Password Management

Department of Information Systems

Standard Statement - SS-70-002

1.0 Purpose

Information handled by computer systems must be adequately protected against unauthorized modification, disclosure, or destruction. Effective controls for logical access to information resources minimize inadvertent employee error and negligence, and reduce opportunities for computer crime. Each user of a mission critical automated system is assigned a unique personal identifier for user identification. User identification is authenticated before the system may grant access to automated information. Passwords are used to authenticate a user's identity and to establish accountability.

2.0 Scope

This standard statement applies to all state agencies, boards, commissions and institutions of higher education.

3.0 Background

The Arkansas Information Systems Act of 1997 (Act 914, 1997) gives the Office of Information Technology the authority to define standards, policies and procedures to manage the information resources within the state. This is accomplished through work with a multi-agency working group known as the Shared Technical Architecture Team In addition, Act 1042 of 2001 states that the Executive Chief Information Officer oversee the development of information technology security policy for state agencies.

4.0 References

4.1 Arkansas State Government Information Resources Security Policy Guidelines

4.2 Act 914 of 1997: Authorized the Office of Information Technology (OIT) to develop statewide policies.

4.3 Act 1042 of 2001: Authorized the Executive CIO to develop security policy.

5.0 Standard

5.1 At a minimum, passwords shall be changed every 90 days.

5.2 Passwords shall be at least eight characters in length and be a mixture of alpha and nonalpha characters

5.3 User passwords shall not be reused within six password changes.

6.0 Procedures

The agency shall be able to demonstrate compliance.

7.0 Revision History -

8.0 Definitions

8.1 Password: - A secret word or code used to serve as a security measure against unauthorized access to data.

9.0 Related Resources

Password selection guidelines:

• http://www.uic.edu/depts/accctest/accts/password.html
• http://www.ucolick.org/computing/password_selection.html

Password Management

A password is a word or code that is only known by you.

It protects your computer, files, and other confidential information from unauthorized access by others.

Password Requirements

State security standards require you to follow these four (4) rules:

• Passwords must be changed every 90 days.
• Passwords must be at least eight (8) characters long.
• Passwords must be a mixture of letters and numbers.
• Passwords must be changed six (6) times before an old password can be reused.

Tips for Creating a Good Password

• Use a mixture of upper and lower case letters, numbers and punctuation.
• Use the first letter of each word in a phrase that only you know.
• Use an intentionally misspelled word.
• Use your imagination. Creativity increases the chances of having a good password.

Things You Should Never Do

• Do not use any personal information as your password such as family names, pet names, birthdates, etc.
• Do not use your login ID/user ID as your password.
• Do not create a password made up of consecutive numbers or letters. (Example: nnnnnn or 333333)
• Do not write down your password and place where others can see it. Do not tape your password on your monitor, under the keyboard, etc.

Questions?

If you have questions about Password Management policy and standards contact:

Office the Executive Chief Information Officer
(501) 682-4300
http://www.dis.arkansas.gov/security/index.htm

If you have questions about password-related problems (resetting a password, etc.), please contact your network administrator / information technology support staff or contact the Department of Information Systems' Customer Care Center at:

(501) 682-HELP (682-4357)
http://www.dis.arkansas.gov/contact_dis/customer_care.html