User credentials consist of a combination of a username and password, which together permit access to individual accounts and the resources for which that user is authorized. The safe-keeping of each credential is the responsibility of the user.
Users should not disclose or share credentials. However, they may, at their discretion, share credentials with ITS personnel in order to facilitate troubleshooting and/or repair efforts in their absence.
Credentials must never be shared through any form of non-encrypted electronic communication, or through any channel in which the parties cannot be verified. Users must immediately change their password after sharing it (see Password Protection below).
Passwords must be sufficiently complex to deter certain types of guessing or brute force attacks. Therefore, all passwords must conform to the convention and change intervals defined by ITS as they appear on the Password Standards page of myPlymouth. Effective February 2013, PSU employees will be required to change their passwords at least every 180 days.
In the event a user discloses his or her credentials to an unauthorized party, the password must be changed immediately.
Given the complexity requirements and the number of passwords people have, people may wish to write them down. In that case, they must ensure the written password is adequately secured in a locked location, kept in a password-protected file, or protected by another secure method. Users should refrain from posting passwords on computer monitors, hiding pieces of paper under keyboards, or using other similar methods.
Server- and System-Level Passwords
All server/system-level passwords must be changed from vendor defaults and/or after an employee with whom the account was shared is no longer authorized to access the account(s).
All server/system-level passwords must be no less complex than standard user passwords.
Simple Network Management Protocol (SNMP) community strings must be changed from system defaults and must be different from the passwords used to log in interactively. A keyed hash must be used where available.
All passwords are confidential. If an account or password is suspected to have been compromised, report the incident to the Chief Security Officer and immediately change the affected password(s).
Since all users are responsible for the safe-keeping of their passwords, they may be held responsible for activity from systems that are accessed with their credentials.
New Account Creation
All authorized users shall be issued credentials using a process defined by ITS. For new hires, this process shall be defined and agreed upon by ITS and Human Resources. Additional authorizations and/or credentials shall be issued as appropriate to any user requiring access to resources not accessible using their standard credentials.
For employees, such authorizations shall be modified as required by the user’s job responsibilities.
Access shall be de-provisioned and/or modified upon any change in the user’s relationship with PSU.
Employee workstations must be locked when unattended. This may be done either manually or by a screen saver that locks the workstation upon activation. Limits are determined based on computer type and use. For example, cluster, instructor and employee workstations will each require different activation times. These time-out intervals are defined by ITS as they appear on the Password Standards page of myPlymouth.