Montana State University Password Guidelines

MSU Security Operations Team – April 2008

TABLE OF CONTENTS

1. Overview
2. General Password Guidelines
3. Administrative Systems User Accounts
4. Luminis Portal Accounts
5. Windows Domain Accounts
6. Windows Server Administrator Accounts
7. Windows Service Accounts
8. UNIX, Linux, Macintosh, and VMS User Accounts
9. UNIX, Linux, Macintosh, and VMS Root Accounts
10. Application Accounts

1. Overview

As MSU continues to enhance the security of the computing and information environment, an effort has been undertaken to better protect the accounts that control access to our electronic resources. Passwords are the first line of defense and one of the most frequently attacked layers of our security model. Maintaining a strong password is a simple yet effective approach for protecting ourselves from this threat.

This document provides the minimum password standards for different types of accounts used for accessing Montana State University (MSU) enterprise-level computer systems, applications, and information. It establishes guidelines for password strength, password lifecycle, and account lockout due to inactivity or abuse.

2. General Password Guidelines

Some systems may not be specifically addressed in this document. Where technically feasible, system users and administrators are expected to follow these basic minimum password guidelines:

- Eight character minimum
- Upper and lower case letters
- At least one number
- At least one special character
- 180-day password lifetime*

Passwords should never contain portions of a user's name, account name, or any information that can be personally identifiable with the individual.

* For the purpose of this document, the term "lifetime" refers to the recommended lifespan of a password. When the lifespan has been reached, it is up to the user to change the password. The term "expiration" refers to the forceful expiration of a password by the server or application.

3. Administrative Systems User Accounts

MSU collects and maintains administrative data vital to the mission of the university. This data includes detailed records on students, staff, and faculty that are required for day-to-day operations. Ensuring the security of this information is critical to MSU, and as such, several layers of protection are in place to safeguard against exposure. The first line of defense lies with the security of the accounts used to access and administer this data. These guidelines are meant to reduce the risk of exposure through compromised accounts.

For the purpose of this document, administrative data includes personnel records, financial records, and all student records (prospective, current, and alumni). This includes, but is not limited to, Banner user accounts and Microsoft Access reporting applications. The following password guidelines apply to all systems providing access to administrative data:

- Eight character minimum
- Upper and lower case letters
- At least one number
- At least one special character*
- Accounts lock after five failed login attempts
- Failed password lock-out time is 10 minutes
- Recommended password lifespan is 180 days
- Passwords cannot be reused for 180 days

* Due to restrictions with Oracle and the Banner application, special characters are limited to the following: ! + - / _ ?

4. Luminis Portal Accounts

Like administrative system user accounts, Luminis portal accounts contain sensitive information such as student and financial records. Password guidelines for Luminis portal accounts are as follows:

- Eight character minimum
- 20 character maximum
- Upper and lower case letters
- At least one number
- At least one special character*
- 180-day password expiration
- Accounts disable after 210 days of inactivity
- Lockout for failed login attempts is based on a progressive algorithm

* Special characters are limited to the following: $ * % @ # &

5. Windows Domain Accounts

The password guidelines below apply to all MSU Windows Domains. The intention is that these standards will align as closely as possible with the requirements for Luminis portal accounts, thus enabling the use of the same password for both accounts.

- Eight character minimum
- Contain characters from three of the following four categories:
  o Uppercase letters
  o Lowercase letters
  o Numbers
  o Special characters
- 180-day password expiration
- Password history of four
- Accounts disable after 10 failed login attempts within 10 minutes
- Seven days must pass before another password change is allowed

6. Windows Server Administrator Accounts

By definition, server administrator accounts have more authority than user accounts. As such, the password management requirements are more stringent. Server administrator passwords will be changed at least every 90 days, or whenever a suspected breach occurs.

- 12 character minimum
- Upper and lower case letters
- At least two numbers
- At least two special characters
- 90-day password lifespan
- Password history of six
- Passwords cannot be reused for 365 days

7. Windows Service Accounts

Windows service accounts are used for running individual services on a server and are not intended for interactive login. Windows service account passwords will be changed during scheduled maintenance times at least once every year. Since service account credentials are often hard-coded into applications, considerable work can be involved in changing passwords. Thus a password lifespan of 180 days is recommended, but a lifespan of one year is allowed.

- 15 character minimum
- Upper and lower case letters
- At least two numbers
- At least two special characters
- One-year password lifespan
- Password history of six
- Passwords cannot be reused for 365 days

8. UNIX, Linux, Macintosh, and VMS User Accounts

In general, password guidelines for UNIX, Linux, Mac, and VMS systems should align with the basic password guidelines set forth above. Systems supporting additional password strength controls are encouraged to take advantage of those capabilities wherever possible.

9. UNIX, Linux, Macintosh, and VMS Root Accounts

Root or superuser accounts, by definition, have privileges to make critical system changes and may have access to sensitive or confidential data. Thus, passwords will be changed at least every 90 days, whenever a suspected breach occurs, or when an employee knowing the root password leaves the organization.

Due to the large variability of system capabilities within this category, exact root password guidelines may be hard to standardize. However, all root accounts should adhere to the general password guidelines outlined above at an absolute minimum. Stronger root passwords are highly encouraged.

10. Application Accounts

Application accounts and application database accounts are similar to Windows service accounts. However, application account credentials should never be hard-coded. Examples of application accounts include credentials for system monitoring services, intrusion detection systems, web applications, online bulletin boards, wikis, and document repositories.

If applications contain sensitive information, the password guidelines for administrative systems should be followed as closely as possible. Otherwise, the general password guidelines should be considered the minimum.
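The complexity rules in sections 2 through 7 differ per system (minimum length, required counts, the three-of-four category rule for Windows, and the restricted special-character sets that Banner/Oracle and Luminis accept), so a candidate password that passes one system can fail another. The checker below is an added example, not part of the MSU document or any MSU tool; it encodes those rules as written above so a provisioning script or helpdesk can test a password before it is set. The policy names and the `check_password` function are assumptions of this example; lockout and lifetime rules are server-side settings and are not modelled.

```python
# Added example: per-system password complexity checks from the MSU
# guidelines (sections 2-7). Policy names and function are this example's own.

# Each policy: length bounds, required character counts, and optionally the
# restricted special-character set the target system accepts (Banner, Luminis).
POLICIES = {
    "general":         dict(min_len=8, upper=1, lower=1, digits=1, special=1),
    "banner":          dict(min_len=8, upper=1, lower=1, digits=1, special=1,
                            allowed_special="!+-/_?"),
    "luminis":         dict(min_len=8, max_len=20, upper=1, lower=1, digits=1,
                            special=1, allowed_special="$*%@#&"),
    "windows_user":    dict(min_len=8, categories=3),   # 3 of 4 categories
    "windows_admin":   dict(min_len=12, upper=1, lower=1, digits=2, special=2),
    "windows_service": dict(min_len=15, upper=1, lower=1, digits=2, special=2),
}

def check_password(pw, system, user_fields=()):
    """Return a list of rule violations; an empty list means the password passes.
    user_fields holds the user's name/account name (section 2 forbids them)."""
    p = POLICIES[system]
    problems = []
    n_upper = sum(c.isupper() for c in pw)
    n_lower = sum(c.islower() for c in pw)
    n_digit = sum(c.isdigit() for c in pw)
    specials = [c for c in pw if not c.isalnum()]
    if len(pw) < p["min_len"]:
        problems.append(f"shorter than {p['min_len']} characters")
    if "max_len" in p and len(pw) > p["max_len"]:
        problems.append(f"longer than {p['max_len']} characters")
    if "categories" in p:
        # Windows domain rule: count how many of the four categories are present.
        present = sum(bool(x) for x in (n_upper, n_lower, n_digit, specials))
        if present < p["categories"]:
            problems.append(f"needs {p['categories']} of 4 character categories")
    else:
        for name, count in (("upper", n_upper), ("lower", n_lower),
                            ("digits", n_digit), ("special", len(specials))):
            if count < p[name]:
                problems.append(f"needs at least {p[name]} {name}")
    allowed = p.get("allowed_special")
    if allowed:
        bad = sorted({c for c in specials if c not in allowed})
        if bad:
            problems.append(f"special characters not accepted by this system: {''.join(bad)}")
    low = pw.lower()
    for field in user_fields:
        if len(field) >= 3 and field.lower() in low:
            problems.append(f"contains personal information: {field}")
    return problems
```

Running the same candidate through several policies shows where the systems diverge: a password built with "@" satisfies Luminis but not Banner, and a Windows-acceptable password may still fall short of the administrator rules.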