Password Standards

1.0 Overview

To change your company account password, please visit: https://go.npgco.com/password

NPG IT establishes the position that poor password management or construction imposes risks to the security of systems and resources. Standards for construction and management of passwords greatly reduce these risks.

2.0 Objective / Purpose

This document describes the acceptable standards for password construction and management.

3.0 Scope

The requirements in this standard apply to passwords for any computing account on any NPG resource, to the users of any such accounts, and to network, server, engineering, and developer personnel who manage or design systems that require passwords for authentication.

4.0 Password Standard

4.1 Password Construction

4.1.1 Minimum Password Length

Passwords shall have a minimum of eight (8) characters; if a particular system will not support eight-character passwords, then the maximum number of characters allowed by that system shall be used. The exception will be recorded by IT.

4.1.2 Password Composition

Passwords shall not consist of well known or publicly posted identification information. Examples of identifying information include but are not limited to station call letters, first name, last name, or publication names.

4.1.3 Password Scoring

Passwords will be scored using the ZXCVBN algorithm. This scoring technique analyzes a password against known dictionary words, repetition, personal profile information, and character substitution and assigns a score between 1 and 5. The lower the score, the more vulnerable a password is to being discovered. NPG will not allow password scores less than 3. This ensures a password is complex enough that other security alarms will trip before an account is compromised.
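Sections 4.1.1 to 4.1.3 together define a construction check: minimum length (with the recorded exception for systems that cannot support eight characters), no well-known identifying information, and a score of at least 3. The validator below is an added example and not NPG's own tooling. The scoring function is pluggable; the `zxcvbn_score` adapter assumes the open-source `zxcvbn` Python package is installed, and because that library reports 0 to 4 while the text above counts 1 to 5, the adapter shifts the value by one (an assumption about how the scales are mapped). The identifiers and passwords in the usage call are constructed.

```python
"""Password construction checks for sections 4.1.1 to 4.1.3 (added example, not NPG's code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional

MIN_LENGTH = 8   # 4.1.1: eight characters unless the system cannot support it
MIN_SCORE = 3    # 4.1.3: scores below 3 are not allowed (policy scale 1..5)


@dataclass
class Result:
    ok: bool
    reasons: List[str] = field(default_factory=list)


def _normalize(s: str) -> str:
    # Lower-case and drop non-alphanumerics so "K-ABC" and "kabc" compare equal.
    return re.sub(r"[^a-z0-9]", "", s.lower())


def contains_identifying_info(password: str, identifiers: Iterable[str]) -> List[str]:
    """Return the identifiers (4.1.2: call letters, names, publications) found in the password."""
    norm_pw = _normalize(password)
    hits = []
    for ident in identifiers:
        n = _normalize(ident)
        # Very short tokens (initials) would match almost anything, so skip them.
        if len(n) >= 3 and n in norm_pw:
            hits.append(ident)
    return hits


def check_password(password: str, identifiers: Iterable[str],
                   score_fn: Callable[[str, List[str]], int],
                   system_max_length: Optional[int] = None) -> Result:
    """Apply 4.1.1 (length), 4.1.2 (identifying info) and 4.1.3 (score) in one pass."""
    identifiers = list(identifiers)
    reasons = []
    # 4.1.1 exception: a system that cannot hold 8 characters uses its own maximum.
    required = MIN_LENGTH if system_max_length is None else min(MIN_LENGTH, system_max_length)
    if len(password) < required:
        reasons.append(f"shorter than {required} characters")
    hits = contains_identifying_info(password, identifiers)
    if hits:
        reasons.append("contains identifying information: " + ", ".join(hits))
    score = score_fn(password, identifiers)
    if score < MIN_SCORE:
        reasons.append(f"score {score} is below {MIN_SCORE}")
    return Result(not reasons, reasons)


def zxcvbn_score(password: str, identifiers: List[str]) -> int:
    """Adapter for the zxcvbn Python package (assumed installed; pip install zxcvbn).

    The library scores 0..4; the policy text counts 1..5, so shift by one (assumption)."""
    from zxcvbn import zxcvbn
    return zxcvbn(password, user_inputs=identifiers)["score"] + 1


if __name__ == "__main__":
    # Constructed profile data for a hypothetical user at a hypothetical station.
    profile = ["KNPG", "Jane", "Doe", "Daily Gazette"]
    for candidate in ["KNPG-2024!", "correct horse battery staple"]:
        print(candidate, check_password(candidate, profile, zxcvbn_score))
```

The identifier check normalizes both sides, so separators and capitalization do not let a call sign slip through; the scorer is passed in so the same checks can be exercised without the library present.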

4.2 Password Management

4.2.1 Password Storage

Passwords shall be memorized and never written down or recorded along with corresponding account information or usernames.

Use of an encrypted password storage application is acceptable, although extreme care must be taken to protect access to said application. NPG recommends the following password management applications: LastPass

4.2.2 Password Aging and Expiration

User account passwords will expire after 1 year and must be reset. Users will be notified weekly starting 2 weeks before an account is set to expire. If the user fails to reset their password after expiration, the account will be disabled until they reset their password.

Exceptions to password expirations:

  1. Users who fall under PCI compliance scope. User accounts will be flagged as being in scope for PCI compliance. These accounts will be required to change their password every 90 days regardless of score.
  2. Users whose passwords score a perfect 5 will be exempt from resetting their password every 1 year.

4.2.3 Changing Password after Compromise or Disclosure

IT Personnel shall, in a timely manner, reset passwords for user accounts or require users to reset their own passwords in situations where continued use of a password creates risk of unauthorized access to the computing account or resource. Examples of these situations include but are not limited to:

  1. disclosure of a password to an unauthorized person;
  2. discovery of a password by an unauthorized person;
  3. system compromise (unauthorized access to a system or account);
  4. insecure transmission of a password;
  5. replacing the user of an account with another individual requiring access to the same account;
  6. a password being provided to IT support staff in order to resolve a technical issue;
  7. an account password being communicated to a user by the system administrator.

4.2.4 Password Sharing and Transfer

Passwords shall not be transferred or shared with others unless the user obtains appropriate authorization to do so.

When it is necessary to disseminate passwords in writing, reasonable measures shall be taken to protect the password from unauthorized access. For example, after memorizing the password, one must destroy the written record.

When communicating a password to an authorized individual orally, take measures to ensure that the password is not overheard by unauthorized individuals.

NPG IT authorizes the use of password sharing applications to minimize the need for transmission of password information. NPG IT authorizes the following applications: LastPass

4.2.5 Electronic Transmission

Passwords shall not be transferred electronically over the Internet using insecure methods. Wherever possible, secure protocols such as SSH, FTPS, or HTTPS shall be used.

4.3 Requirements for IT Personnel

4.3.1 Require Passwords for Login

Systems shall not be configured to allow user login without a password. Exceptions shall be granted for specialized devices such as public access kiosks when these devices are configured with public user accounts that have extremely restricted permissions (e.g. web only) that are separate from administrative accounts.

4.3.2 Protect Against Password Hacking

System hardening measures will be enforced during installation to deter password cracking by using reasonable methods to mitigate “brute force” password attacks. For example, some systems will lock an account for a few minutes after several failed login attempts, or detect where the attack is coming from and block further attempts from that location, or at minimum alert in real-time that an attack is underway so that manual action can be taken.

4.3.3 Logging

Practicable measures shall be put in place to log successful and failed login attempts.
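Sections 4.3.2 and 4.3.3 describe three mitigations working together: lock an account for a few minutes after several failures, block a source that keeps failing across accounts, and raise a real-time alert so someone can act. The guard below is an added example, not NPG's code, and replays constructed log lines in a constructed format (`<timestamp> auth result=OK|FAIL user=<name> src=<address>`); the thresholds, the 5-minute counting window and the 15-minute lockout are assumed values, and the source addresses are from the documentation range 203.0.113.0/24.

```python
"""Login-attempt guard for sections 4.3.2 and 4.3.3 (added example, not NPG's code).

Thresholds, durations and the log format below are constructed for this example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

ACCOUNT_THRESHOLD = 5            # failures per account within WINDOW -> lockout
SOURCE_THRESHOLD = 5             # failures per source within WINDOW -> source block
WINDOW = timedelta(minutes=5)    # sliding window over which failures are counted
LOCKOUT = timedelta(minutes=15)  # "lock an account for a few minutes"

# Constructed log line format: ISO timestamp, result, user, source address.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_line(line):
    """Parse one constructed log line into (timestamp, account, source, success)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return datetime.fromisoformat(m["ts"]), m["user"], m["src"], m["result"] == "OK"


class LoginGuard:
    def __init__(self):
        self.failures = defaultdict(deque)      # account -> recent failure timestamps
        self.src_failures = defaultdict(deque)  # source  -> recent failure timestamps
        self.locked_until = {}                  # account -> lockout expiry
        self.blocked_until = {}                 # source  -> block expiry
        self.alerts = []                        # real-time alerts (4.3.2), as strings

    @staticmethod
    def _active(table, key, now):
        until = table.get(key)
        return until is not None and now < until

    @staticmethod
    def _prune(dq, now):
        # Drop failures that fell out of the sliding window.
        while dq and now - dq[0] > WINDOW:
            dq.popleft()

    def record(self, now, account, src, success):
        """Process one attempt and return its outcome as a string."""
        # A locked account or blocked source is refused even with valid credentials,
        # so the response does not reveal whether the guess was right.
        if self._active(self.locked_until, account, now) or self._active(self.blocked_until, src, now):
            return "rejected"
        if success:
            self.failures[account].clear()
            return "allowed"
        acct = self.failures[account]
        self._prune(acct, now)
        acct.append(now)
        source = self.src_failures[src]
        self._prune(source, now)
        source.append(now)
        if len(acct) >= ACCOUNT_THRESHOLD:
            self.locked_until[account] = now + LOCKOUT
            self.alerts.append(f"{now.isoformat()} LOCKOUT account={account} src={src}")
            return "locked"
        if len(source) >= SOURCE_THRESHOLD:
            self.blocked_until[src] = now + LOCKOUT
            self.alerts.append(f"{now.isoformat()} SOURCE_BLOCK src={src}")
            return "blocked"
        return "failed"


def replay(lines):
    """Feed log lines through a fresh guard; returns (guard, list of outcomes)."""
    guard = LoginGuard()
    outcomes = [guard.record(*parse_line(line)) for line in lines]
    return guard, outcomes


# Constructed sample: one account hammered from one address, then a spray across
# several accounts from a second address.
SAMPLE_LOG = """\
2024-03-01T09:00:01 auth result=FAIL user=jdoe src=203.0.113.7
2024-03-01T09:00:02 auth result=FAIL user=jdoe src=203.0.113.7
2024-03-01T09:00:03 auth result=FAIL user=jdoe src=203.0.113.7
2024-03-01T09:00:04 auth result=FAIL user=jdoe src=203.0.113.7
2024-03-01T09:00:05 auth result=FAIL user=jdoe src=203.0.113.7
2024-03-01T09:00:06 auth result=FAIL user=jdoe src=203.0.113.7
2024-03-01T09:00:07 auth result=OK user=jdoe src=203.0.113.7
2024-03-01T09:20:00 auth result=OK user=jdoe src=203.0.113.7
2024-03-01T09:30:01 auth result=FAIL user=asmith src=203.0.113.9
2024-03-01T09:30:02 auth result=FAIL user=bjones src=203.0.113.9
2024-03-01T09:30:03 auth result=FAIL user=clee src=203.0.113.9
2024-03-01T09:30:04 auth result=FAIL user=dkim src=203.0.113.9
2024-03-01T09:30:05 auth result=FAIL user=epark src=203.0.113.9
2024-03-01T09:30:06 auth result=FAIL user=fwong src=203.0.113.9
""".splitlines()

if __name__ == "__main__":
    guard, outcomes = replay(SAMPLE_LOG)
    for line, outcome in zip(SAMPLE_LOG, outcomes):
        print(outcome.ljust(9), line)
    print("\n".join(guard.alerts))
```

Note that the successful login at 09:00:07 is still rejected because the lockout is in force, which is the behaviour that makes the lockout useful: the guesser gets no confirmation. The per-source counter catches the spray that never trips any single account's threshold, and both conditions append to `alerts`, which is where a real deployment would hand off to the logging and alerting described in 4.3.3.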

4.3.4 Default Passwords

IT Personnel shall not use default passwords for administrative accounts.

5.0 Enforcement and Implementation

5.1 Consequences and Sanctions

Non-compliance with these standards may incur the same types of disciplinary measures and consequences as violations of other policies, including progressive discipline up to and including termination of employment.

Any device that does not meet the minimum security requirements outlined in this standard may be removed from the NPG network, disabled, etc. as appropriate until the device can comply with this standard.

6.0 Exceptions

Exceptions may be granted in cases where security risks are mitigated by alternative methods, or in cases where security risks are at a low, acceptable level and compliance with minimum security requirements would interfere with legitimate business needs. To request a security exception, contact the security officer at infosec@npgco.com.