Effective date: 07/01/2021
Last updated: 03/04/2024
Purpose
This Service Requirement describes the University’s requirements for acceptable credential management, password selection and maintenance. Duquesne University is committed to a secure information technology environment in support of our mission. The need for a strong password is greater than ever and credentials issued by Duquesne University are often the first line of attack, and the last line of defense in the protection of personal and institutional assets. Information Technology systems and services at Duquesne University require the use of credentials and passwords including but not limited to email, academic and administrative applications, computer labs, DORI, and endpoint computers.
Never share your credentials, password or other sensitive information and do not respond to emails that request access to your MultiPass ID, password, secret questions, or other personal information. Duquesne University’s Computing and Technology Services (CTS) team will NEVER ask for your MultiPass password or other personally identifiable information.
Service Requirements
All Individuals Password Service Requirements
Applies to all students, employees, affiliates or members of the community to whom credentials have been issued and who are responsible for the care of those credentials. The following rules must be followed to reduce the risk of compromise of your credentials and password.
- Passwords are sensitive and classified as Restricted Data; therefore all protections that apply to Restricted Data apply to their use.
- Passwords should never be written down, stored online without encryption, or stored in plain text files.
- Passwords may not be disclosed or shared with another person, including CTS, or any other Duquesne Employee. If for some reason your password is disclosed to another employee, it should be reset as quickly as possible.
- If a user suspects a password has been disclosed or compromised, the user must change their password immediately and report the incident to CTS via email or at (412) 396-4357 or 1 (888) 355-8226.
- Passwords must be changed at least every 120 days for systems that do not use Multifactor authentication. Passwords must be changed annually for systems that do use Multifactor authentication.
- Passwords should not be inserted into email messages or other forms of electronic communication without the consent of CTS.
- Passwords that could be used to access Restricted Data and sensitive information must be encrypted in transit.
- Automated password guessing may be performed on a periodic or random basis by CTS or its delegates. If a password is guessed during one of these scans, the user will be required to change it.
- MultiPass accounts are locked out after a number of consecutive failed password attempts.
- MultiPass accounts are required to enroll in the University’s Multifactor Authentication solution. Accounts will be auto-enrolled into Multifactor authentication if not established during account claim.
Administrators Password Service Requirements
Applies to any employee (faculty or staff) who issues credentials and is responsible for managing them, including provisioning and support of accounts and passwords. These employees have certain responsibilities in the administration of those credentials. The following rules must be followed to reduce the risk of compromise of any person’s personal information and/or security credentials.
- All production system-level and shared service account passwords must be managed in the centralized password management system administered by CTS Services.
- All system-level and shared service account passwords (e.g. root, enable, domain admin, application admin accounts, etc.) must be changed on at least a semi-annual basis. All passwords must also be updated when any member of staff, who had access to the password or password management system, leaves the university or changes roles where they no longer will have privileged access to the password management system.
- Privileged accounts must have a unique password from all other accounts and in particular MultiPass passwords.
- All production systems should have a lockout of no more than 4 failed attempts.
- Disable default passwords; if they cannot be disabled, change the default password immediately upon installation and configuration of the system or application.
- Passwords should not be stored or transmitted using weak encryption or hashing algorithms. Encryption algorithms such as 3DES or AES and hashing algorithms such as SHA-1 or SHA-256 should be used. DES and MD-4 should not be used.
- The same password should not be used for multiple systems, applications or services. Unique passwords should be used to avoid a chain effect allowing an attacker into multiple systems as the result of a compromise.
- Never ask for a user’s password. If access is needed, delegation of permission is an alternative, as is impersonation that ties back to the administrator’s account. If for some reason an administrator requires the user’s password for troubleshooting and/or remediation, the administrator should ensure the user resets their password before closing out the support request.
Password Strength Service Requirements
Length
- Minimum length: 10 characters
- Maximum length: 24 characters
Password Complexity
- Characters limited to: a-z, A-Z, 0-9 and [ ] { } ~ ! @ # $ % & * ( ) - + = : . ? |
- Passwords must contain at least one lowercase letter, one uppercase letter, one number and one special character.
- A new password must differ from previous passwords in more than 3 characters.
- Passwords should not contain any of the following information:
  - MultiPassID
  - Your Name (first, middle or last)
  - Your Birth Year (YYYY)
  - Any 4 digit sequential part of your Social Security Number
  - Your phone number
  - Your address
  - A known date such as anniversary, etc.
  - Phrases including Duquesne, DUQ, or DORI
  - Phrases that include the word "password"
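As an added illustration (not part of these requirements and not a CTS tool), the following Python function checks a candidate password against the length, permitted character set, complexity and prohibited-content rules above, using a constructed user profile; the way the "more than 3 characters" rule is measured (positions that differ, plus any change in length) is an assumption.

```python
import re

# Rules transcribed from the Password Strength Service Requirements.
MIN_LEN, MAX_LEN = 10, 24
ALLOWED = re.compile(r"^[A-Za-z0-9\[\]{}~!@#$%&*()\-+=:.?|]+$")
SPECIAL = set("[]{}~!@#$%&*()-+=:.?|")
BANNED_WORDS = ("duquesne", "duq", "dori", "password")

SAMPLE_PROFILE = {  # constructed example data, not a real person
    "multipass_id": "smithj", "names": ["Jane", "Marie", "Smith"],
    "birth_year": "1990", "ssn": "123-45-6789", "phone": "4125551234",
    "address": "123 Example St", "anniversary": "0614",
}


def personal_terms(profile):
    """Substrings a password may not contain, derived from the user's details."""
    terms = [profile["multipass_id"], profile["birth_year"], profile["phone"],
             profile["address"], profile["anniversary"], *profile["names"]]
    ssn = profile["ssn"].replace("-", "")
    terms += [ssn[i:i + 4] for i in range(len(ssn) - 3)]  # any 4 sequential SSN digits
    return [t.lower() for t in terms if t]


def check_password(pw, profile, previous=None):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not ALLOWED.match(pw):
        problems.append("contains a character outside the permitted set")
    classes = {"lowercase letter": str.islower, "uppercase letter": str.isupper,
               "digit": str.isdigit, "special character": SPECIAL.__contains__}
    for name, test in classes.items():
        if not any(test(c) for c in pw):
            problems.append(f"no {name}")
    low = pw.lower()
    for term in personal_terms(profile) + list(BANNED_WORDS):
        if term in low:  # case-insensitive substring match
            problems.append(f"contains prohibited content: {term!r}")
    if previous is not None:
        # Assumed measure of "more than 3 different characters": count positions
        # whose character changed, plus any difference in length.
        diff = sum(a != b for a, b in zip(pw, previous)) + abs(len(pw) - len(previous))
        if diff <= 3:
            problems.append("differs from the previous password in 3 or fewer characters")
    return problems
```

Run against the sample passphrase given under Helpful Tips, the check rejects it because it contains the word "password".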
Helpful Tips for Passwords
Consider using a passphrase instead of a password. A passphrase is made up of a sequence of words with numeric and/or symbolic characters inserted throughout. Passphrases are typically longer and, in most cases, easier to remember. For example, the passphrase “Mypasswordis$tr0ng!” is 19 characters long and is also relatively easy to remember.
Enforcement
The unauthorized or improper use of Duquesne University’s technology environment, including the failure to comply with these service requirements, constitutes a violation which may result in the loss of access, University disciplinary actions and/or legal prosecution under federal, state and local laws, where applicable. Users are expected to adhere to TAP 26 - Computing and Ethics Guidelines.
The University reserves the right to amend these service requirements at any time without prior notice and to take such further actions as may be necessary or appropriate to comply with other published policies and with applicable federal, state, and local laws.