On this page:
Policy
Rationale
Implementation
Implications
Glossary
Policy
All MIT Kerberos Accounts will be protected by effective passwords. An effective password is both strong and protected. Strong passwords have at least a specified minimum number of characters, are a combination of alphabetic, numeric and special characters, and are not common dictionary words. Refer to the Guidelines for Choosing a Strong Password for specific details. Account holders and system administrators, acting as account/password custodians, will protect the security of those passwords by managing passwords in a responsible fashion.
Rationale
Account holders are held responsible for all activities associated with their accounts. As such, the strength and protection of the password is critical to ensuring that unauthorized activity does not become associated with a person's account. Each computer user is responsible for his or her use of technology on campus. The integrity and secrecy of an individual's password is a key element of that responsibility.
As time passes from a password update, the probability that a password has been compromised increases. This probability goes up because of the risk of silent compromise of someplace where the password was entered (keystroke logger) or accidental use over an insecure path (for example, VPN's that fail "open" leading you to think you are encrypted when you are not!).
Spammers have used MIT legitimate account passwords to log in to our Webmail system and send large amounts of spam. These incidents result in our authenticated outgoing mail servers being added to numerous black lists, and have a negative effect on the entire community. If you are not careful with your password, the harm you cause can be to the whole community, not just yourself! This also argues for a strong(er) password policy.
Implementation
Account holders should:
- Create a strong password.
- Change the password as frequently as needed to ensure security for the resources computers, data, etc. under their control. As a matter of practice, IS&T suggests changing passwords at least once a year.
- Safeguard their password. For example, individuals should not write down or store the password on paper or on a computer system where others might acquire it.
- Never share their password, even with a best friend, roommate, or relative. We recognize there may be times when people need to have someone do something on their behalf, when work is being delegated, and lack of access to an account might impede business. That said, we want to emphasize that when you give someone your password, they may take actions in your name that you might not be aware of, might not approve of, but may be held responsible for depending on the nature of the activity.
- Never reuse their MIT user name and password for external services, be they related to MIT business or of a personal nature.
- Change their password immediately if they know or suspect that it has been guessed, stolen, intercepted, or otherwise compromised. Contact the Service Desk for further guidance and assistance if this occurs.
System administrators and service provides are expected to:
- Store account passwords such that they cannot be produced on demand under any circumstances.
- Prevent, or take steps to reduce the likelihood of, the exposure of any clear text account passwords that an MIT application, system, or other service has received for purposes of authentication.
- Never request that passwords be sent over the MITnet or Internet in the clear. Of particular importance is that passwords never be sent via email.
Just as security and privacy risks evolve, password standards need to evolve to meet those risks. The IS&T account password standard (see References below) establishes requirements for:
- Password minimum length
- Composition
- Password aging
- Reuse of old passwords
At initial account creation, a password is selected and tested against the then current standards. Passwords do not expire. Certificates do expire annually, see Certificates at MIT for further details. Authorizations may expire at the discretion of a resource/service provider. IS&T may notify account holders of potentially weak -- or out of standard -- passwords based solely on IS&T's records of when a particular password was last changed.
Use of an encrypted password storage application is acceptable, although extreme care must be taken to protect access to that application.
Implications
Ultimately, account security depends on users following the password policy. Therefore, educating account holders about the policy is essential to preventing unauthorized use of accounts.
Hackers and other Internet criminals are constantly evolving new strategies for breaking through security measures, so IS&T must remain informed about current best practices regarding passwords. As best practices change, IS&T will revise this policy and educate the community.
Glossary
Password: A sequence of alphanumeric and special characters entered in order to gain access to a computer system or resource.
System Administrator: A person who is responsible for properly maintaining a server, workstation, or other networked device.
VPN: Virtual Private Network. A technology that in MIT's usage facilitates secure communications from remote locations to a known location at MIT, typically over the public Internet. However, VPNs are not inherently about security or performance, but rather that they provide a "tunnel" on top of some other network in support of a given customer or client community.