![]() ![]() Use industry-standard strong encryption and/or hashing to store the password in applications or systems ![]() Use industry-standard strong encryption and/or hashing to render the password unreadable during transmission on the network ![]() Log successful and unsuccessful logon attemptsĭisplay only generic identifiers or messages until successful login Re-authenticate access after a period of inactivity, excluding service accounts (suggest: 15-30 minutes for operating system 60 minutes or less for interactive applications) 2 Limit re-use of passwords to at least the last five passwordsĭeter password guessing attempts (e.g., lockout access after 10 consecutive failed login attempts for a minimum of 15 minutes or until an administrator enables the account) 2 Uniquely associate interactive sessions with an individual or automated sessions with a system accountĭo not use personal identifying information in passwords or passphrases (e.g., cannot contain user’s first name, last name, username, employee number/student ID, telephone number, SSN)ĭo not use repeating characters in passwords or passphrases (e.g., cannot repeat characters four or more times in a row)įor operating systems: Set a password expiration for temporary/reset passwords (suggest: 1 day)įor non-operating systems: Set a password expiration for temporary/reset passwords (suggest: 1 day)Įxpire passwords used with single-factor authentication at least annually 2 Uniquely associate access with an account or system The following table defines baseline security controls for authenticating access to data, application, operating system, or systems (e.g., workstation, device, server, network infrastructure), including user, organization/department account, system or service account, administrative/privileged account. The controls are grouped by Authentication, Multi/Two-Factor Authentication, Access, and Account Management (including shared, group, system, service, and vendor accounts). To prevent and record unauthorized access to University IT resources, including data, systems, and applications, by using the appropriate level of authentication, authorization, and account lifecycle management controls. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |