Procedures for Password management
Dnr UFV 2013/1490
Password management
Procedures for Information security
Ratified by the Chief Security Officer 2013-11-06
Latest revision 2021-03-02
Translated 2021-02-26
Table of contents
1 Introduction
2 Responsibilities
2.1 Compliance
2.2 Revising the procedures
3 Definitions
4 Scope
4.1 For users
Passwords in general
Password composition (high quality passwords)
4.2 For system managers
IT systems in general
Password quality
Password control
Password protection
4.3 Password managers
4.4 Exceptions
1 Introduction
This document specifies Uppsala University's procedures for the quality and handling of passwords, in accordance with the Swedish Academic Identity Federation’s (SWAMID) assurance profile and password policy[1].
The purpose of the procedures is to support the secure handling of passwords at the university, personal as well as system-managed, in order to protect the university's information in various systems from unauthorized users.
The procedures apply to all IT services and systems at the university and cover both password quality and password protection. They are based on the university's procedures for information security (UFV 2017/93) and the procedures for risk management (UFV 2018/211).
2 Responsibilities
2.1 Compliance
The responsibility for compliance with the procedures lies with, respectively:
Heads of departments/equivalents at their department, division or equivalents.
System owners, object managers or equivalents for compliance with the procedures in their system development and administrative work, as well as in their operational duties. A responsibility for compliance also lies with internal and external parties employed for these purposes. The responsibilities of the employed parties must be defined in an agreement.
The Chief Security Officer for planning, coordination and follow-up of the procedures, as well as compliance monitoring.
Everyone at the University for following the procedures.
2.2 Revising the procedures
The chief security officer is responsible for ensuring that the procedures are continuously revised, and that any underlying support documents are formed and ratified.
3 Definitions
Joint Web Login[2] is a solution for initial sign-on to web services: one login for many web services. The user ID and password need only be supplied once for many different web services, which also raises security.
Multi-factor authentication is a method used to confirm a user’s identity with two or more factors in several steps, giving higher security than relying solely on a password. The factors consist of something owned (card, cell phone), something known (password, PIN code), and something personal (biometry, such as fingerprints).
4 Scope
4.1 For users
Passwords in general
All users have a master password (Password A), used to log in to the University’s network services and joint services such as Primula, Ladok and the intraweb (Medarbetarportalen).
For services such as Eduroam, each user has an additional password (Password B). In addition to these two passwords, there may be local or system-specific passwords.
As a user, your responsibility is to ensure that
- your passwords conform to the procedures in terms of quality and handling,
- your passwords are stored in a secure way and not given to anyone else, neither by email, telephone nor otherwise,
- you immediately notify the University's service desk (servicedesk@uu.se, tel. 4440) if you think a password might have been compromised.
Password composition (high quality passwords)
In order for a password to be of high quality, it needs to be at least 10 characters – of which at least one must be a capital (uppercase) letter, one a lowercase letter, and at least one special character or a number.
Recommended characters:
- capitals (A-Z), lowercase (a-z),
- numbers (0-9),
- the following special characters: ~ ! @ # $ % ^ & ( ) _ + - * / = { } [ ] | \ : ; ? < > " as well as
- comma, period or space.
Never use proper names, seasons or car brands, nor number combinations on their own (one of the world’s most common passwords is 123456).
Note that a high quality password that isn’t changed is in fact more secure than switching regularly between bad passwords.
If you have many different passwords, a password manager (see below) can be helpful.
4.2 For system managers
IT systems in general
- All systems must be linked to the joint web login, unless there are special reasons. Such reasons must be documented. The joint web login contains system support for compliance with the procedures.
- In case of systems using their own password management, the system owner is responsible for compliance.
- Systems not connected to the joint web login must store any passwords in a secure one-way (SHA2) format, so that leaked information cannot be used by a third party.
- In regards to outsourcing or cloud services, requirements for secure password management must be included in the procurement procedure and regulated in agreements.
- Multi-factor authentication must be used for access to IT systems or services that, according to the information classification, contain confidential information. Systems that currently do not support this should be upgraded as soon as possible, and deviations from the procedures documented in the system management plan.
Password quality
A high quality password is long and complex enough to reduce the risk of an intruder being able to guess it. Length and complexity together form the so-called entropy of the password. The higher the entropy of a password, the more difficult and time consuming it is to guess or test. For more information, see NIST SP 800-63[3].
Password control
The university's joint web login provides technical support to ensure a high password quality. At any password change, the passwords are checked to ensure they
- are composed according to the requirements above,
- are not found in any catalog of poor quality passwords (such as number combinations, proper names, seasons, car brands, etc.),
- are not the same as, nor too similar to, any immediately preceding password.
When the user enters the suggested new password, the quality of the password is displayed according to a color scale:
- Red – does not meet the minimum requirement,
- Yellow – meets the minimum requirement,
- Green – exceeds the minimum requirement.
Passwords cannot be saved until the minimum requirements are met.
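As an added illustration of the three checks described in this section and of the composition rule in section 4.1 (example code written for this page, not the joint web login's own implementation), the following Python applies the checks at a password change and assigns the color rating. The similarity threshold, the threshold for "green", and the small sample catalog are assumptions; a real deployment would load a full list of poor quality passwords.

```python
import difflib
from typing import Optional

# Characters the procedures list as recommended (section 4.1). Comma, period
# and space are listed separately there and are included here as well.
SPECIAL_CHARS = set('~!@#$%^&()_+-*/={}[]|\\:;?<>",. ')
MIN_LENGTH = 10

# Constructed sample standing in for a "catalog of poor quality passwords".
POOR_PASSWORD_CATALOG = {"123456", "password", "summer2021", "volvo", "uppsala"}

# Assumption: "too similar" means a difflib ratio of 0.8 or more against the
# immediately preceding password, compared case-insensitively.
SIMILARITY_THRESHOLD = 0.8


def composition_ok(pw: str) -> bool:
    """Section 4.1 rule: at least 10 characters, at least one uppercase and
    one lowercase letter, and at least one digit or listed special character."""
    return (
        len(pw) >= MIN_LENGTH
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() or c in SPECIAL_CHARS for c in pw)
    )


def in_poor_catalog(pw: str) -> bool:
    """Reject catalog entries and passwords made only of digits (like 123456)."""
    return pw.lower() in POOR_PASSWORD_CATALOG or pw.isdigit()


def too_similar(pw: str, previous: Optional[str]) -> bool:
    """Same as, or too close to, the immediately preceding password."""
    if previous is None:
        return False
    if pw == previous:
        return True
    ratio = difflib.SequenceMatcher(None, pw.lower(), previous.lower()).ratio()
    return ratio >= SIMILARITY_THRESHOLD


def rate(pw: str) -> str:
    """Color scale from the page. Red: below minimum. Yellow: meets minimum.
    Green (assumed threshold): 14+ characters using all four character classes."""
    if not composition_ok(pw):
        return "red"
    classes = sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in SPECIAL_CHARS for c in pw),
    ])
    return "green" if len(pw) >= 14 and classes == 4 else "yellow"


def check_new_password(pw: str, previous: Optional[str] = None) -> dict:
    """Run the three checks applied at a password change and report whether
    the password may be saved, its rating, and the reasons for rejection."""
    problems = []
    if not composition_ok(pw):
        problems.append("does not meet composition requirements")
    if in_poor_catalog(pw):
        problems.append("found in catalog of poor quality passwords")
    if too_similar(pw, previous):
        problems.append("same as or too similar to the preceding password")
    return {"accepted": not problems, "rating": rate(pw), "problems": problems}


if __name__ == "__main__":
    for candidate in ["123456", "Summer2021", "Korrekt-Hast7", "Korrekt-Hast-Batteri9"]:
        print(candidate, check_new_password(candidate, previous="Korrekt-Hast6"))
```

Note that a password can pass the composition rule and still be rejected ("Summer2021" is well formed but sits in the catalog), which is why the three checks are applied together and not as a single regular expression.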
Password protection
Secure password management means that the login service protects passwords from unauthorized access and use. In addition to this, each user is responsible for keeping their own passwords secret and secure.
Data storage and password transportation
To reduce the risk of unauthorized access to passwords, the following applies to the storage and transport of passwords:
- Passwords must never be communicated via e-mail, telephone or similar.
- Electronic storage and transport:
- Passwords must always be stored and transported in encrypted form, even on backup media
- Passwords should never be presented in readable form
- Personnel with technical access to computers, servers or data media where passwords are stored (so-called privileged permissions) must sign special accountability agreements.
- An up-to-date list of employees with privileged permissions must be maintained at the organisational unit that manages the operation of the system, normally the department for university-wide IT.
Protection against password guessing attacks
To reduce the risk of automated guessing attacks, the login must be protected by restrictions that prevent someone from making a large number of repeated login attempts (password guesses) in a short time span, so-called rate limiting.
The University's joint web login is designed so that only a certain number of attempts can be made within an hour; after that, the account is automatically locked for a specified number of minutes.
Password guessing attacks are classified as either brute force attacks or dictionary attacks.
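The lockout behaviour described above, as an added Python example that is not part of the procedures or of the joint web login's implementation. The limits (10 failed attempts within a one-hour window, 15 minutes of lockout) are constructed values, since the page gives no numbers, and the clock is injectable so the behaviour can be exercised without waiting.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict

# Constructed parameters; the procedures do not state the actual values.
MAX_FAILURES_PER_HOUR = 10
WINDOW_SECONDS = 3600
LOCKOUT_SECONDS = 15 * 60


class LoginRateLimiter:
    """Per-account rate limiting: failed attempts are counted in a sliding
    one-hour window, and reaching the limit locks the account for a fixed
    time, after which it unlocks automatically."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.failures: Dict[str, Deque[float]] = defaultdict(deque)
        self.locked_until: Dict[str, float] = {}

    def _prune(self, account: str, now: float) -> None:
        """Drop failures that fell out of the one-hour window."""
        q = self.failures[account]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_locked(self, account: str) -> bool:
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout has expired: unlock and start counting afresh.
            del self.locked_until[account]
            self.failures[account].clear()
            return False
        return True

    def record_failure(self, account: str) -> bool:
        """Register a failed attempt; return True if it triggered a lockout."""
        now = self.clock()
        self._prune(account, now)
        self.failures[account].append(now)
        if len(self.failures[account]) >= MAX_FAILURES_PER_HOUR:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, account: str) -> None:
        self.failures[account].clear()

    def attempt_login(self, account: str, password_ok: bool) -> str:
        """Return 'locked', 'ok' or 'failed'. Password verification happens
        elsewhere; a locked account is refused even with a correct password,
        so the lockout also stops a guess that happens to be right."""
        if self.is_locked(account):
            return "locked"
        if password_ok:
            self.record_success(account)
            return "ok"
        self.record_failure(account)
        return "failed"


if __name__ == "__main__":
    limiter = LoginRateLimiter()
    for _ in range(MAX_FAILURES_PER_HOUR):
        print(limiter.attempt_login("demo-user", password_ok=False))
    print(limiter.attempt_login("demo-user", password_ok=True))   # locked
```

Locking per account is what the page describes; a production service would usually also track failures per source address, since a guessing campaign can spread its attempts across many accounts.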
4.3 Password managers
A password manager is a software or service that allows users to store, generate and manage their passwords for various local applications and online services. It is a tool to ensure a safer password environment.
There are a variety of password manager variants on the market, including free software and apps as well as paid-for software. They all work in slightly different ways.
Which password manager is best suited to the task at hand varies depending on the need for protection of the resource protected by the password in question.
Password managers are especially important for user groups with high permissions in many systems, such as IT operations technicians.
For advice and support, contact the security and safety division, security@uu.se.
4.4 Exceptions
There might, in some individual systems, be special reasons not to follow the above procedures for password quality or password protection. If so, exceptions can be approved by the system owner.
Exceptions must be documented in the system’s management specifications. In addition, special consideration must be given when accessing data retrieved from other systems.
[1] https://wiki.sunet.se/display/SWAMID/SWAMID+Policy, 2021-02-26
[2] https://weblogin.uu.se, 2021-02-26
[3] https://www.nist.gov/itl/tig/projects/special-publication-800-63, 2018-08-01