Password Procedures

 

Users Responsible for All Activities Involving Personal User-IDs

Users are responsible for all activity performed with their personal user-IDs. User-IDs may not be utilized by anyone but the individuals to whom they have been issued. Users must not allow others to perform any activity with their user-IDs. Similarly, users are forbidden from performing any activity with IDs belonging to other employees, except workstation-specific user-IDs. If users need to share computer-resident data, they should use electronic mail, public directories on local area network servers, and other mechanisms. This policy does not prevent the use of default passwords--typically used for new user-ID assignment or password reset situations--which are then immediately changed when the user next logs on to the involved system.

User-ID and Password Required for Computer-Connected Network Access

Everyone who has a legitimate need to access our network may have an account established on all the necessary Salt Lake City Corporation computers. Your account details the resources that you will have access to. The key to this account is a personal user-ID. Associated with this ID is a secret password which you construct. Each time you log in to the network, you must verify your identity by specifying your personal user-ID and secret password.

User-ID Construction

No matter how many systems they access, Salt Lake City Corporation users must have only one computer system user-ID. Unless advance permission from the Security Administrator has been granted, all computer system administrators must consistently observe the user-ID naming standards.

Minimum Password Length

The length of passwords must always be checked automatically at the time that users construct or select them. All passwords must have at least six (6) characters.

Passwords Must Contain Both Alphabetic and Non-Alphabetic Characters

All user-chosen passwords must contain at least two (2) alphabetic and two (2) non-alphabetic characters. Non-alphabetic characters include numbers (0-9) and some punctuation. The use of control characters and other non-printing characters is not allowed because they may inadvertently cause network transmission problems or unintentionally invoke certain system utilities.

Difficult-to-Guess Passwords Required

All computer system users must choose passwords that cannot be easily guessed. This means passwords must never be the same as the user-ID, and passwords must not be a word found in the dictionary or some other part of speech. For example, proper names, places, and slang must not be used.

Suggestions for constructing a difficult-to-guess yet easy-to-remember password are as follows:

o   string several words together (these passwords are also known as "passphrases"); an example would be "14the$", "24theshow", "32getready", "and42go"

o   shift a word up, down, left or right one row on the keyboard

o   bump characters in a word a certain number of letters up or down the alphabet

o   combine punctuation or numbers with a regular word

o   create acronyms from words in a song, a poem, or another known sequence of words

o   combine a number of personal facts like birth dates and favorite colors

o   combine upper and lower case letters.

Periodic Password Changes

All users must change their passwords at least once every fifty-six (56) days. Failure to do so will result in the disabling of the user's account. To enable the account, the user must notify the Help Desk X7272 with proof of identity.

Writing Passwords Down and Leaving Them Where Others Could Discover Them

Passwords must not be written down and left in a place where unauthorized persons might discover them.

User-Chosen Passwords Must Not Be Reused

Users must not construct passwords that are identical or substantially similar to passwords that they previously employed in the last ten (10) instances of changing passwords.

Suspected Disclosure Requires Password Changes

Aside from initial password assignment and password reset situations, if there is reason to believe that a password has been disclosed to someone other than the authorized user, the password must be immediately changed.

Unused Accounts Will Be Deleted

All user accounts that have not been used for one hundred eighty (180) days will be disabled from computer security files. To reestablish the account, the user must notify the Security Administrator and repeat the processes required of a new user.

Limit on Consecutive Unsuccessful Attempts to Enter a Password

To prevent password guessing attacks, the number of consecutive attempts to enter an incorrect password must be strictly limited. After five (5) unsuccessful attempts to enter a password, the involved user-ID will be suspended until reset by the Help Desk X7272.

Assignment of Expired Passwords

Wherever system software permits, the initial passwords issued to a new user by a network administrator must be valid only for the involved user's first on-line session. At that time, the user must be forced to choose another password before any other work can be done.

Display and Printing of Passwords

Wherever system software permits, the display and printing of passwords must be masked, suppressed, or otherwise obscured such that unauthorized parties will not be able to observe or subsequently recover them.

Storage of Passwords in Readable Form

Passwords must not be stored in readable form in batch files, automatic log-in scripts, software macros, web pages, in computers without access control, or in other locations where unauthorized persons might discover them.

Prevention of Password Retrieval

Computer and communication systems must be designed, tested, and controlled so as to prevent the retrieval of stored passwords--whether they appear in encrypted or unencrypted form.

Reliance on Operating System User Authentication Process

Salt Lake City Corporation application systems developers must consistently rely on the password access controls provided by an operating system or an access control package that enhances the operating system. Developers must not construct separate mechanisms to collect passwords or user-IDs, nor must they rely on other mechanisms to identify or authenticate the identity of users.

Changing Vendor Default Passwords

All vendor-supplied default passwords must be changed before any computer or communications system is used for Salt Lake City Corporation business.

Password Change Procedure

The following procedure can be followed to change your password(s) on Salt Lake City Corporation computers:

1. From the desktop, use the “Control, Alt, Delete” keys and select the option to change your password.

2. Call the Help Desk (X7272).