Passwords

1.0 Scope

The procedure applies to all individuals who have, or are responsible for, an account (or any form of access that supports or requires a password) on any system that resides at any Northland Pioneer College (NPC) facility, has access to the NPC network, or stores any non-public NPC information.

2.0 Purpose

This procedure defines standards for creation of strong passwords, their protection, and required frequency of change.

3.0 Definitions

3.1 Microsoft Azure Active Directory - A cloud-based identity and access management service that enables employees to securely access external and internal resources.

3.2 Enterprise Resource Planning system - Higher education Enterprise Resource Planning (ERP) systems manage and automate workflows at colleges and universities. ERPs standardize and streamline the flow of information between all business functions and departments within an institution. This is made possible by the ERP combining the functionality of multiple systems such as a student information systems (SIS), school administration software, human resources, and financial management.

3.3 Multi-Factor Authentication (MFA) - An authentication method that requires the user to provide two or more verification factors, such as (1) a password and (2) approval from a mobile device, to gain access to a resource.

3.4 Virtual Private Network (VPN) - A mechanism used to create a secure connection between a computer or device located on the public internet and the NPC internal network.

3.5 Local Administrator Password Solution (LAPS) -  A password manager integrated into Active Directory that allows the management and rotation of passwords for local administrative accounts across all Windows devices.

4.0 Procedure

All NPC users including students, employees, and contractors (including contractors and vendors with access to NPC systems) are responsible for taking the appropriate steps, as outlined below to select and secure their passwords. Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password could result in the compromise of NPC's entire computer network.

4.1 Standards for Creating Strong Passwords
All user-level and system-level passwords must conform to NPC's Guidelines for Construction of Strong Passwords, described below.

4.2 Guidelines for Construction of Strong Passwords
Passwords are used for various purposes at NPC. Some of the more common uses include: Active Directory accounts, web accounts, email accounts and ERP logins. Since it is very easy to guess or crack certain types of passwords, everyone should be aware of how to select strong passwords.
Users must construct strong password characteristics for Active Directory:
a) Must be at least 25-character alphanumeric character in length
b) Use of special characters and the mix of upper-case letters and numbers is not required but strongly encouraged to enhance the strength of the password’s integrity.
c) For Active Directory, Password History is set to 5, Minimum Password Age is set to 24 hours, and the lockout policy is after 5 failed logins in 30 minutes, the account is locked for 30 minutes
Accounts with elevated privileges do not automatically unlock.
Users must construct strong password characteristics for ERP:
a) Must be at least eight alphanumeric character length
b) Use of special characters and the mix of upper-case letters and numbers is not required but strongly encouraged to enhance the strength of the passwords integrity.
Users must construct strong password characteristics for Gmail:
a) Must be at least eight alphanumeric character length
b) Use of special characters and the mix of upper-case letters and numbers is not required but strongly encouraged to enhance the strength of the passwords integrity.
Multi-Factor Authentication for VPN Access and Remote Server Logins:
a)    Users who have VPN access are required to use Multi-Factor Authentication when logging into VPN.
b)    Computers that have Jenzabar client software installed on them are required to use Multi-Factor Authentication when logging into the computer.

4.3 Standards for Password Protection
All passwords are to be treated as sensitive, confidential -college information. Certain passwords must be changed on a regular basis (see Standards for Frequency of Changing Passwords).
Passwords MUST remain confidential. Users must NEVER:
a) reveal a password in an email message, instant message, or other forms of electronic communication
b) share a password:
1.    over the phone
2.    on questionnaires or security forms
3.    with other employees or students, supervisors, administrative assistants, student workers, friends, or family members
4.    talk about a password in front of others including to hint at the format of a password (e.g., “my family name”)
c) write down passwords and store them anywhere in your office or room
d) store passwords in a file on any computer system without encryption
e) Use the same password for college accounts as for non-College access (e.g., personal e-mail account, electronic banking, social media accounts, benefits, etc.)
Here are some best practices for creating secure passwords
a) Do not use a word found in a dictionary (English or foreign)
b) Do not use a common usage word (Password, 123456789, Qwerty, etc)
c) Do not use information found on social media such as children or pets names
d) A suggested way to create a password is to devise a mnemonic on a song, book title, or other phrase. 
e) Make complex passwords that include uppercase, lowercase, numbers and special characters.  Northland Pioneer College would become N0rth1&nd Pi0n33r C0113g3.
No College student or employee should ever make a request to another member of the community for their password. If someone demands a password for a college computer or account, please refer them to this procedure, or have them contact NPC’s Support Center.
If an account or password is suspected to have been compromised, report the incident by contacting the Support Center and then change ALL of your passwords as soon as possible.

4.4 Standards for Frequency of Changing Passwords
a) Following National Institute of Standards and Technology (NIST) recommendations, users are not required to change their passwords.
b) Special incidents (security breach, data compromise, etc.) may require users to change passwords in accordance with instructions from TAS employees.

4.5 Password Resets
Password requests will be reset by phone or in person by contacting the Support Center. When requesting a password reset, individuals will be asked a set of security questions to verify the identity of the person requesting the action.
New accounts will have a password set by an automated Human Resources process. The user will be required to change this password upon their first login to the associated system.

4.6 Additional Protections
a) Local Administrator logins are controlled by LAPS and changed every 30 days.
b) TAS Network and Systems Teams passwords are securely stored in an encrypted password manager.