UK National HPC Service


CSAR Password Policy

Passwords are the entry point to the CSAR resources. Creating strong passwords and protecting access to CSAR resources is pivotal in ensuring that the CSAR service remains secure. As such, all CSAR personnel and users who have to access the service are responsible for taking appropriate steps to create and protect their passwords.

Requirements

Weak and non-compliant passwords are a major vulnerability in any computer system and are the most commonly exploited security feature. To protect the CSAR service, a strong password must be used. The following guidelines should be adhered to.

Password Rules and Format

  • The minimum length of a password will be eight (8) characters.
  • Passwords will contain a mix of uppercase, lowercase and numeric characters (a-z, A-Z, 0-9).
  • Dictionary words and passwords based on dictionary words will be rejected.
  • New passwords cannot be the same or similar to old passwords.
  • Passwords on CSAR machines should be different from those used on non-CSAR systems.

Password Expiry and Account Lockouts

Passwords will need to be changed regularly on all CSAR systems. They will be set up with the following characteristics:

  • Maximum Password Lifetime: 91 Days
  • Warnings prior to expiry: 14 days

Password history will be implemented where possible.

Expired passwords will need to be updated within 60 days of the expiry date. Failure to revalidate an expired password within 60 days will automatically render the account ‘locked out’. Locked out accounts will need authorisation by the PI before revalidation can take place.

Contact the CSAR Help Desk for help with any of the above access problems.

Password Protection

  • Do not use the same password for CSAR accounts as you use for other systems.
  • Do not share your CSAR password with anyone.
  • Do not reveal your password in an email to somebody.
  • Do not discuss your password in front of others.
  • Do not reveal passwords to co-workers while on holiday.
  • Do not use the ‘Remember Password’ feature of applications.
  • Do not write passwords down and store them anywhere in your office unless absolutely necessary. Precautions should be taken to protect passwords that are written down, i.e., they must be stored in a locked safe, file cabinet or desk.
  • Do not store or transfer passwords in any file on any computer system without prior encryption.
  • If an account or password is suspected of being compromised, report it to the CSAR Help Desk immediately and change your passwords.

Password Protection

Periodically, passwords may be randomly tested by CSC security or administration staff using password cracking/guessing tools. If a password is guessed or cracked during the scan, the user will be required to change it immediately, and the PI will be notified. If the user fails to change the password within two (2) working days, the account will be locked and will not be unlocked without a request to do so from the PI.

Page maintained by This page last updated: Thursday, 26-Jan-2006 14:44:27 GMT