Title VI, Section 467 – Identification and Authentication Requirements: Password Standards

      A.    PURPOSE

The following standard is intended to improve current security with regard to passwords and to bring the County-wide standard into compliance with current requirements for State Network Access (Department of Motor Vehicles, Department of Justice) and with industry security standards for Microsoft and Unix-like systems. This standard outlines requirements for password construction and password resets.

      B.    POLICY DESCRIPTION

For each of their accounts, including LAN, VPN and application-level authentication for Microsoft and Unix-like systems, a user will be required to construct a password that meets the following criteria:

·        Contain at least eight characters

·        Not be reused until at least 12 different passwords have been used

·        Be changed at least every 90 days

·        Meet the following standards for complexity:


The password must contain characters from at least three of the following four categories:

         English uppercase characters (A-Z)

         English lowercase characters (a-z)

         Digits (0-9)

         Non-alphanumeric (for example: !, $, #)


The password must not contain three or more characters from the user’s account name.
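The construction rules above, together with the 12-password history and the 90-day change interval, expressed as checks in Python. This is an added worked example, not the County's tooling or any vendor's password filter. Two points the policy text leaves open are interpreted here and marked as assumptions in the code: "three or more characters from the user's account name" is read as any run of three consecutive characters of the account name appearing in the password (case-insensitive), and "changed at least every 90 days" is read as a change being due once 90 days have elapsed. The account name and passwords used in the demonstration are constructed values.

```python
"""Checker for the Section 467 password standard (added example, not County code).

Readings of the policy that it does not spell out are marked ASSUMPTION.
"""
import hashlib
import hmac
import os
import string
from datetime import date

MIN_LENGTH = 8          # "at least eight characters"
MIN_CATEGORIES = 3      # "at least three of the following four categories"
ACCOUNT_NAME_RUN = 3    # "three or more characters from the user's account name"
HISTORY_DEPTH = 12      # "not be reused until at least 12 different passwords"
MAX_AGE_DAYS = 90       # "changed at least every 90 days"
PBKDF2_ROUNDS = 100_000

# The four categories as the policy words them (English letters only, so an
# accented letter counts toward no category).
CATEGORIES = {
    "uppercase": lambda c: c in string.ascii_uppercase,
    "lowercase": lambda c: c in string.ascii_lowercase,
    "digit": lambda c: c in string.digits,
    "non-alphanumeric": lambda c: not c.isalnum(),
}


def categories_used(password: str) -> list[str]:
    """Names of the categories that appear at least once in the password."""
    return [name for name, test in CATEGORIES.items() if any(test(c) for c in password)]


def contains_account_name_run(password: str, account_name: str) -> bool:
    """ASSUMPTION: the 'three or more characters' rule is read as any run of
    ACCOUNT_NAME_RUN consecutive characters of the account name appearing in
    the password, compared case-insensitively. Checking every window of
    exactly ACCOUNT_NAME_RUN characters also catches longer shared runs."""
    pw, name = password.lower(), account_name.lower()
    return any(name[i:i + ACCOUNT_NAME_RUN] in pw
               for i in range(len(name) - ACCOUNT_NAME_RUN + 1))


def construction_violations(password: str, account_name: str) -> list[str]:
    """Every construction rule the candidate breaks (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    used = categories_used(password)
    if len(used) < MIN_CATEGORIES:
        problems.append(f"uses {len(used)} of 4 character categories "
                        f"({', '.join(used) or 'none'}); {MIN_CATEGORIES} required")
    if contains_account_name_run(password, account_name):
        problems.append(f"contains {ACCOUNT_NAME_RUN}+ consecutive characters "
                        f"of account name {account_name!r}")
    return problems


def history_entry(password: str) -> tuple[bytes, bytes]:
    """(salt, digest) to store for the reuse check. PBKDF2 is used only
    because it is in the standard library; a memory-hard hash such as argon2
    is the better choice where available."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def reused_recently(password: str, history: list[tuple[bytes, bytes]]) -> bool:
    """True if the password matches any of the newest HISTORY_DEPTH entries.
    `history` is newest-first; older entries are ignored, so a password that
    has since been followed by 12 different ones may legitimately return."""
    return any(
        hmac.compare_digest(
            hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS), digest)
        for salt, digest in history[:HISTORY_DEPTH]
    )


def change_due(set_on: date, today: date) -> bool:
    """ASSUMPTION: 'at least every 90 days' is read as a change being due once
    MAX_AGE_DAYS have elapsed since the password was set."""
    return (today - set_on).days >= MAX_AGE_DAYS


if __name__ == "__main__":
    # Constructed sample inputs, not real account data.
    for pw in ["Smith2024!", "correcthorse", "Tr0ub4dor&3", "Ab1!"]:
        print(f"{pw!r}: {construction_violations(pw, 'jsmith') or 'compliant'}")
    hist = [history_entry(f"OldPassw0rd!{i}") for i in range(13)]  # newest first
    print("reuse of newest:", reused_recently("OldPassw0rd!0", hist))   # True
    print("reuse of 13th-newest:", reused_recently("OldPassw0rd!12", hist))  # False
    print("change due:", change_due(date(2024, 1, 1), date(2024, 4, 1)))  # True
```

The checker reports every rule a candidate breaks rather than stopping at the first, which is what a help-desk operator or self-service reset page needs to tell the user what to fix. Lockout after six failed attempts is an authentication-time control and is deliberately left to the directory or PAM configuration that enforces it.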

Users are also recommended to apply the following guidelines for password construction:

·        Not contain a word from any dictionary, or any name

·        Not contain information that is easily guessed (for example, a child’s name or a birth date)

User accounts will be disabled after 6 unsuccessful attempts to enter the correct password. The appropriate Help Desk personnel or designated departmental agent will only reset passwords after the user has successfully verified their identity.

The County of Santa Cruz will use current appropriate system tools to enforce construction of strong passwords whenever possible.