Faculty of Health and Medical Sciences

Password policy


1.0 Overview

Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of the Faculty of Medicine, Dentistry, & Health Science's (FMDHS) entire corporate network. As such, all employees (including contractors and vendors with access to FMDHS systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

2.0 Purpose

The purpose of this document is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency with which they are changed.

3.0 Scope

This policy applies to all staff and students who have and are responsible for an account (or any form of access that supports or requires a password) on any system managed by the IT Unit of FMDHS at the University of Western Australia.

4.0 Policy

Passwords must be carefully chosen so that they are not easily guessed or cracked. They must be at least 8 characters long and contain characters from at least 3 of the following 4 types:

  • Uppercase letters
  • Lowercase letters
  • Numbers
  • Special characters

Guidance for choosing a good password is available from Faculty IT staff.

  • Only an Authorised Staff member or Faculty IT staff may notify a user of their password in any form.
  • Passwords are not to be shared with anyone except authorised IT Unit staff.
  • IT Unit staff or an Authorised Staff member are not to provide a password to a person other than the owner of the account. 
  • If passwords must be written down they should be kept in a safe place, preferably in a secure locked cabinet or location. Do not store passwords in a file on ANY computer system (including Palm Pilots or similar devices) without encryption.
  • Do not use the "Remember Password" feature of applications (e.g. Outlook, Netscape, Messenger, and Internet Explorer).
  • The login account name and password for that account must not be the same.
  • If an account or password is suspected to have been compromised, report the incident to the Faculty's IT Unit and change all passwords.
  • Account owners are responsible for changing their password regularly, or when requested to do so by FMDHS IT personnel.
  • Passwords will need to be changed at regular intervals as determined by the IT Unit or University policy.
  • Faculty IT Unit staff will never ask a user to confirm their password(s) via email.
  • No user should ever respond to any email request to confirm their username and/or password for any electronic system, whether for work or personal use.

5.0 Enforcement

Any employee or student found to have violated this policy may have their access to the FMDHS network restricted or withdrawn.

Guidelines for choosing a password

Password Security

NEVER, under any circumstances, should your password be the same as your username or your real name.

  • Always keep your password a secret.
  • Never tell your password to anyone else. 
  • If you must write your password down, keep it in a safe place.

How to Choose a Password

DON'T USE Words that can be associated with you
We often have a tendency to forget passwords, so we choose something that has particular relevance to ourselves: the name of a loved one, our favourite car, sport, or ice cream, etc. Anyone who knows a little about us can make a list of these words and easily crack the password. All-digit passwords usually fall into this category (birthdates, phone numbers).

DON’T USE Dictionary, Atlas, etc. words
A computer can test an entire dictionary of such words in less than an hour. A program with access to a good dictionary has a very good chance of cracking a password that is a real word. Crackers may have access to extensive dictionaries of words, place names, foreign languages, song titles, Shakespearean characters, street directories and the like. Such a dictionary attack also covers minor modifications of those words, such as the addition of a digit or an initial uppercase letter.

DO USE
Preferably something you can remember, that can be typed quickly and accurately, and that combines characters from several of the four types (uppercase, lowercase, numbers and special characters) rather than consisting of lowercase letters alone.

Examples
  • Made-up "words" - chokBel8 (can be "pronounced" and contains a digit)
  • Personal acronyms - ihCbltdT (i hate Coffee but love to drink Tea)
  • Misspelled and/or inverted syllables or words - D0gzmaDD (instead of 'mad dogs'; also replaces the letter o with the digit zero)
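The following checker is an added example, not part of the Faculty's policy or any FMDHS tool. It applies the section 4.0 rule (at least 8 characters, at least 3 of the 4 character types), the "password must not equal the account name or real name" rules, and the guideline warnings about all-digit passwords and dictionary words with minor modifications. Assumptions: the policy does not define "special characters", so any character that is neither a letter nor a digit is treated as one; the wordlist is a small constructed stand-in for a cracker's dictionary; and "minor modifications" are stripped by removing digits and punctuation from the ends of the candidate and lowercasing it.

```python
import string

MIN_LENGTH = 8    # policy section 4.0
MIN_CLASSES = 3   # at least 3 of the 4 character types

# Constructed stand-in for a cracker's wordlist (words, names, places).
# A real deployment would load a large dictionary file instead.
SAMPLE_WORDLIST = {"password", "welcome", "perth", "hamlet", "summer", "coffee"}


def character_classes(password):
    """Return the set of character types present: upper, lower, digit, special.
    Assumption: anything that is not a letter or digit counts as 'special'."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def dictionary_base(password):
    """Undo the 'minor modifications' the guidelines warn about: leading or
    trailing digits/punctuation and capitalisation, so 'Summer1!' -> 'summer'."""
    return password.strip(string.digits + string.punctuation).lower()


def check_password(password, username, real_name="", wordlist=SAMPLE_WORDLIST):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    lowered = password.lower()

    # Section 4.0: length and character-type requirements.
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(password)) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} of the 4 character types")

    # Password must not be the account name or the owner's real name.
    if lowered == username.lower():
        problems.append("same as the account name")
    # Assumption: name parts of 3+ letters appearing anywhere in the password count.
    name_parts = [p for p in real_name.lower().split() if len(p) >= 3]
    if any(p in lowered for p in name_parts):
        problems.append("contains the account owner's real name")

    # Guidelines: all-digit passwords and dictionary words with minor changes.
    if password.isdigit():
        problems.append("all digits (birthdate or phone number pattern)")
    base = dictionary_base(password)
    if base in wordlist:
        problems.append(f"dictionary word '{base}' with only minor modifications")

    return problems


if __name__ == "__main__":
    # The page's own examples plus a few constructed weak choices.
    for candidate in ["chokBel8", "ihCbltdT", "D0gzmaDD", "Summer1!", "jsmith", "19850312"]:
        result = check_password(candidate, username="jsmith", real_name="Jane Smith")
        print(f"{candidate:12} {'OK' if not result else '; '.join(result)}")
```

Running it on the page's own examples shows that chokBel8 and D0gzmaDD pass, while ihCbltdT is reported as having fewer than 3 of the 4 character types: a personal acronym made only of letters needs a digit or special character added before it satisfies section 4.0. Summer1! passes the complexity rule but is still rejected, because stripping the trailing digit and punctuation leaves a dictionary word; this is exactly the "minor modification" case the guidelines describe, and it is why a complexity check alone is not sufficient.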