| Introduction |
User authentication is a means to control who has access
to an Information Resource system. Controlling the access is
necessary for any Information Resource. Access gained by a non-authorized
entity can cause loss of information confidentiality, integrity
and availability that may result in loss of revenue, liability,
loss of trust, or embarrassment to The City Of El Paso.
Three factors, or a combination of these factors, can be used
to authenticate a user. Examples are:
- Something you know – password, Personal Identification
Number (PIN)
- Something you have – Smartcard
- Something you are – fingerprint, iris scan, voice
- A combination of factors – Smartcard and a PIN
|
| Purpose |
The purpose of The City Of El Paso Password Policy is to establish
the rules for the creation, distribution, safeguarding, termination,
and reclamation of the City Of El Paso user authentication mechanisms. |
| Audience |
The City Of El Paso Password Policy applies equally to all individuals
who use any City Of El Paso information resource. |
| Password Policy |
- All passwords, including initial passwords, will be constructed
and implemented according to the following City Of El
Paso IT rules:
  - It will be routinely changed
  - It will adhere to a minimum length as established by
  The City Of El Paso IS
  - It will be a combination of alpha and numeric characters
  - It will not be anything that can easily be tied back to
  the account owner such as: user name, social security
  number, nickname, relative’s names, birth date,
  etc.
  - It will not be dictionary words or acronyms
  - Password history will be kept to prevent the reuse of
  a password
- No passwords will be Stored passwords .
- User account passwords will not be divulged to anyone. The
City Of El Paso IS and IS contractors will not ask for user
account passwords.
- Security tokens (i.e. Smartcard) will be returned on demand
or upon termination of the relationship with The City Of El
Paso.
- If the security of a password is in doubt, the password
will be changed immediately.
- Administrators will not circumvent the Password Policy for
the sake of ease of use.
- Users cannot circumvent password entry with auto logon,
application remembering, embedded scripts or hardcoded passwords
in client software. Exceptions may be made for specific applications
(like automated backup) with the approval of The City Of El
Paso ISO. In order for an exception to be approved there will
be a procedure to change the passwords.
- Computing devices will not be left unattended without enabling
a password-protected screensaver or logging off of the device.
- IS Helpdesk password change procedures will include the
following:
  - Authenticate the user to the helpdesk before changing
  password
  - Change to a strong password
  - The user will change password at first login
- In the event passwords are found or discovered, the following
steps will be taken:
  - Take control of the passwords and protect them
  - Report the discovery to The City Of El Paso Help Desk
  - Transfer the passwords to an authorized person as directed
  by The City Of El Paso ISO
|
| Create a strong password |
- Combine short, unrelated words with numbers or special characters. For
example: eAt42peN
- Make the password difficult to guess but easy to remember
- Substitute numbers or special characters for letters (but
do not just substitute). For example:
  - livefish - is a bad password
  - L1veF1sh - is better and satisfies the rules, but setting
  a pattern of 1st letter capitalized, and i's substituted
  by 1's can be guessed
  - l!v3f1Sh - is far better, the capitalization and substitution
  of characters is not predictable
|