NASA Headquarters

Computer System Password Policy

Information Systems & Technologies Office

August 10, 1995

1. PURPOSE

Account passwords are the foundation of the security of NASA Headquarters computer systems and the information they process. Users of NASA information technology (IT) resources expect information to be available when it is needed, to be accurate, and to be safeguarded from access by unauthorized personnel. Meeting these expectations depends on the active cooperation of users, managers, support contractors, and computer security officials in implementing effective password policies.

2. SCOPE

This policy applies to all computer systems that are configured for multi-user accounts or have at least one network address that allows remote access (under any protocol), including but not limited to personal computers such as Macintosh, IBM PC, and IBM clones; workstation systems such as SUN, SGI, and DEC; and mid-size and mainframe computers such as the VAX and Amdahl. This policy establishes the required elements for effective password management that NASA HQ managers are expected to implement to safeguard their computing assets and sensitive information.

3. POLICY

3.1 Passwords will be used on all information technology resources within the scope of this document to protect systems and system-level accounts, individual accounts, and sensitive information processed or stored by the systems.

3.2 Passwords will be unique to individuals and will not be shared with, used by, or disclosed to others. Generic or group passwords will not be used.

3.3 Passwords will not be embedded in automated programs, utilities, or applications, such as autoexec.bat files, batch job files, and terminal hot keys.

3.4 Passwords will not be visible on a screen, hardcopy, or any other output device.

3.5 Passwords will be changed at least every 90 days. More frequent change intervals may be established for selected systems, applications, or accounts at the discretion of the Account/Application Owner. Previously used passwords will not be reused, nor will passwords be the same as the account user ID or log-in name.

3.6 Password accounts not used for a 120-day period will be deleted. If a user will be away for an extended period of time (e.g., leave of absence), the user can request that the Account/Application Administrator disable the user's account for the period of absence rather than allow the account to be deleted. If the user's account is deleted, a new NHQ Form 224 will have to be completed to establish the account.

3.7 Vendor or service passwords will be removed from computer systems prior to deployment.

3.8 Account passwords will be changed promptly upon departure of personnel (mandatory or voluntary), or suspected compromise of the password.

3.9 When allowed by system software, password policies will be implemented and enforced automatically by system software.

3.10 All user and system passwords should meet the following characteristics:

Be at least six to eight characters in length.

Consist of a mix of alpha characters, numeric characters, or special characters.

Dictionary words, simple keyboard patterns, or character strings (e.g., abc or 123) shall not be used.

3.11 Supervisor passwords and passwords for similar privileged accounts used on NASA HQ local network servers shall be known by the Server Operations Manager and no more than one designated Alternate Supervisor Account Manager. These passwords shall be changed every sixty days or upon their use. The management control of these passwords shall be accomplished by the Server Operations Manager and approved by the NASA HQ ITS Manager.

3.12 Supervisor Equivalent and similar account privileges granted by the Server Operations Manager for the management of NASA HQ local networks shall be granted to the minimum number of personnel. The management control of these passwords shall be accomplished by the Server Operations Manager and approved by the NASA HQ ITS Manager.

4. WAIVERS

If these password requirements cannot be accommodated by the operating system or application software, or if special operational circumstances exist, a waiver is required. Waiver requests may be in memorandum format and will be submitted by the user through the System Administrator to the HQ ITS Manager for approval.

5. RESPONSIBILITIES

5.1 HQ ITS Manager. The HQ ITS Manager shall:

Provide management oversight of the process for administering passwords for NASA HQ computer systems.

Publish and maintain policy guidelines for the creation, safeguarding, and control of the passwords.

5.2 System/Application Administrator. Administrators shall issue and manage passwords for systems and applications under their control in accordance with NASA HQ policy.

5.3 Users. Users shall:

Understand their responsibilities for safeguarding passwords.

Use Federal information resources in accordance with Federal statutes and NASA policy.

Understand the consequences of their failure to adhere to statutes and policy governing information resources.







Contents

1. Purpose

2. Scope

3. Policy

4. Waivers

5. Responsibilities

Exceptions to Policy

Submitted By: Paula Laidlaw, NASA Service Center
Date: 6 Oct 95
Exception Summary: Embed password in a batch file run to place read only Work Control reports on the FTP Server.
Approved By: Linda Perez
Date: 13 Oct 95