1. Purpose
Account passwords are the foundation of the security of NASA Headquarters
computer systems and the information they process. Users of NASA
information technology (IT) resources expect information to be available
when it is needed, to be accurate, and to be safeguarded from
access by unauthorized personnel. Meeting these expectations
depends on the active cooperation of users, managers, support
contractors, and computer security officials in implementing effective
2. Scope
This policy applies to all computer systems that are configured
for multi-user accounts or have at least one network address that
allows remote access (under any protocol), including but not limited
to personal computers such as Macintosh, IBM PC, and IBM clones;
workstation systems such as SUN, SGI, and DEC; and mid-size and
mainframe computers such as the VAX and Amdahl. This policy establishes
the required elements for effective password management that NASA
HQ managers are expected to implement to safeguard their computing
assets and sensitive information.
3. Policy
3.1 Passwords will be used on all information technology resources
within the scope of this document to protect systems and
system-level accounts, individual accounts, and sensitive information
processed or stored by the systems.
3.2 Passwords will be unique to individuals and will not
be shared with, used by, or disclosed to others. Generic or group
passwords will not be used.
3.3 Passwords will not be embedded in automated programs,
utilities, or applications, such as autoexec.bat files, batch
job files, or terminal hot keys.
3.4 Passwords will not be visible on a screen, hardcopy,
or any other output device.
3.5 Passwords will be changed at least every 90 days.
More frequent change intervals may be established for selected
systems, applications, or accounts at the discretion of the Account/Application
Owner. Previously used passwords will not be reused, nor will
passwords be the same as the account user ID or log-in name.
3.6 Password accounts not used for a 120-day period will
be deleted. If a user will be away for an extended period of
time (e.g., leave of absence), the user can request that the Account/Application
Administrator disable the user's account for the period of absence
rather than allow the account to be deleted. If the user's account
is deleted, a new NHQ Form 224 will have to be completed to establish
3.7 Vendor or service passwords will be removed from computer
systems prior to deployment.
3.8 Account passwords will be changed promptly upon departure
of personnel (mandatory or voluntary), or suspected compromise
of the password.
3.9 When allowed by system software, password policies
will be implemented and enforced automatically by system software.
3.10 All user and system passwords should meet the following characteristics:
- Be at least six to eight characters in length.
- Consist of a mix of alpha characters, numeric characters, or special characters.
- Dictionary words, simple keyboard patterns, or character strings
  (e.g., abc or 123) shall not be used.
3.11 Supervisor passwords and passwords for similar privileged
accounts used on NASA HQ local network servers shall be known
by the Server Operations Manager and no more than one designated
Alternate Supervisor Account Manager. These passwords shall be
changed every sixty days or upon their use. The management control
of these passwords shall be accomplished by the Server Operations
Manager and approved by the NASA HQ ITS Manager.
3.12 Supervisor Equivalent and similar account privileges
granted by the Server Operations Manager for the management of
NASA HQ local networks shall be granted to the minimum number
of personnel. The management control of these passwords shall
be accomplished by the Server Operations Manager and approved
by the NASA HQ ITS Manager.
4. Waivers
If these password requirements cannot be accommodated by the operating
system or application software, or if special operational circumstances
exist, a waiver is required. Waiver requests may be in memorandum
format and will be submitted by the user through the System Administrator
to the HQ ITS Manager for approval.
5. Responsibilities
5.1 HQ ITS Manager. The HQ ITS Manager shall:
- Provide management oversight of the process for administering passwords for NASA HQ computer systems.
- Publish and maintain policy guidelines for the creation, safeguarding,
  and control of the passwords.
5.2 System/Application Administrator. Administrators
shall issue and manage passwords for systems and applications
under their control in accordance with NASA HQ policy.
5.3 Users. Users shall:
- Understand their responsibilities for safeguarding passwords.
- Use Federal information resources in accordance with Federal statutes and NASA policy.
- Understand the consequences of their failure to adhere to statutes
  and policy governing information resources.
1. Purpose
2. Scope
3. Policy
4. Waivers
5. Responsibilities
| Paula Laidlaw, NASA Service Center | 6 Oct 95 | Embed password in a batch file run to place read only Work Control reports on the FTP Server. |