52-5-6: PASSWORD PROCEDURES:
   A.   Users Responsible For All Activities Involving Personal User IDs: Users are responsible for all activity performed with their personal user IDs. User IDs may not be utilized by anyone but the individuals to whom they have been issued. Users must not allow others to perform any activity with their user IDs. Similarly, users are forbidden from performing any activity with IDs belonging to other employees, except workstation specific user IDs. If users need to share computer resident data, they should use electronic mail, public directories on local area network servers and other mechanisms. This chapter does not prevent the use of default passwords, typically used for new user ID assignment or password reset situations, which are then immediately changed when the user next logs onto the involved system.
   B.   User ID And Password Required For Computer Connected Network Access: Everyone who has a legitimate need to access our network may have an account established on all the necessary Salt Lake City Corporation computers. Your account details the resources that you will have access to. The key to this account is a personal user ID. Associated with this ID is a secret password which you construct. Each time you log in to the network, you must verify your identity by specifying your personal user ID and secret password.
   C.   User ID Construction: No matter how many systems they access, Salt Lake City Corporation users must have only one computer system user ID. Unless advance permission from the Security Administrator has been granted, all computer system administrators must consistently observe the user ID naming standards.
   D.   Minimum Password Length: The length of passwords must always be checked automatically at the time that users construct or select them. All passwords must have at least six (6) characters.
   E.   Passwords Must Contain Both Alphabetic And Nonalphabetic Characters: All user chosen passwords must contain at least two (2) alphabetic and two (2) nonalphabetic characters. Nonalphabetic characters include numbers (0-9) and some punctuation. The use of control characters and other nonprinting characters is not allowed because they may inadvertently cause network transmission problems or unintentionally invoke certain system utilities.
   F.   Difficult To Guess Passwords Required:
      1.   All computer system users must choose passwords that cannot be easily guessed. This means passwords must never be the same as the user ID passwords, must not be a word found in the dictionary or some other part of speech. For example, proper names, places and slang must not be used.
      2.   Suggestions for constructing a difficult to guess yet easy to remember password are as follows:
         a.   String several words together (these passwords are also known as "passphrases"); examples would be "14the$", "24theshow", "32getready" and "42go";
         b.   Shift a word up, down, left or right one row on the keyboard;
         c.   Bump characters in a word a certain number of letters up or down the alphabet;
         d.   Combine punctuation or numbers with a regular word;
         e.   Create acronyms from words in a song, a poem or another known sequence of words;
         f.   Combine a number of personal facts, like birth dates and favorite colors;
         g.   Combine upper and lower case letters.
   G.   Periodic Password Changes: All users must change their passwords at least once every fifty six (56) days. Failure to do so will result in the disabling of the user's account. To enable the account, the user must notify the Help Desk (X7272) with proof of identity.
   H.   Writing Passwords Down And Leaving Where Others Could Discover: Passwords must not be written down and left in a place where unauthorized persons might discover them.
   I.   User Chosen Passwords Must Not Be Reused: Users must not construct passwords that are identical or substantially similar to passwords that they had previously employed for the last ten (10) instances of changing passwords.
   J.   Suspected Disclosure Requires Password Changes: Aside from initial password assignment and password reset situations, if there is reason to believe that a password has been disclosed to someone other than the authorized user, the password must be immediately changed.
   K.   Unused Accounts Will Be Deleted: All user accounts that have not been used for one hundred eighty (180) days will be disabled from computer security files. To reestablish the account, the users must notify the Security Administrator and repeat the processes required of a new user.
   L.   Limit On Consecutive Unsuccessful Attempts To Enter Password: To prevent password guessing attacks, the number of consecutive attempts to enter an incorrect password must be strictly limited. After five (5) unsuccessful attempts to enter a password, the involved user ID will be suspended until reset by the Help Desk (X7272).
   M.   Assignment Of Expired Passwords: Wherever system software permits, the initial passwords issued to a new user by a network administrator must be valid only for the involved user's first online session. At that time, the user must be forced to choose another password before any other work can be done.
   N.   Display And Printing Of Passwords: Wherever system software permits, the display and printing of passwords must be masked, suppressed or otherwise obscured such that unauthorized parties will not be able to observe or subsequently recover them.
   O.   Storage Of Passwords In Readable Form: Passwords must not be stored in readable form in batch files, automatic login scripts, software macros, web pages, in computers without access control, or in other locations where unauthorized persons might discover them.
   P.   Prevention Of Password Retrieval: Computer and communication systems must be designed, tested and controlled so as to prevent the retrieval of stored passwords, whether they appear in encrypted or unencrypted form.
   Q.   Reliance On Operating System User Authentication Process: Salt Lake City Corporation application systems developers must consistently rely on the password access controls provided by an operating system or an access control package that enhances the operating system. Developers must not construct separate mechanisms to collect passwords or user IDs, nor must they rely on other mechanisms to identify or authenticate the identity of users.
   R.   Changing Vendor Default Passwords: All vendor supplied default passwords must be changed before any computer or communications system is used for Salt Lake City Corporation business.
   S.   Password Change Procedure: The following procedure can be followed to change your password(s) on Salt Lake City Corporation computers:
      1.   From the desktop, use "control, alt, delete keys" and select change your password.
      2.   Call the Help Desk (X7272). (2019 Compilation)