Computer Account and Password Policies
Scope
These policies deal with accounts and passwords on the (currently mostly Linux) network of the
Center for Computational Mathematics
and the Department of Mathematical and Statistical Sciences.
These are different from the accounts and passwords administered by
the UCD IT Services for their
Windows domains, official UCD email, and other computer resources.
Background
Computer accounts are the basic security tool to control access to computer
resources and to preserve privacy and integrity of user files. A stolen
user account is typically the first step in a more serious security compromise.
Idle accounts are often stolen without anyone noticing. Users need to be
informed about management of their account passwords.
Creating Accounts
Permanent accounts are created for faculty, students, and other affiliates
of the Department of Mathematical and Statistical Sciences
and the Center for Computational Mathematics
on request. Temporary class accounts are created for all students in a
class that requires access. Extension of student accounts or creation of
a guest account is possible upon request by a permanent faculty member
sponsoring the account.
Password Creation and Change
The initial password is set on math.
Accounts for the beowulf system are created on request.
Accounts on other machines are created by copying the current password information from math.
Users should change their initial password by using the passwd command, immediately upon first logging on to the math server.
Password changes are automatically applied to other servers within 24 hours.
Users must pick strong passwords, at least 8 characters long, with a mix of letters,
digits, and special characters.
Communication of Passwords
Passwords are generally given in person only. Presentation of an ID may
be required of people that we do not know personally. Passwords for class
accounts are distributed to students by the instructor. Passwords may be
given by phone if the user is known to us personally and we initiate the
phone call. Passwords may not be sent by email under any circumstances.
Users must not send passwords by email even if it is to inquire about their
own accounts. Users must guard their passwords and may not give them to
anyone or use them as passwords on other machines or web sites.
Disabling Accounts
Accounts may be disabled when necessary as listed below. There is no warning.
A failed login usually does not indicate whether the account was disabled,
the password was wrong, or the account does not exist.
- Temporary student accounts for the purpose of a class are disabled after
the term of the class for which they were created.
- Permanent student accounts are disabled after the student graduates.
- Employee accounts are disabled after the employee leaves.
- All accounts may be continued as guest accounts if requested by a permanent
faculty member who sponsors the account.
- Accounts on a machine where the user has not logged in for more than six
months may be disabled.
- Accounts on a machine where the user has not changed the initial password
within one month may be disabled.
- Any account that is reasonably suspected to be compromised, e.g., accessed
by someone other than the user, will be disabled immediately.
- Accounts with easy-to-guess passwords may be automatically identified and disabled.
- All accounts may be disabled in the event of a security incident.
Re-enabling Accounts
Disabled accounts and files in them are kept for one year unless this presents
a disk space problem, and deleted afterwards. Files from deleted accounts
can be recovered from tape backups though recovery may not be possible
after several years. An account that has been disabled and not yet deleted
may be re-enabled by creating a new initial password. All rules about password
creation, change, and communication apply. It is not possible to set the password
to its old value or to a value requested by the user.
Account Use and Access
Standard UCD computer use policies apply.
In particular, computers cannot be used as mail servers.
Access from anywhere other than the local network on the 6th floor of the
UCD building is available only by ssh to math first.
Anticipated Changes
A PASSWORD MANAGEMENT SYSTEM HAS BEEN IMPLEMENTED TO ALLOW A SINGLE PASSWORD FOR ALL MACHINES.
PASSWORDS ON ALL MACHINES, OTHER THAN MATH, ARE AUTOMATICALLY CHANGED TO MATCH THE MATH PASSWORDS
ONCE EACH DAY. FOR THIS REASON, USERS ARE ASKED TO MAKE ALL PASSWORD CHANGES ON MATH AND
TO KEEP THEIR ACCOUNTS ON MATH ACTIVE.
Center for Computational Mathematics (CCM)
University of Colorado Denver
Campus Box 170, P.O. Box 173364
Denver, Colorado 80217-3364
Phone: (303) 556-8442, FAX: (303) 556-8550
URL: http://ccm.ucdenver.edu
This page last modified Saturday, 07-Nov-2009 10:33:01 MST.
Maintained by CCM Director.