This document outlines the complexity requirements and proper management practices of passwords for all technology systems at the Wayzata Public Schools.
It is expected that all members of the Wayzata Public Schools community abide by these standards.
- Minimum password length: 16
- Password expiration: 365 Days from reset date
- Password history: 5 - when you change your password, you can't reuse any of your previous 5 passwords.
- No spaces
- Easy-to-remember passphrase, e.g. Iwishiwasavikingfan16!
- Not easy for a human to guess, e.g. not 000000000000000 or Password12345678
- Account lockout threshold: 5 failed attempts
- Account lockout duration: 30 minutes
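The rules above as a policy check in code. This is an added example, not a tool used by Wayzata Public Schools: the length, no-space and history-of-5 rules come straight from the list, while the "easy to guess" patterns generalise the two examples given (repeated characters, the word "password" plus digits) and are an assumption, as is storing the history as SHA-256 digests.

```python
import hashlib
import re

MIN_LENGTH = 16      # policy: minimum password length
HISTORY_DEPTH = 5    # policy: the previous 5 passwords cannot be reused

# Assumed generalisation of the policy's "easy for a human to guess" examples
# (000000000000000 and Password12345678).
WEAK_PATTERNS = [
    re.compile(r"^(.)\1+$"),                      # one character repeated
    re.compile(r"^password\d*[!.]?$", re.I),      # 'password' followed by digits
    re.compile(r"^(0123456789|1234567890)"),      # leading keyboard-order run
]


def digest(password: str) -> str:
    """Digest used to keep the password history without storing plaintext.
    Assumption for this example; a real store would use a salted, slow hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate: str, history: list[str]) -> list[str]:
    """Return the policy rules the candidate violates (empty list = acceptable).
    `history` holds digests of earlier passwords, oldest first."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if " " in candidate:
        problems.append("contains a space")
    if any(p.search(candidate) for p in WEAK_PATTERNS):
        problems.append("easy to guess")
    if digest(candidate) in history[-HISTORY_DEPTH:]:
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


def remember(history: list[str], password: str) -> list[str]:
    """Record an accepted password's digest so the history rule can be enforced."""
    return history + [digest(password)]


if __name__ == "__main__":
    # Constructed walk-through using the policy's own example values.
    hist = remember([], "IWishIwasaVikingFan16!")
    for pw in ["IWishIwasaVikingFan16!", "Password12345678", "000000000000000"]:
        print(pw, "->", check_password(pw, hist) or "OK")
```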
Breach of a password
- A password is classified as Restricted, so a password breach is subject to the WPS-IT Information Security Breach Response Procedure
- If a password breach is discovered, a Security Incident Report Form needs to be completed.
Note: When a compromised account is discovered, the user's password will be changed and access to all systems will be blocked until the user calls the tech office and receives a temporary password.
Best Practices for users
Choosing good passwords
A good password has the following properties:
- It's long enough to resist automated guessing (the longer, the better - min 16).
- It's easy to remember.
- No spaces!
In order to satisfy these requirements, it helps to think of passwords as passphrases instead. For example, if you like the Vikings, but people generally don't know you to be a fan, a good passphrase might be: IWishIwasaVikingFan16!
NOTE: While the use of dictionary words in a password is discouraged, dictionary words in a passphrase longer than 14 characters that meets the complexity requirements are acceptable.
Microsoft provides some good suggestions on how to create strong passwords.
Unless the account is a generic, shared account, a password should never be shared. Shared/generic accounts should be used only when absolutely necessary to meet a business or educational need; there are usually ways to meet such a need without an account whose password is shared.
Users with access/responsibility for other accounts, such as generic or privileged accounts, must use a unique password for each account.
A password should never be revealed to anyone, by any means.
Managing/remembering multiple passwords
Writing down your password is OK, as long as you make sure that:
- You don't write down anything that ties the password to the user ID or the purpose of the account.
- You keep the password secure (e.g., in your wallet or under lock and key).
- You make an effort to remember the password so that you can destroy the paper copy.
Some people store passwords in a file on their computer. If you do this, you must ensure the file is encrypted, and that the encryption key is well protected.
Browser caching of passwords
All modern web browsers offer to remember passwords for access-controlled websites. Since there are known methods of extracting passwords from the browser's saved-password store, it is strongly recommended that this feature be disabled, especially on mobile devices.