
Information Technology Handbook

5.12 Password Security

Version date May 16, 2014

5.12.1 User Access Controls

USG institutions, the USO, the GPLS, and the Georgia Archives must establish policies and procedures that ensure necessary user access controls are in place for controlling the actions, functions, applications, and operations of legitimate users. The aim is to protect the confidentiality, integrity, and availability of all USG information resources.

The guiding principles in developing these standards and procedures are:

  1. Users will have access to the resources needed to accomplish their duties.
  2. User access applies the principles of least privilege and resource categorization as necessary tools to achieve the desired purpose.
  3. User access controls will balance security and USG mission needs.

All users, whether internal, external, or temporary, and their activity on all IT systems should be uniquely identifiable. User identification should be enabled through appropriate authentication mechanisms. User access rights to all systems and data must be in line with defined and documented business needs, and job requirements must be attached to user identification. User access rights should be requested by user management, approved by system owners, and implemented by the appropriate local security administrator. User identification and access rights should be maintained in a central repository. Each USG participant organization should deploy cost-effective technical and procedural measures to establish user identification, implement authentication, and enforce access rights. These measures should be reviewed periodically and kept current.


5.12.2 USG Password Authentication Standard

5.12.2.1 Purpose

Passwords are an important aspect of information and information technology security. They are often the only means for authenticating users and the front line of protection for user accounts. Failure to use a strong password or using a poorly chosen password when accessing USG information assets may result in the compromise of those assets. It is the responsibility of every USG participant organization to implement authentication mechanisms such as passwords to access sensitive data, and the responsibility of the user to appropriately select and protect their passwords.

5.12.2.2 Scope

This security standard applies to all USG institutions, the USO, the GPLS, and the Georgia Archives. This standard also applies to all users (employees, contractors, vendors, and other parties) of USG and state information technology systems or data, who are expected to understand and abide by the standard.

5.12.2.3 Standard

Passwords shall be the minimum acceptable mechanism for authenticating users and controlling access to the USG and its participant organizations’ information systems, services and applications unless specifically designated as a public access resource.

All users (students, employees, contractors, and vendors) with access to USG information and information systems shall take the appropriate steps to select and secure their passwords.

5.12.2.4 Enforcement

Individual USG participant organizations are responsible for developing internal procedures to facilitate compliance with these USG security policies and standards. The standards are designed to comply with applicable laws and regulations. However, if there is a conflict, applicable laws and regulations will take precedence.

USG participant organizations may establish more stringent policies, standards and procedures consistent with this USG standard.

Violations of this standard could result in serious security incidents involving sensitive state, federal, or privacy data. Violators may be subject to disciplinary actions including termination and/or criminal prosecution.

The standards will guide periodic security reviews, as well as audits by USG Internal Audit & Compliance and the state Department of Audits and Accounts (DOAA).

5.12.2.5 Authority

5.12.2.6 Related Enterprise Policies, Standards, Guidelines


5.12.3 USG Password Security and Composition Standard

5.12.3.1 Purpose

This section establishes a standard for protecting passwords and the frequency of change for such passwords to mitigate compromise of sensitive information.

5.12.3.2 Scope

This security standard applies to all USG institutions, the USO, the GPLS, and the Georgia Archives. This standard also applies to all USG users, including employees, contractors, vendors, and other parties.

5.12.3.3 Standard

  1. All passwords shall be treated as sensitive, confidential information and shall not be shared with anyone including, but not limited to, administrative assistants, system administrators and helpdesk personnel.
  2. Passwords shall not be stored in clear text.
  3. Users shall not write passwords down or store them anywhere in their office or publicly. They shall not store passwords in a file on any computer system, including smart devices, without encryption.
  4. All system-level administrative passwords shall be changed every ninety (90) days. All user-level passwords shall be changed every one hundred and eighty (180) days.
  5. User accounts that have system-level privileges granted through group memberships or programs shall have a unique password from other accounts held by that user.
  6. Passwords shall not be inserted into email messages or other forms of electronic communication unless encrypted.
  7. If an account or password is suspected of being compromised, the incident must be reported to the appropriate authorities in accordance with local incident response procedures.
  8. Temporary or “first use” passwords (e.g., new accounts or guests) must be changed the first time the authorized user accesses the system, and have a limited life of inactivity before being disabled.
  9. Access to all USG information systems and applications used to process, store, or transfer data with a security categorization of MODERATE or higher, as defined in Section 5.6.3 of this Handbook, shall require the use of strong passwords or other strong authentication mechanisms. Strong passwords shall be constructed with the following characteristics:
    • Be at least ten characters in length
    • Must contain characters from at least two of the following four types of characters:
      • English upper case (A-Z)
      • English lower case (a-z)
      • Numbers (0-9)
      • Non-alphanumeric special characters ($, !, %, ^, …)
    • Must not contain the user’s name or part of the user’s name
    • Must not contain easily accessible or guessable personal information about the user or user’s family, such as birthdays, children’s names, addresses, etc.
    • Note 1: A six-character password is acceptable if “account lockout” is enabled and set to lock or disable the account after five unsuccessful or failed login attempts. Six-character passwords must adhere to all of the characteristics noted above.
    • Note 2: Participant organizations may mix different characteristics regarding length and mandatory characters to obtain the same password strength. For example, a password of 11 characters containing two upper case letters, two lower case letters, two numbers, and no special characters would be permissible.
  10. Password history must be enabled and configured to disallow reuse of the same password for a set number of change cycles greater than four (4). Users and administrators must not be allowed to use the same password that has been used in the past four (4) changes. Users and administrators who have changed their user password or system password must not be allowed to change passwords again immediately. This prevents users and administrators from changing their passwords several times in succession to get back to their old passwords.
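The composition rules in item 9 (length, two of four character classes, no user name or personal information, the six-character allowance of Note 1 when lockout is enabled) and the history and minimum-age rules in item 10 are concrete enough to be enforced mechanically. The following Python is an added example written for this handbook page; it is not USG code or part of any USG system. Names such as `MIN_AGE_SECONDS` (24 hours), the treatment of any name token of three or more characters as "part of the user's name", and the PBKDF2 parameters are assumptions chosen for the example; the sample users and passwords are constructed.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import List, Sequence

# Tunables derived from 5.12.3.3 items 9 and 10 (names are this example's own).
MIN_LENGTH = 10                 # "at least ten characters"
MIN_LENGTH_WITH_LOCKOUT = 6     # Note 1: six chars acceptable with five-attempt lockout
MIN_CHARACTER_CLASSES = 2       # "at least two of the following four types"
HISTORY_DEPTH = 4               # "used in the past four (4) changes"
MIN_AGE_SECONDS = 24 * 60 * 60  # assumed minimum age before another change is allowed
NAME_TOKEN_MIN = 3              # assumed: name fragments shorter than this are ignored


@dataclass
class PasswordRecord:
    """One entry in the password history: salted hash only, never clear text (item 2)."""
    salt: bytes
    digest: bytes
    changed_at: float  # epoch seconds of the change


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-record salt; iteration count is an assumption.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_record(password: str, changed_at: float) -> PasswordRecord:
    salt = os.urandom(16)
    return PasswordRecord(salt=salt, digest=_hash(password, salt), changed_at=changed_at)


def character_classes(password: str) -> int:
    """Count how many of the four character types from item 9 are present."""
    patterns = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def contains_name(password: str, username: str, full_name: str) -> bool:
    """True if the password contains the user name or any part of the user's name."""
    pw = password.lower()
    tokens = {username.lower()}
    tokens.update(t for t in re.split(r"[\s.\-_]+", full_name.lower()) if len(t) >= NAME_TOKEN_MIN)
    return any(tok and tok in pw for tok in tokens)


def contains_personal_info(password: str, personal_terms: Sequence[str]) -> bool:
    """True if the password contains a known personal term (birthday, pet, child, address...)."""
    pw = password.lower()
    return any(term.lower() in pw for term in personal_terms if len(term) >= NAME_TOKEN_MIN)


def check_composition(password: str, username: str, full_name: str,
                      personal_terms: Sequence[str] = (), lockout_enabled: bool = False) -> List[str]:
    """Return a list of findings against item 9; an empty list means the password complies."""
    findings = []
    min_len = MIN_LENGTH_WITH_LOCKOUT if lockout_enabled else MIN_LENGTH
    if len(password) < min_len:
        findings.append(f"shorter than {min_len} characters")
    if character_classes(password) < MIN_CHARACTER_CLASSES:
        findings.append(f"uses fewer than {MIN_CHARACTER_CLASSES} character types")
    if contains_name(password, username, full_name):
        findings.append("contains the user's name")
    if contains_personal_info(password, personal_terms):
        findings.append("contains easily guessable personal information")
    return findings


def reused_within_history(password: str, history: Sequence[PasswordRecord]) -> bool:
    """Compare the candidate against the most recent HISTORY_DEPTH records (item 10)."""
    return any(hmac.compare_digest(_hash(password, rec.salt), rec.digest)
               for rec in history[-HISTORY_DEPTH:])


def evaluate_change(candidate: str, username: str, full_name: str,
                    history: Sequence[PasswordRecord], now: float,
                    personal_terms: Sequence[str] = (), lockout_enabled: bool = False) -> List[str]:
    """Full item 9 + item 10 check for a proposed password change."""
    findings = check_composition(candidate, username, full_name, personal_terms, lockout_enabled)
    if reused_within_history(candidate, history):
        findings.append(f"reuses a password from the last {HISTORY_DEPTH} changes")
    if history and now - history[-1].changed_at < MIN_AGE_SECONDS:
        findings.append("changed too soon after the previous change")
    return findings


if __name__ == "__main__":
    # Constructed sample: user jdoe / Jane Doe, previous password set at t0, dog named Fido.
    t0 = 1_400_000_000.0
    hist = [make_record("OldWinter2013!", t0)]
    for pw in ("Tr0ub4dor&Key", "janedoe2014", "Fido2014rocks", "OldWinter2013!"):
        print(pw, "->", evaluate_change(pw, "jdoe", "Jane Doe", hist, t0 + 2 * 86400, ("Fido",)) or "OK")
```

The history records store only a salted PBKDF2 digest, so the reuse check works without keeping any clear-text password (item 2), and the minimum-age check is what actually stops the "change it five times to get back to the old one" sequence that item 10 warns about; a history depth alone does not.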

5.12.3.4 Enforcement

Individual USG participant organizations are responsible for developing internal procedures to facilitate compliance with these USG security policies and standards. The standards are designed to comply with applicable laws and regulations; however, if there is a conflict, applicable laws and regulations will take precedence.

USG participant organizations may establish more stringent policies, standards and procedures consistent with this USG standard.

Violations of this standard could result in serious security incidents involving sensitive state, federal, or privacy data. Violators may be subject to disciplinary actions including termination and/or criminal prosecution.

The standards will guide periodic security reviews, as well as audits by USG Internal Audit & Compliance and the state Department of Audits and Accounts (DOAA).

5.12.3.5 Authority

5.12.3.6 Related Enterprise Policies, Standards, and Guidelines

