[Faccus] New Password Standards

Lisa Tomalty ltomalty at uwaterloo.ca
Wed Sep 29 14:36:27 EDT 2010

From: ist-staff-bounces at lists.uwaterloo.ca [mailto:ist-staff-bounces at lists.uwaterloo.ca] On Behalf Of Jason Testart
Sent: September 28, 2010 9:42 AM
To: ist-staff at lists.uwaterloo.ca; costaff at healthy.uwaterloo.ca; esag at engmail.uwaterloo.ca; scicomp at sciborg.uwaterloo.ca; uwweb-creators at lists.uwaterloo.ca; engcomp at engmail.uwaterloo.ca; admin-support at lists.uwaterloo.ca; LibrarySystems at library.uwaterloo.ca; mad-uw at lists.uwaterloo.ca; aco-update at watarts.uwaterloo.ca; cf-staff at math.uwaterloo.ca; ecercsg at ece.uwaterloo.ca; ece-comp at lists.uwaterloo.ca; Security Working Group
Cc: ucist at lists.uwaterloo.ca; ctsc at lists.uwaterloo.ca
Subject: New Password Standards

My apologies if you receive this message more than once.  I want to make sure this reaches all IT support staff on campus.

A recent security assessment performed as part of the internal audit plan, overseen by the Board of Governors Audit Committee, noted a lack of standards for passwords and password management across campus.  In response to this observation, a password standards document has been developed and endorsed by the university Computing Technology & Services Committee (CTSC):


You will note that in addition to length and complexity requirements, there are new password aging and history requirements.  Implementing the changes will be done in phases, because of the dependencies on WatIAM (which is soon to be upgraded) and the consolidation of ADS and NEXUS.

The implementation plan is as follows:

  1.  Make the password length and complexity requirements of all campus Active Directories match the new standard. (Timing: this week)
  2.  Enable new functionality for password change in WatIAM to change the password in both ADS and NEXUS. (Timing: October 5, 2010)
  3.  Announce new password rules to the campus community (through various channels), informing them that password expiry (of one year) will be enforced before the end of 2010 and that they should change their passwords soon. (Timing: October 13, 2010)
  4.  Once WatIAM upgrade is complete, and users from both ADS and NEXUS are merged, enforce password aging and password history. (Timing: unknown; depends on timing of ADS/NEXUS consolidation project)

Please forward any questions and/or concerns to your CTSC representative (http://ist.uwaterloo.ca/as/ctsc/).  If you are unsure who that is, you are welcome to forward questions/concerns to me.




Jason A. Testart, BMath               | Voice: +1-519-888-4567 x38393
Manager, IT Security                  | Fax: +1-519-884-4398
Information Systems and Technology    | http://ist.uwaterloo.ca/security
University of Waterloo, Waterloo, Ontario  N2L 3G1 CANADA