Reduce information security risk
Clear-text (unencrypted, reusable) passwords will no longer be allowed for access to Laboratory e-mail after September 30. Laboratory employees need to change their e-mail preferences to eliminate the use of clear-text passwords.
Clear-text passwords may cross the network "in the clear" and create a security vulnerability, according to Dave Belangia, Information Systems and Technology (IST) Division leader.
The primary risk in using clear-text passwords is that someone might obtain the password to use without authorization and affect the availability, integrity, and confidentiality of the Laboratory's data, applications, and/or networks, said Belangia.
Employees can click here and follow instructions to change e-mail preferences.
In order to reduce confusion and the number of passwords to remember, many employees use the same clear-text password to access multiple applications or even computers. But Laboratory Policy P218: Cyber Security Access Controls, Attachment A, requires that employees use a different password for each application on the same network and that passwords be changed at least every six months.
It's important to have a proper password that conforms to Lab policy, said Belangia. Passwords must contain at least eight characters and at least three of the following four elements: English upper-case letters (A, B, C), English lower-case letters (a, b, c), Arabic numerals (1, 2, 3), and non-alphanumeric characters (!, <, #, $).
Instead of establishing a remote session, access e-mail and the internal Laboratory Web through Web applications (Webmail: http://webmail.lanl.gov/ and https://weblogin.lanl.gov/). After a remote Webmail session, log off e-mail, clear the browser's cache, delete cookies, and close the browser.
To optimize the Laboratory's network security, one-time pass codes generated by Laboratory CRYPTOcards should be used wherever possible or practical.