Password Policy, Procedures, and Guidance

Password Policy

Based upon DOE Notice N205.3 and guidance in DOE G 205.3-1, all BNL computer platforms capable of supporting password protection systems must have passwords that are in accord with the following.

  • Password contains at least eight non-blank characters, provided such passwords are allowed by the operating system or application.
  • Password contains a combination of letters (a mixture of upper and lowercase), numbers, and at least one special character within the first seven positions, provided such passwords are allowed by the operating system or application.
  • Password contains a non-numeric character in the first and last position.
  • Password does not contain the user ID.
  • Password does not include the user’s own or, to the best of his/her knowledge, close friends or relatives names, employee serial number, Social Security number, birth date, phone number, or any information about him/her that the user believes could be readily learned or guessed.
  • Password does not, to the best of the user’s knowledge, include common words that would be in an English dictionary, or from another language with which the user has familiarity.
  • Password does not, to the best of the user’s knowledge, employ commonly used proper names, including the name of any fictional character or place.
  • Password does not contain any simple pattern of letters or numbers, such as “qwertyxx” or “xyz123xx.”
  • Password employed by the user on his/her unclassified systems is different from the passwords employed on his/her classified systems.
  • Please note that passwords can only be changed once in a 24-hour period.

Choosing a Good Password

About Passwords
Password authentication has become part of our daily lives. Creating and using strong and secure passwords helps maintain the security of BNL’s network. Choosing a suitable password entails selecting between eight and sixteen characters that are a mix of upper and lowercase letters, numbers, and symbols. Basically, this is not a difficult task, though it will involve some careful thought. The more innovative you are, the more secure BNL’s network will be. The passwords that you create should be easy for you to remember but hard for others to guess. In choosing one, keep in mind that you should never write down your password; instead, memorize it.

Types of Passwords
Pseudo-random passwords
- Pseudo-random passwords are easy-to-remember ones based on a pass-phrase that is important to you. This phrase can be a set of words taken from a book, a song, a quotation, or anything else that you always can recall. The first example below meets all the requirements for length, and combination of letters (upper- and lower-case), symbols, and numbers.

Some examples:

  • Pass-phrase: "Four score and seven years ago, our fathers..."
  • Password: Fs&7yAoF
  • Pass-phrase: "My Son is 5 years old"
  • Password: Msi5!Yo1d
  • Pass-phrase: I have lived in California for 5 years
  • Password: IhliCf5#y

The result - Derived by choosing the first letter from each word, using a mixed case of letters, and adding a non-alphabetic character and a number.

The next example is not a good one:

  • Pass-phrase: "funny bone"
  • Password: "phnyb0ne"

The result - Derived by combining the two words funny and bone, changing "funny" to "phny" and substituting the "o" with a "0" (zero).

This password could easily be guessed, as it spells out “funny bone” phonetically. Also, the words funny and bone are related, and you will find the combination defined in dictionaries. The password contains neither upper-case letters nor symbols.

Good Practice
Maintain the security of your password:

  • Do not write down your password; remember it.
  • Practice entering in your password, so you can type it in quickly, without looking at the keyboard.

Password Do's and Don'ts

Password Do's:

  • Do select a password with mixed upper- and lower-case alphabetics.
  • Do include non-alphabetic characters in the password (punctuation marks, symbols, and numbers). Embed the numbers somewhere in the middle of the password; do not put them at the end.
  • Do memorize your password. Choose one that is easy for you to remember, so that you do not have to write it down.
  • Do choose a password that you can type quickly, preferably without looking at the keyboard. Doing this makes it harder for someone looking over your shoulder to determine your password.

Password Don'ts:

  • Don't use passwords with less than eight characters.
  • Don't use your name in any form (first, middle, or last, or the name of your family members, friends, pets, or anyone in your life).
  • Don't choose your login name, or that of other people you know.
  • Don't straightforwardly employ words that are found in any US dictionary, no matter how obscure they may be, or in any foreign-language dictionary.
  • Don't simply select names of places or locations.
  • Don't employ information about yourself (such as your phone/extension number, room number).
  • Don't use your birth date or that of anyone you know.
  • Don't choose simple patterns of letters on the keyboard, like "qwerty" or "asdfgh".
  • Don't use all the same letters.
  • Don't use passwords with anything listed above backwards.
  • Don't write down your password.
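The rules in the Password Policy list above and in these Do's and Don'ts can be checked mechanically. The checker below is an added example, not BNL's own tool; the word list is a constructed stand-in for a real dictionary, and the digit-for-letter substitution table is an assumption used to show why "phnyb0ne" still counts as a dictionary word.

```python
# Keyboard rows and the alphabet, used to spot simple patterns such as "qwertyxx" or "xyz123xx".
ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", "abcdefghijklmnopqrstuvwxyz")
# Constructed stand-in for a real dictionary/name list; a deployment would load a full one.
WORDLIST = {"funny", "bone", "password", "brookhaven"}
# Assumed common digit/symbol-for-letter substitutions, undone before the word check ("b0ne" -> "bone").
LEET = str.maketrans("0134@$!", "oleaasi")

def simple_pattern(low):
    """Return the first 3-character keyboard/alphabet run found (forwards or reversed), else None."""
    for row in ROWS:
        for i in range(len(row) - 2):
            seq = row[i:i + 3]
            if seq in low or seq[::-1] in low:
                return seq
    return None

def check_password(password, user_id=""):
    """Return the list of violated rules; an empty list means the password passes."""
    p, low, problems = password, password.lower(), []
    if len(p) < 8 or any(c.isspace() for c in p):
        problems.append("at least eight non-blank characters")
    if not (any(c.isupper() for c in p) and any(c.islower() for c in p)):
        problems.append("a mixture of upper- and lower-case letters")
    if not any(c.isdigit() for c in p):
        problems.append("at least one number")
    if not any(not c.isalnum() for c in p[:7]):
        problems.append("a special character within the first seven positions")
    if p and (p[0].isdigit() or p[-1].isdigit()):
        problems.append("a non-numeric character in the first and last position")
    uid = user_id.lower()
    if uid and (uid in low or uid[::-1] in low):
        problems.append("must not contain the user ID, forwards or backwards")
    if p and len(set(low)) == 1:
        problems.append("must not be all the same character")
    seq = simple_pattern(low)
    if seq:
        problems.append(f"simple pattern '{seq}'")
    plain = low.translate(LEET)
    hit = next((w for w in WORDLIST if w in plain or w[::-1] in plain), None)
    if hit:
        problems.append(f"dictionary word '{hit}' (after undoing digit substitutions)")
    return problems

if __name__ == "__main__":
    for pw in ("Fs&7yAoF", "Msi5!Yo1d", "phnyb0ne", "qwertyxx"):
        print(pw, "->", check_password(pw, user_id="jdoe") or "OK")
```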

Password Protection

Individuals must not:

  • Share passwords; the only exceptions being an overriding operational necessity or in emergency circumstances.
  • Leave clear-text passwords in a location accessible to others or secured in a location whose protection is less than that required for protecting the information that can be accessed using the password;
  • Enable applications to retain unencrypted passwords for subsequent re-use unless there is an overriding operational necessity.

Password Changing

Passwords must be changed at 6-month intervals. Passwords must also be changed:

  • Immediately after sharing;
  • As soon as possible, but within 1 business day after a password has been compromised, or after one suspects that a password has been compromised;
  • On direction from system administrators.

Password Change Process

Password Change Process for Windows NT/2000/XP Operating Systems

  1. You must be logged on to the network in order to change your network and screen saver passwords. Press the CONTROL/ALT/DELETE keys at the same time. A dialog box will open.
  2. Press the CHANGE PASSWORD button.
  3. Enter your old password, followed by your new password, and re-enter your new password. Then press OK.
  4. If you entered your current password and a new password correctly, you will see a box that shows that your password was changed successfully. Press OK.

    Note: Windows NT systems automatically synchronize your Screen Saver Password with your Networking Password.

Password Change Process for Unix Operating Systems

  1. On your UNIX host, at the shell prompt, type passwd and you will be prompted to change your password.

Users not logged into the BNL Domain

In order to access your exchange account you must use your new BNL password. To create your new password you must follow the steps below:

  1. Users who are in the BNL domain and have an Exchange Account should go to http://www.bnl.gov/webmail/

    The screen that will appear will say:

    "Internet Service Manager
    Your password has expired.
    You can change it now"

    • In the Account box, enter bnl\username
    • In the Old password box, enter your original password
    • In the New password box, enter a new password
    • In the Confirm new password box, enter the new password again
    • Click the OK button
    • The screen that will appear will say "password successfully changed."

  2. If your BNL Password has already expired, then you will have to call the ITD Helpdesk (631.344.5522) to reset your expiration setting to allow you to access this web page.

Password Policy for BlackBerry and Windows-based Hand-held Wireless Devices

The following is a set of rules (also known as a "server policy") which is remotely pushed to hand-held devices when they sync up with the BNL servers which supply them with data. Direct questions to Mike Stangel, Ext. 7256.

  1. Minimum password length is 4 characters;
  2. The device password feature cannot be disabled;
  3. Maximum time before the device locks due to inactivity is 15 minutes;
  4. The password must be changed by the user every 180 days;*
  5. After 5 incorrect password attempts, data on the device will be erased. To restore data, the device will need to be brought to ITD;
  6. The last 15 passwords are remembered to prevent the use of old passwords.*

* This is automatically enforced via server policies on BlackBerry devices only.

Last Modified: September 10, 2008