Standards Group:
YALE-MSS-9: Authentication and Authorization
YALE-MSS-9.3: Utilize secure passwords for authentication
Details
This standard applies to all user accounts, administrative accounts, service accounts, and API keys. Please see YALE-MSS-9.1 for definitions of the account types.
Passwords remain a first line of defense for many systems. A password that is long enough and made of effectively random characters makes guessing attacks impractical, whether online guessing against the login or offline cracking of a stolen password hash.
All passwords need to be at least 12 characters long and must not consist of easily guessed strings such as words found in a dictionary (a dictionary word padded with a few digits or symbols is still easily guessed). Passwords should be changed whenever compromise of the account is suspected. For service accounts whose password is known to a team, the password should also be changed when someone leaves the team, since the departed member otherwise retains a working credential.
If a mobile device only supports a short password (fewer than 12 characters) or a PIN, that password or PIN is required to be at least four characters long and should not be a repetitive or sequential pattern (e.g., "1111", "aaaa", or "1234"; a reversed sequence such as "4321" is just as guessable).
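The following Python checker is an added illustration, not part of the standard or any Yale tooling. It implements the rules above as code: the 12-character minimum for passwords, rejection of values built from a dictionary word, and, for short mobile PINs/passcodes, the four-character minimum and detection of repetitive or sequential patterns. The tiny blocklist is constructed for the example; a real deployment would load a full dictionary or breached-password list (that list, and the function names, are assumptions of the example).

```python
import re

# Constructed blocklist for the example only. A real deployment would load a
# full dictionary and a breached-password list (assumption, not from the standard).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "football"}

MIN_PASSWORD_LEN = 12   # full passwords (YALE-MSS-9.3)
MIN_PIN_LEN = 4         # short mobile passcodes / PINs


def has_repetitive_pattern(value: str) -> bool:
    """True if the value is a shorter unit repeated, e.g. '1111', 'aaaa', '1212'.

    If value is made of a repeated unit, it reappears inside value+value at an
    offset smaller than its own length.
    """
    if len(value) < 2:
        return False
    return (value + value).find(value, 1) < len(value)


def has_sequential_pattern(value: str) -> bool:
    """True if every character steps by exactly +1 or -1, e.g. '1234', 'abcd', '4321'."""
    if len(value) < 2:
        return False
    codes = [ord(c) for c in value]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return steps == {1} or steps == {-1}


def check_pin(pin: str) -> list:
    """Return the rule violations for a mobile PIN/short passcode (empty list = acceptable)."""
    problems = []
    if len(pin) < MIN_PIN_LEN:
        problems.append(f"shorter than {MIN_PIN_LEN} characters")
    if has_repetitive_pattern(pin):
        problems.append("repetitive pattern")
    if has_sequential_pattern(pin):
        problems.append("sequential pattern")
    return problems


def check_password(password: str) -> list:
    """Return the rule violations for a full password (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_PASSWORD_LEN:
        problems.append(f"shorter than {MIN_PASSWORD_LEN} characters")
    # Strip digits/symbols and case so 'Password2024!' is recognised as the
    # dictionary word 'password' with trivial padding.
    letter_core = re.sub(r"[^a-z]", "", password.lower())
    if letter_core in COMMON_WORDS:
        problems.append("dictionary word")
    # A 12-character value can still be trivially guessable ('aaaaaaaaaaaa').
    if has_repetitive_pattern(password):
        problems.append("repetitive pattern")
    if has_sequential_pattern(password):
        problems.append("sequential pattern")
    return problems


if __name__ == "__main__":
    for candidate in ["Password2024!", "Tr0ub4dor&3", "correct-horse-battery-staple"]:
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
    for pin in ["1234", "1111", "4321", "2580"]:
        print(f"PIN {pin!r}: {check_pin(pin) or 'ok'}")
```

The checker reports every violated rule rather than stopping at the first, which is what a user-facing password form or an account-provisioning script needs in order to explain a rejection. The sequence test compares character codes, so it catches alphabetic runs ("abcd") and descending runs as well as the "1234" example in the standard.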
API keys grant access to applications and their data, enabling both service accounts and human users to interact with systems programmatically. Because an API key serves as both identifier and secret, anyone who obtains the key can act as the account it belongs to, so keys must be stored and used with care:
- Storage: API keys must be accessible only to those with a business need. A secrets manager service is one effective means of handling this; keys must not be embedded in source code, committed to version control, or shared in documents or chat.
- Rotation: API keys must be renewed at least every 90 days, and immediately if a key is suspected to have been exposed.
Controls
- YALE-MSS-9.3.1: Change all account usernames and passwords from defaults
- YALE-MSS-9.3.2: Align password security with (or exceed) the current requirements for Net ID credentials
- YALE-MSS-9.3.3: Lock mobile devices with a password, passcode or pin
- YALE-MSS-9.3.4: Prohibit password, passcode, or pin reuse for a specified number of generations
- YALE-MSS-9.3.5: Do not reuse passwords