In the beginning "passwords" worked, but in our world today passwords no longer secure enough to protect your accounts. Passphrases are passcodes offer better protection. In this document we are recommending the use of Passphrases. Passphrases are crucial for the security of both your personal accounts and the infrastructure of Clarks Summit University since they combine lengthy pharses with unique memorable words that only you could create.

In the wrong hands, your account can be used to obtain personal student information (such as Social Security Numbers, home addresses, and financial information) and private college information (bank account numbers, financial reports, and employee records), so using a strong passphrase is your best line of defense. No one wants to be the victim of identity or intellectual property theft. So as a precaution, our passphrase policy is to be reviewed regularly to be sure it follows current security standards.

To minimize risks and provide damage control, the IT Department has instituted systems to protect all non-public information. There is, however, no substitute for a strong passphrase or passcode. To ensure that your passphrase or code contain some level of security, all of them must comply with this written policy.

The US National Institute of Standards and Technology (NIST) has provided guidelines for passphrase security. They recommend using "passphrases" (e.g. "The Fox on the Hill Runs Faster than 6 Limas in Peru") because they are long, more memorable than "passcodes" (e.g. "P@s11.u*44fh"), and more secure than "passwords" (e.g. "Monkey123"). One of the takeaways from NIST and other security experts is that short passwords are easily cracked on today's computers. For example an 8 character password can be cracked by a "dictionary attack" in 5 hours, while a 12 character password could take 2 centuries. Expect these time frames to go down as computer speeds increase. With the added complexity of using a large set of characters (numbers, lowercase, uppercase, and symbols) the probability of your passphrase being hacked in your lifetime decreases.

As you design a passcode or passphrase please be sure to not include any words someone can guess about you or that they could find on your Facebook site or other web presenses, since most successful security breaches are user targeted ones. To do this hackers learn what they can about you from your web presence (facebook, twitter, homepages, linkedin, etc...) and if possible, conversations with you. I recommend you create a fun inspiring phrase that only you can imagine in your mind - something that can make you smile every time you log in.

If you want help creating and storing your passphrases, numerous companies have specialized in protecting this kind of data via encryption. BitWarden.com, 1Password.com and keepass.inf are just a few examples. All of these are more secure than storing your passphrases in Excel, the Notes app, under the keyboard, or only in your memory.

The lessons learned here are:

1. Passphrases are recommended because they are memorable only to you
2. Longer passphrases are more secure
3. Complex passphrases add additional security
4. Hackers will attempt to use what they can discover about you to hack your accounts
5. Each login MUST have a unique passphrase to that site
6. The use of a password manager aids in having different passwords for all sites, services, and devices we use

For additional information view these sites:

• Estimated Password Cracking Times

• Microsoft Password Strength Testing or GRC's Password Strength Experiments - DO NOT ENTER your actual passwords here. Use this to test types of passwords.

• Extremely complex password generator

Requirements

In the policy below, the term "passphrase" is used since it what we are recommending be used. But you may substitute a "passcode" if you please.

Length

• Minimum: 16 characters - please be advised we recommend a LONG passphrase. The longer the better. This is only the minimum, which will go up in time.
• Maximum: 255 characters

Complexity

• 3 of the 4 character types:
  • Uppercase letters
  • Lowercase letters
  • Numbers
  • Symbols
• No more than 2 consecutive letters from your username or your name.

Repetition

• Your passphrase cannot match any of the previous 24 passphrases
• Do not use repeated characters (e.g. AAA, 123, ABC) or keyboard patterns (e.g qwerty, qazxswedc, 1q2w3e4, etc...)

• Do not include words, dates, phrases, or abbreviations related to your username, your name or those of your family, CSU, or books. These are all guessable by today's hackers.

• NEVER use the same passphrase twice. Each passphrase needs to be unique for each place you need a passphrase. Please use an app or service to manage your unique logins.

Duration

• New passphrases cannot be changed for 24 hours

Passphrase reset

We realize that you will likely forget some of your passphrases. The IT Department can assist you when this occurs.

Passphrases will not be reset by email or phone until the IT Department has verified your identity by using a predetermined method. If this cannot be accomplished, you must visit the IT Helpdesk with a valid form of photo ID. This is the preferred method for resetting a passphrase.

Privacy

• Your passphrase is confidential and must not be shared.
• Your passphrase may never be posted in any place that is visible to others, including an unlocked desk drawer, or sent via email.
• The IT Department will never ask for your passphrase, and may, at their discretion and with prior notice, require your passphrase to be reset if it becomes known by any method.