Password Policy and advice
Policy on passwords and advice on how to create, protect and use passwords in a safe and effective manner.
WIN Centre IT Password/Passphrase Policy
When choosing passwords/passphrases for WIN Centre IT services that do not utilise the University of Oxford Single-Sign On system (SSO), BMRC or MSD-IT accounts, the following policy should be adhered to.
Passphrases must consist of:
- A minimum of 16 characters
- Characters from at least three of the four classes: lower case letters, upper case letters, digits and punctuation
Passphrases must not be written down in any recognisable form and must never be linked to the associated WIN Centre username. This includes recording the passphrase in electronic form without strong encryption (e.g. plain text files or databases, or trivial ciphers such as ROT-13).
Passphrases must NEVER be shared with anyone else - computer accounts are for single person use only.
Exceptions to the sharing rule are:
- Storage of system passwords by the WIN Centre Support Teams, where authorised members of the appropriate Team(s) may share such passphrases as required to provide the service. Where possible, mechanisms should be implemented to avoid the use of shared system passwords (e.g. a separate administrative account for each team member).
- Dedicated equipment lacking the support for multiple operator accounts. Steps must be taken to ensure that only authorised users have access to these passwords, and where possible these devices should not be attached to general purpose networks.
Passphrases may be stored in an encrypted database whose encryption passphrase is known only to you. The encrypted database MUST automatically lock when idle for more than 10 minutes. This would typically be provided by a password manager application (see below).
Where the use of SSH public/private key authentication is authorised, the private key of an individual's device MUST be encrypted with a passphrase. The use of a key 'agent' to provide the encrypted key on demand is acceptable AS LONG AS the passphrase is required to initialise the agent (e.g. do not use the macOS keychain). The passphrase used MUST comply with this passphrase policy.
Where SSH public/private key authentication is used for system processes, where possible the private keys should be encrypted. If automated processes need access to these keys without human interaction then the passphrase should be obtained by an appropriate audited key service as provided or approved by the WIN IT Team. Where this is not possible a security audit of the requirements of the service must be carried out and reviewed on a regular basis.
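A practical way to check the "private key MUST be encrypted" rule is to inspect the key file itself rather than trust its name or location. The following Python is an added example, not WIN IT tooling: it reads the cipher and KDF names from the header of an OpenSSH-format private key (the `openssh-key-v1` container written by current `ssh-keygen`) and recognises the older PEM containers by their headers. The two sample keys are constructed, header-only blobs so the check runs offline; they contain no key material.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"   # container magic written by ssh-keygen


def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off:off + n], off + n


def openssh_cipher_and_kdf(pem_text):
    """Return (ciphername, kdfname) from an 'openssh-key-v1' private key.
    An unencrypted key stores 'none' for both fields."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if lines[0] != "-----BEGIN OPENSSH PRIVATE KEY-----" or \
            lines[-1] != "-----END OPENSSH PRIVATE KEY-----":
        raise ValueError("not an openssh-key-v1 container")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic")
    off = len(MAGIC)
    cipher, off = _read_string(blob, off)   # e.g. b"aes256-ctr" or b"none"
    kdf, off = _read_string(blob, off)      # e.g. b"bcrypt" or b"none"
    return cipher.decode(), kdf.decode()


def is_encrypted(pem_text):
    """True if the private key file is passphrase-protected."""
    first = pem_text.strip().splitlines()[0].strip()
    if first == "-----BEGIN OPENSSH PRIVATE KEY-----":
        cipher, kdf = openssh_cipher_and_kdf(pem_text)
        return cipher != "none" and kdf != "none"
    if first == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True                      # PKCS#8: encrypted by definition
    if first in ("-----BEGIN RSA PRIVATE KEY-----",
                 "-----BEGIN EC PRIVATE KEY-----",
                 "-----BEGIN DSA PRIVATE KEY-----"):
        # legacy PEM: encryption is signalled by Proc-Type/DEK-Info headers
        return "Proc-Type: 4,ENCRYPTED" in pem_text
    raise ValueError("unrecognised private key format: %s" % first)


# --- constructed samples (header fields only, no key material) ---

def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _sample(cipher, kdf):
    blob = MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"") \
        + struct.pack(">I", 1)           # empty kdfoptions, then key count
    body = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n"
            "-----END OPENSSH PRIVATE KEY-----\n" % body)


UNENCRYPTED_SAMPLE = _sample(b"none", b"none")
ENCRYPTED_SAMPLE = _sample(b"aes256-ctr", b"bcrypt")

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path) as f:
            print(path, "encrypted" if is_encrypted(f.read()) else "UNENCRYPTED")
```

Run it as `python3 keycheck.py ~/.ssh/id_*` (excluding `.pub` files). An unencrypted key reports `none`/`none`; `ssh-keygen -p -f <key>` adds a passphrase in place, and `ssh-keygen -y -P '' -f <key>` is a quick cross-check, since it fails on an encrypted key. For the agent rule above, `ssh-add -t 8h <key>` loads the key for a bounded lifetime and prompts for the passphrase each time it is loaded.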
Where a service supports multi-factor authentication, it should be enabled. SMS/telephone factors should be avoided; the use of OTP applications, e.g. Microsoft Authenticator is recommended.
At first glance, the requirement for a 16-character passphrase drawn from three character classes seems onerous and likely to lead to the passphrase being written down, but this need not be the case. There are three approaches to simplifying passphrase memorisation:
1) Use a phrase - take three, four or five unrelated, randomly selected words and string them together with some form of punctuation, e.g.
Random Celeriac Dominion
Some services do not allow spaces; try other punctuation. If the service insists on numbers being included, DON'T use significant dates: add some random digits at the start, end or somewhere in the middle, or replace a letter with a similar-looking digit, e.g. o > 0, l > 1, e > 3.
2) Where services offer multi-factor authentication, enable it - if given the choice, choose ‘Authenticator app’ rather than SMS (which is less secure). Password managers (see next point) can generate the login tokens, so you don’t necessarily need extra software.
3) Use a password manager. With a password manager each passphrase can be completely random and you don't need to remember it; just make sure your master passphrase IS strong - it is the only one you need to remember. When choosing an app/service make sure that it promises zero knowledge, i.e. the service provider (if there is a cloud component) cannot read your data under any circumstances - all decryption should take place on your device.
https://1password.com (Windows, macOS, iOS, Android and via Chrome/Firefox in Linux) is a subscription service approved by University InfoSec for the storage of passwords. Free alternatives include https://keepassxc.org (Windows, macOS and Linux) and https://bitwarden.com (all platforms).
Also make sure you backup your password database (e.g. by placing it in OneDrive if the manager doesn’t use a cloud sync service).
We strongly discourage the use of LastPass due to several significant security breaches in the recent past (as of 2023).
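The word-based approach in point 1 and the 16-character / three-class rule above can be put into code. The following Python is an added example, not the WIN Centre's own tooling: `complies` checks a passphrase against the policy, `generate` builds one from randomly chosen words using the `secrets` module (a CSPRNG, not `random`), and `entropy_bits` estimates its strength. The word list is a constructed sample so the example runs offline; a real deployment would use a large published list such as the EFF long word list.

```python
import math
import secrets
import string

# Constructed sample word list for an offline run. Entropy per word is
# log2(list size), so the size of the list matters more than word length.
WORDS = (
    "anchor barn celeriac dominion ember fossil glacier hammock island jigsaw "
    "kettle lantern meadow nebula orchard pebble quartz random saddle thistle "
    "umbrella velvet walnut yonder zeppelin brisket canyon dune falcon garnet"
).split()

MIN_LENGTH = 16     # policy: at least 16 characters
MIN_CLASSES = 3     # policy: at least three of the four classes

CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    # a space counts as punctuation here; the policy's own example uses spaces
    "punct": set(string.punctuation) | {" "},
}


def classes_used(passphrase):
    """Names of the character classes that appear in the passphrase."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in passphrase)}


def complies(passphrase):
    """True if the passphrase meets the 16-character / 3-class rule."""
    return (len(passphrase) >= MIN_LENGTH
            and len(classes_used(passphrase)) >= MIN_CLASSES)


def entropy_bits(n_words, list_size, n_digits=0):
    """Entropy of n_words uniformly chosen words plus n_digits uniformly
    chosen digits. Capitalisation and separators are fixed, so they add none."""
    return n_words * math.log2(list_size) + n_digits * math.log2(10)


def generate(n_words=4, separator=" ", n_digits=2, words=WORDS):
    """Build a policy-compliant passphrase from random words.

    Each word is capitalised (upper + lower case) and the words are joined
    with `separator` (punctuation). If n_digits > 0, a block of random digits
    is inserted at a random word boundary rather than always at the end."""
    chosen = [secrets.choice(words).capitalize() for _ in range(n_words)]
    if n_digits:
        digits = "".join(secrets.choice(string.digits) for _ in range(n_digits))
        chosen.insert(secrets.randbelow(n_words + 1), digits)
    phrase = separator.join(chosen)
    if not complies(phrase):
        # Only reachable with very short words and few of them: add a word.
        return generate(n_words + 1, separator, n_digits, words)
    return phrase


if __name__ == "__main__":
    for candidate in ("Random Celeriac Dominion", "password123", generate()):
        print("%-40s %s  classes=%s" % (candidate, complies(candidate),
                                        sorted(classes_used(candidate))))
    print("4 words from a 7776-word list: %.1f bits" % entropy_bits(4, 7776))
```

Strength comes from the number of words and the size of the list, not from the characters used: four words from a 7776-word list give about 52 bits. A digit block inserted at a random position adds its own entropy, whereas a predictable substitution such as o > 0 adds almost none, because password-cracking rule sets try those substitutions automatically.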