For paper copies, please contact:

Archives and Records Management
GBB-ES-0210
416 Occidental Avenue S.
Suite 210
Seattle, WA 98104-2836

Personal Computer Password Usage

Document Code No.: INF 8-7 (AEP)
Department/Issuing Agency: Executive - Information Resource Council
Effective Date: December 29, 1998
Approved: /s/ Ron Sims
Type of Action: New


1.0 SUBJECT TITLE: Personal Computer Password Usage

2.0 PURPOSE:

2.1 To establish personal computer password policies to ensure the appropriate protection of King County information handled by computer networks as well as to secure both microcomputers and King County data resident on microcomputers.

3.0 ORGANIZATIONS AFFECTED:

All King County Departments, Offices and Agencies.

4.0 REFERENCES:

None

5.0 DEFINITIONS:

5.1 "User" means any individual performing work for King County utilizing a personal computer, workstation or terminal, including but not limited to any employee, contractor, consultant, or other worker. Each term is used in the general sense and is not intended to imply or convey to an individual any employment status, rights, privileges, or benefits.

5.2 "Strong Password" means a password that contains at least six characters; consists of a combination of upper and lower case letters, numbers and special characters; and does not include the user's first or last name or logon user ID.

5.3 "Logon User-id" means an identifier assigned to a specific user and used by a computer system to identify that user.

6.0 POLICIES:

6.1 Passwords are required during logon for all personal computers, workstations or terminals that are connected to a King County network.

6.2 All passwords must have at least six (6) characters.

6.3 All computer system users should choose passwords that cannot be guessed easily; easily guessed passwords such as "password", "welcome", etc. should not be used. Passwords should not be related to the user's job or personal life. Passwords cannot contain the user's first or last name or their logon user ID.

6.4 All passwords must contain at least three of the following elements:

Upper Case Letters (A, B, C...Z)
Lower Case Letters (a, b, c...z)
Numbers (0, 1, 2...9)
Special Characters (!@#$%^&*)

6.5 Users cannot define passwords that are identical to, or substantially similar to, passwords they have used at any time during the previous six months.

6.6 Passwords should not be written down and left in a place where unauthorized persons might find them.

6.7 Passwords should never be shared or revealed to anyone other than an authorized user. If a password is compromised, it should be changed as soon as possible.

6.8 Users should not leave their personal computer, workstation, or terminal unattended without first logging out or enabling the password-protection feature of their screen saver.

6.9 Users must change their passwords at least once every ninety (90) days.

6.10 User-ids should be suspended or temporarily disabled after three unsuccessful attempts to enter a password.

6.11 Passwords and logon-ids enabling system access should be restricted or removed if an employee resigns or no longer needs access to the systems.

7.0 PROCEDURES:

Action By: Agency System Administrator

Action:

7.1 Ensures that passwords must be at least six (6) characters.

7.2 Ensures that strong passwords are activated and enforced on all systems.

7.3 Ensures that user passwords are changed at least once every ninety (90) days.

7.4 Ensures that systems are set up to suspend or temporarily disable user-ids after three unsuccessful attempts to log on.

Action By: Agency Managers/Supervisors

Action:

7.5 Advises agency system administrators when an employee resigns or no longer needs access to a system.

Action By: Agency System Administrator

Action:

7.6 Ensures that passwords and user-ids are restricted or disabled when an employee resigns or no longer needs access to a system.

8.0 RESPONSIBILITIES:

8.1 Users are responsible for creating and using passwords that comply with the policies detailed above.

8.2 Agency system administrators are responsible for ensuring that controls are in place that verify the length and content of passwords, force users to change passwords at least once every ninety days, and suspend user-ids after three unsuccessful attempts to log on.

8.3 Agency managers/supervisors are responsible for advising system administrators when employees resign or no longer need access to a system.

9.0 APPENDICES:

None