Account & Password Management
Do we ensure only authorized personnel have access to our computers
and do we require and enforce appropriate passwords?
Ensuring that only authorized personnel are able to access office
computers is very important to maintaining a secure computing environment.
Only employees who need access to carry out their work responsibilities
should have an active computer account, and accounts should be deactivated
when the need no longer exists.
Regular use of strong passwords is another key first line of defense
against unauthorized access and use of department computing resources.
Passwords should be required for access to any department computer
or server. To be useful and effective, passwords should be easy
to remember but difficult to guess. It is very important that passwords
not be shared with anybody, or written down where others might see them.
Some specific questions about the use of accounts and passwords
in your department:
- Do we deactivate accounts for terminated or transferred employees
in a timely manner?
- Do we periodically review current employee accounts that have
not been used in a long time and consider deactivating them?
- Do we disallow shared accounts? If not, is use of shared accounts
audited frequently?
- Do we require passwords for access to department workstations
and servers?
- Do we require that our passwords be periodically changed?
- Have we emphasized to users that their password, along with
their computing id, is the key to their electronic identity?
- Do we assist users in selecting passwords that will ensure privacy
while promoting regular use? (See FSU guidelines)
- Do we require that passwords not be written down or shared?
- Do we disallow dial-in access to office computers?
- Do we log and review multiple tries to enter a password for
a given account?
- Do we prevent users from choosing passwords that have been used
only a short while ago? Is there a reasonable "previously used"
password history list to deter users from repetitive use of the
same password?
An answer of "no" to any of the above questions indicates
a risk for which remedial steps should be considered.
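As an added illustration of three of the checks above (this is example code, not part of the FSU guidance), the following Python reviews constructed sample data for dormant accounts, repeated failed password attempts per account and source, and reuse of a recently used password. The 90-day idle limit, the five-attempt threshold and the ten-entry history depth are assumed values to adjust to local policy.

```python
import hashlib
import hmac
import re
from collections import Counter
from datetime import date, timedelta

# Constructed sample data: last successful login per account, and a few
# sshd-style auth log lines. None of these values come from the page.
LAST_LOGIN = {
    "alice": date(2024, 5, 2),
    "bob": date(2023, 9, 14),       # not used for months: candidate for deactivation
    "shared-lab": date(2024, 5, 3),
    "carol": date(2024, 4, 30),
}

AUTH_LOG = """\
May 03 08:01:12 ws1 sshd[812]: Failed password for bob from 10.0.0.7 port 50122 ssh2
May 03 08:01:15 ws1 sshd[812]: Failed password for bob from 10.0.0.7 port 50122 ssh2
May 03 08:01:19 ws1 sshd[812]: Failed password for bob from 10.0.0.7 port 50122 ssh2
May 03 08:01:23 ws1 sshd[812]: Failed password for bob from 10.0.0.7 port 50122 ssh2
May 03 08:01:30 ws1 sshd[812]: Failed password for bob from 10.0.0.7 port 50122 ssh2
May 03 08:02:01 ws1 sshd[820]: Accepted password for alice from 10.0.0.9 port 50130 ssh2
May 03 08:05:44 ws1 sshd[833]: Failed password for invalid user admin from 10.0.0.7 port 50140 ssh2
May 03 08:06:10 ws1 sshd[840]: Failed password for carol from 10.0.0.11 port 50150 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")

def dormant_accounts(last_login, today, max_idle_days=90):
    """Accounts whose last successful login is older than max_idle_days (assumed limit)."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(user for user, last in last_login.items() if last < cutoff)

def repeated_failures(log_text, threshold=5):
    """(account, source) pairs with at least `threshold` failed password attempts."""
    matches = (FAILED_RE.search(line) for line in log_text.splitlines())
    counts = Counter(m.groups() for m in matches if m)
    return {key: n for key, n in counts.items() if n >= threshold}

def pw_hash(password, salt):
    """Salted PBKDF2 digest; only digests, never plaintext, go into the history list."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def reuses_recent_password(candidate, history, depth=10):
    """True if `candidate` matches any of the last `depth` (salt, digest) history entries."""
    return any(hmac.compare_digest(pw_hash(candidate, salt), digest)
               for salt, digest in history[-depth:])
```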