PG25 Password Management Procedure

Purpose

The purpose of this administrative procedure is to establish a standard for the secure use and protection of all work-related passwords.

Scope

This procedure applies to all Albuquerque Public School employees, staff, students, and third parties who have (or are responsible for) an account on any APS system, application, server, or computer or have access to APS technology via the network. It is the user’s responsibility to read and understand this directive and to conduct their activities in accordance with its terms. In addition, users must read and understand the APS Information Security Manual and its associated standards.

General Provisions

Each APS employee, staff member, student, and third party is responsible for appropriately managing accounts and passwords and for complying with this Password Management procedural directive.

  • All passwords are confidential APS information. Therefore, sharing passwords (and accounts) is prohibited at APS.
  • Any individual suspecting that their password may have been compromised must report the incident and change all relevant passwords as soon as possible.
  • All procedures and activities necessary to implement and comply with this procedural directive shall be defined, documented, maintained and updated, if required.
  • The password management procedural directive must be reviewed at least once per year and updated if needed.

Roles and Responsibilities

All APS employees, staff, students, third parties, contractors, and sub-contractors with access to APS systems, networks, or information (onsite or offsite) are personally responsible for the appropriate use of their accounts and for creating and protecting their passwords. In addition, they must:

End-Users

  • Select strong, unique passwords.
  • Change password at first login.
  • Keep passwords confidential.
  • Update passwords regularly, according to this procedural directive or any systems forcing action.
  • Avoid phishing scams that target passwords.
  • Report any password-related issues or suspected password compromise to the APS IT help desk. A compromised password must be changed immediately.
  • Use two-factor authentication (2FA), multi-factor authentication (MFA), or biometrics.
  • Be aware of password best practices and security risks.
  • Follow the organization's password management procedural directive.

The following practices are prohibited:

  • Using short, easily guessable, or weak passwords such as common words, a single word or phrase that can be found in a dictionary, sequences of numbers, or passwords based on personal information (names, birthdays, SSNs, or addresses).
  • Reusing old passwords or passwords used for other accounts or purposes.
  • Sharing passwords with anyone. This includes, but is not limited to, colleagues, management, IT staff, and family members.
  • Writing passwords on notes, keeping or inserting passwords into email messages or other forms of electronic communication, or revealing passwords over the phone to anyone.

APS Help Desk

  • Assists end-users with password resets and account unlocks.
  • Provides guidance on password creation requirements and best practices.
  • Escalates password-related issues to the Server Operations Department as needed.

APS Server Operations Department

  • Implements, maintains, and enforces password procedures and rules.
  • Manages password reset and account unlock processes.
  • Monitors and reports on password usage to ensure compliance.
  • Provides advanced support for password-related issues.
  • Manages and administers the password management system.

APS Information Security Department

  • Provides oversight and guidance on password management security practices.
  • Conducts regular security audits and independent assessments of password management processes.
  • Recommends improvements and enhancements to password management policies and procedures.

Password Management

The password management policy that governs the creation, protection, and use of passwords within APS must be defined and implemented. Password management requirements are as follows:

Password Creation Requirements

All user-level and system-level passwords must comply with the following password creation requirements:

Password Construction Requirements

  • Strong passwords must contain at least three of the following four types of characters:
    • English uppercase letters (A-Z)
    • English lowercase letters (a-z)
    • Numerals (0-9)
    • Non-alphanumeric special characters (such as !,@,#,$,&,*)
  • Passwords must be at least eight (8) alphanumeric characters long.
  • Use two-factor authentication (2FA), multi-factor authentication (MFA), or biometrics where possible.
  • User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
  • User IDs and passwords shall never be used through an interactive login mechanism (except for testing/setup/troubleshooting purposes).
  • All third-party/vendor default passwords, including those of service accounts, must be changed as soon as possible after system/application deployment and before the system becomes operational. This applies to, but is not limited to, all system components, operating systems, software that provides security services, wireless access points, application and system accounts, and passwords used to deploy and maintain cloud services.
  • Service accounts must have a responsible point of contact or sponsor.
  • Service accounts must be reviewed annually to ensure they are properly used, secured, and necessary.

Passwords for new user accounts, whether generated automatically or set by the account holder as a temporary password, must be strong and unique. Users must change the temporary password immediately after first use to a new password that meets the requirements established in this procedural directive.
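The construction requirements and the prohibited practices listed under End-Users, expressed as a checker that an account-provisioning or self-service reset tool could run before accepting a new password. This is an added example, not code from APS or from this procedure; the word list and the personal details used as input are constructed placeholders, and the sequence and personal-information checks are one way of approximating the prohibited patterns the directive names.

```python
"""Check a candidate password against the PG25 construction requirements.

Added example, not APS code. Rules implemented: minimum length of 8, at
least three of the four character classes, and approximations of the
prohibited practices (dictionary words, number/letter sequences, personal
information). COMMON_WORDS and the personal details in the usage section
are constructed placeholders, not real data.
"""
import string

MIN_LENGTH = 8      # "at least eight (8) ... characters long"
MIN_CLASSES = 3     # "at least three of the following four types"
SEQUENCE_RUN = 4    # length of an ascending/descending run treated as a sequence

# Constructed stand-in for a real dictionary / breached-password list.
COMMON_WORDS = {"password", "welcome", "school", "letmein", "albuquerque"}


def character_classes(password):
    """Return the set of character classes present: upper, lower, digit, special."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        elif not ch.isspace():
            classes.add("special")
    return classes


def has_sequence(text, run=SEQUENCE_RUN):
    """True if text contains `run` characters that ascend or descend by one (1234, dcba)."""
    for i in range(len(text) - run + 1):
        window = text[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(password, personal_info=()):
    """Return the list of failed rules (an empty list means the password is compliant).

    personal_info: strings such as names or birth years that must not appear
    in the password (the procedure prohibits passwords based on them).
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("min_length")
    if len(character_classes(password)) < MIN_CLASSES:
        failures.append("character_classes")
    lowered = password.lower()
    # "a single word ... found in a dictionary": strip digits/symbols, then compare
    letters_only = "".join(ch for ch in lowered if ch.isalpha())
    if letters_only in COMMON_WORDS:
        failures.append("dictionary_word")
    if has_sequence(lowered):
        failures.append("sequence")
    if any(item.lower() in lowered for item in personal_info if len(item) >= 3):
        failures.append("personal_info")
    return failures


if __name__ == "__main__":
    # Constructed sample inputs; "Smith" stands in for the user's surname.
    for candidate in ["Sh0rt!", "abcd1234", "Password1!", "Smith2024!", "Tr0ub4dor&3"]:
        result = check_password(candidate, personal_info=("Smith",))
        print(f"{candidate!r:16} -> {'OK' if not result else ', '.join(result)}")
```

Note that "Password1!" satisfies the length and three-of-four-classes rules yet still fails, which is the point of the prohibited-practices list: the character-class rule alone does not stop a dictionary word with a digit and a symbol bolted on. A production check would replace COMMON_WORDS with a full dictionary and breached-password list.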

Password Expiration and Renewal Requirements

As a general rule, all user-level passwords (such as email, web, and desktop computer passwords, among others) and all system account passwords must expire periodically. Exceptions to this requirement must be approved and documented. When personnel changes are made to staff with root access, the password authority will immediately address password changes.

Any unused user ID will be disabled or deleted as soon as possible.

Password expiration and renewal notifications must be sent to the user at least two weeks before the password expires and must include:

  • The specific date and time after which the password will no longer be valid.
  • Password reset instructions, renewal link, and the APS IT helpdesk phone number.
  • Password creation requirements.
  • A warning that the account will be locked out if the password is not renewed before the expiration date.

Password Reuse and History Tracking

Password history (the number of previous passwords remembered) must be tracked to prevent reuse of old passwords. A unique password is required for each work-related account; passwords must not be reused or used for other accounts or purposes.

Password Lockout and Invalid Login Attempts

Lockouts after a predetermined number of invalid login attempts must be used for all user-level and system-level accounts wherever technically feasible.

Shared Passwords and Delegation

Shared passwords and password delegation are prohibited at APS unless needed for an exceptional circumstance, such as emergency access to critical systems or data, temporary workers or contractors, training or testing purposes, legacy systems, or other conditions. In these cases, strong management controls must be established to maintain individual accountability and traceability. It is required to:

  • Document a justification explicitly approved by the Executive Director or Director of the Department.
  • Limit the use to the time needed for the exceptional circumstance and monitor it.
  • Immediately change or delete the password when the time limit expires.

Password Security: Entry, Storage, and Transmission

Passwords must be unreadable and stored and transmitted securely. This includes:

  • Mask passwords during entry so they are not displayed on the screen, and force users to change their passwords at first login.
  • Encrypt and/or hash passwords during storage and store them independently from the native operating system’s authentication. Passwords may be stored only in password managers that are authorized by the organization.
  • Encrypt and/or hash passwords while in transit to the authenticating system.
  • Use secure connections (HTTPS) to transmit passwords.
  • Use encrypted protocols like SSL/TLS or PGP to protect passwords in transit.
  • Avoid sending passwords via email or plain text messages, and use password reset links or token-based authentication instead of sending passwords.
  • Password encryption and hashing should be performed according to current and approved cryptographic techniques for passwords.
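The storage requirement above (hashed, never clear text, using current approved techniques) as a working store-and-verify routine. This is an added example, not APS code: the procedure does not name an algorithm, so scrypt from Python's standard library is used here as one example of a current memory-hard password hash; that choice, the cost parameters, and the record layout are assumptions, not APS's documented configuration.

```python
"""Store and verify passwords as salted, memory-hard hashes.

Added example, not APS code. The procedure requires hashed storage using
current, approved techniques but names none; scrypt from Python's
standard library (hashlib.scrypt) is used here as one such technique,
which is an assumption, not APS's documented choice.
"""
import base64
import hashlib
import hmac
import os

# Work-factor parameters: scrypt uses about 128 * n * r bytes of memory
# (16 MiB here). Raise n over time as hardware improves; each stored
# record carries its own parameters so older records stay verifiable.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password, salt=None):
    """Return a self-describing record: scrypt$n$r$p$salt_b64$hash_b64."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh random salt for every password
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(key).decode("ascii")])


def verify_password(password, record):
    """True if password matches the record; False on mismatch or a malformed record."""
    try:
        algo, n, r, p, salt_b64, key_b64 = record.split("$")
        if algo != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
        # Recompute with the parameters stored in the record, not the current defaults.
        actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False
    # Constant-time comparison so response timing does not leak how many bytes matched.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    record = hash_password("Tr0ub4dor&3")          # constructed sample password
    print(record)
    print(verify_password("Tr0ub4dor&3", record))  # True
    print(verify_password("tr0ub4dor&3", record))  # False
```

The record stores the algorithm name and cost parameters beside the salt and hash, so the work factor can be raised for new passwords without invalidating existing ones; the plaintext password never leaves the function that hashes it, which is what "do not store passwords in clear text" amounts to in code.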

Password Deletion

All passwords that are no longer needed must be deleted. This includes, but is not limited to, passwords for inactive or deactivated accounts and default or temporary passwords (for example, when a user retires, quits, or is reassigned, when a third-party contract ends, or when the user no longer needs the password to perform their duties).

Password Application Standard

Personnel who control applications (developed, acquired, or approved by APS) should ensure that those applications authenticate individual users (not groups), do not use a generic login (that anyone could use anonymously), and do not store or transmit passwords in clear text.

Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) and/or Biometrics

All APS employees and staff are encouraged to use 2FA or MFA and/or biometrics. All system levels and service providers with remote access to APS Systems and networks shall use unique MFA.

Remote Access

Remote access to the APS network by using a VPN (Virtual Private Network) must require a user ID and password. Passwords must meet the requirements established in this procedural directive. In addition, MFA and/or biometrics and monitoring of remote access activities are required.

Password Management System

When a password management system is used as an authentication method, users are responsible for creating a secure and complex master password and using Two-Factor Authentication (2FA), Multi-Factor Authentication (MFA), or biometrics (when available). Password management systems must comply with and enforce the established administrative procedure, and a procedure for creating and managing passwords through this system will be developed, communicated, and followed by APS employees and staff.

Specific password procedures for user-level and system-level accounts must be defined and documented in order to comply with this policy, and must be managed as confidential information.

Compliance

Any APS employee, staff member, or other individual bound by APS procedural directives, who is found in violation of this procedural directive, may be subject to disciplinary action, up to and including termination of employment. Any third-party partner company or contractor found in violation may face legal consequences up to termination of the contract.

Document Control

Date | Version | Document Changes | Change By | Approved By
[Date of Issue] | [Rev Number] | [Change description] | [Name who reviewed or changed the document] | [Approver Name]

References

Administrative Position: Deputy Superintendent of Operations
Department Director: Chief of Technology
Procedural Directive Cross Ref.: Employee Technology Acceptable Use
NSBA/NEPN Classification: GBA1
Introduced: October 7, 2024
Adopted: October 7, 2024

This page was last updated on: October 28, 2024.