9-6.1 Passwords

Passwords are unique strings of characters that personnel or information resources provide in conjunction with a log-on ID to gain access to an information resource. Passwords, which are the first line of defense for the protection of Postal Service information resources, must be treated as sensitive information and must not be disclosed.

9-6.1.1 Password Selection Requirements

Password requirements must comply with the following:

  1. For all users, passwords for all platforms except mobile devices must consist of at least 15 characters and contain at least one character from three of the four following types of characters: English uppercase letters (A–Z), English lowercase letters (a–z), Westernized Arabic numerals (0–9), and nonalphanumeric characters (i.e., special characters such as &, #, and $).
  2. Password requirements associated with mobile devices are based on the capability of the hardware and software and can be found in the appropriate policy/procedure documents.
  3. The only nonalphanumeric characters available for the mainframe are: @, #, and $.
  4. For all users, passwords must not contain the user’s name or any part of the user’s full name.
  5. Passwords must not be repeated (reused) for at least five generations.
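The selection requirements above can be enforced mechanically at the point where a new password is chosen. The following checker is an added example (not Postal Service code) that implements rules 1, 3 and 4 directly and delegates rule 5 to a caller-supplied `previously_used` callback, since the password history lives with the credential store rather than with the checker. The `platform` parameter and the treatment of one-character name tokens (a middle initial is skipped, otherwise any password containing that letter would fail) are assumptions of this example; mobile devices (rule 2) are out of scope.

```python
"""Checker for the 9-6.1.1 password selection requirements (added example, not Postal Service code)."""
import re
from typing import Callable, List, Optional

# Rule 1: the four character types. On the mainframe (rule 3) only @, #, $ exist as specials.
UPPER = re.compile(r"[A-Z]")
LOWER = re.compile(r"[a-z]")
DIGIT = re.compile(r"[0-9]")
SPECIAL_GENERAL = re.compile(r"[^A-Za-z0-9]")
SPECIAL_MAINFRAME = re.compile(r"[@#$]")
NOT_MAINFRAME_CHAR = re.compile(r"[^A-Za-z0-9@#$]")

MIN_LENGTH = 15   # rule 1
MIN_CLASSES = 3   # rule 1: three of the four types


def name_parts(full_name: str) -> List[str]:
    """Split a full name into parts (rule 4). Tokens of one character, such as a
    middle initial, are skipped; that cut-off is an assumption of this example."""
    return [p for p in re.split(r"[\s,.'-]+", full_name.lower()) if len(p) >= 2]


def check_password(candidate: str,
                   full_name: str,
                   platform: str = "general",
                   previously_used: Optional[Callable[[str], bool]] = None) -> List[str]:
    """Return the list of rule violations; an empty list means the password is acceptable.

    platform: "general" (any non-alphanumeric character counts as special) or
              "mainframe" (only @, #, $ are available, rule 3).
    previously_used: optional callback answering rule 5 (no reuse for five generations).
    """
    problems: List[str] = []

    if platform == "mainframe":
        special = SPECIAL_MAINFRAME
        if NOT_MAINFRAME_CHAR.search(candidate):
            problems.append("mainframe passwords may only use @, #, $ as special characters")
    else:
        special = SPECIAL_GENERAL

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes = sum(1 for rx in (UPPER, LOWER, DIGIT, special) if rx.search(candidate))
    if classes < MIN_CLASSES:
        problems.append(f"uses {classes} of 4 character types, need at least {MIN_CLASSES}")

    # Rule 4: no part of the user's full name, compared case-insensitively.
    lowered = candidate.lower()
    for part in name_parts(full_name):
        if part in lowered:
            problems.append(f"contains part of the user's name ({part!r})")

    # Rule 5: the credential store knows the last five generations; ask it.
    if previously_used is not None and previously_used(candidate):
        problems.append("matches one of the last five passwords (reuse)")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    print(check_password("Correct-Horse-Battery-9", "Jane Q. Doe"))          # []
    print(check_password("jane2024password", "Jane Doe"))                    # two violations
    print(check_password("Mainframe#Pass2024!", "Jane Doe", platform="mainframe"))
```

The checker returns every violation rather than stopping at the first one, so the user sees all the reasons a choice was rejected in one round trip.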

9-6.1.2 Password Selection Recommendations

The following password recommendations are prudent security practices intended to enhance the password complexity and protect the password from attempted password cracking:

  1. Do not use family member names or other information easily discovered about the user (e.g., license plate number, phone number, birth date, and street name).
  2. Do not use commonly used words such as words that appear in the dictionary or Postal Service terminology.
  3. Do not use all the same characters or digits or other commonly used or easily guessed formats.
  4. Use longer password conventions whenever possible (e.g., pass-phrases and run-on multiword strings).

9-6.1.3 Initial Password

Passwords must always be delivered in a secure manner. The initial password for users must be sent via protected electronic delivery system or personal delivery to the user (First Class Mail is also acceptable). For all accounts, the initial password must be set to a temporary password, and the user must be required to change the password at log-on.

Note: Caution must be taken not to standardize on generic or global passwords when issuing new accounts or when resetting forgotten passwords.

9-6.1.4 Password Suspension

After six unsuccessful attempts to log on to an information resource, the log-on ID or account must be suspended for a period of at least 5 minutes for internal systems accessed via ACE and non-ACE devices, 15 minutes for externally facing login pages, or 30 minutes for PCI-related applications, or until the system administrator resets the account.
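A suspension rule like this is a small state machine per log-on ID: count failures, suspend on the sixth, reject every attempt (even one with the correct password) until the period elapses or an administrator resets the account. The tracker below is an added example, not Postal Service code; the three category names, the `ManualClock` used for demonstration and the choice to reset the failure counter when a suspension expires are assumptions of this example.

```python
"""Failed log-on suspension tracker for the 9-6.1.4 rule (added example, not Postal Service code)."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

MAX_FAILURES = 6

# Minimum suspension per system category, in seconds (the policy states minutes).
SUSPENSION_SECONDS = {
    "internal": 5 * 60,    # internal systems accessed via ACE and non-ACE devices
    "external": 15 * 60,   # externally facing login pages
    "pci": 30 * 60,        # PCI-related applications
}


class ManualClock:
    """Settable clock so the suspension window can be exercised without waiting."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


@dataclass
class AccountState:
    failures: int = 0
    suspended_until: Optional[float] = None


class LockoutPolicy:
    def __init__(self, category: str, clock: Callable[[], float] = time.monotonic) -> None:
        self.suspension_seconds = SUSPENSION_SECONDS[category]
        self.clock = clock
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, logon_id: str) -> AccountState:
        return self.accounts.setdefault(logon_id, AccountState())

    def is_suspended(self, logon_id: str) -> bool:
        st = self._state(logon_id)
        if st.suspended_until is None:
            return False
        if self.clock() >= st.suspended_until:
            # Period elapsed: the account is usable again and starts with a fresh counter.
            st.suspended_until = None
            st.failures = 0
            return False
        return True

    def record_attempt(self, logon_id: str, success: bool) -> bool:
        """Record one log-on attempt and return True if the log-on is accepted.
        While suspended the attempt is rejected regardless of the credential."""
        if self.is_suspended(logon_id):
            return False
        st = self._state(logon_id)
        if success:
            st.failures = 0
            return True
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.suspended_until = self.clock() + self.suspension_seconds
        return False

    def admin_reset(self, logon_id: str) -> None:
        """A system administrator reset lifts the suspension before the period elapses."""
        self.accounts[logon_id] = AccountState()


if __name__ == "__main__":
    clock = ManualClock()
    policy = LockoutPolicy("external", clock=clock)
    for _ in range(MAX_FAILURES):
        policy.record_attempt("jdoe", success=False)   # constructed log-on ID
    print("suspended:", policy.is_suspended("jdoe"))   # True
    clock.now = 15 * 60
    print("suspended after 15 min:", policy.is_suspended("jdoe"))   # False
```

Checking `is_suspended` before evaluating the credential matters: a suspended account must not leak whether the supplied password was right, and must not let a correct guess end the suspension early.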

9-6.1.5 Reset Passwords

Users with nonprivileged accounts who have forgotten their passwords or need to perform routine password resets should reset their password by invoking ePassword Reset. The exception to using the ePassword Reset system is for privileged, machine, and vendor default accounts (see below). The ePassword Reset system requires user authentication prior to allowing the user to perform a password reset. If a user calls the Help Desk to reset a password, the user is challenged by Help Desk personnel to provide further confirmation of identity prior to resetting the password. Password change requests via the Help Desk are documented via a change request ticket. The password is reset to a temporary password by an administrative group, and the user must then change the password at first log-on.

ePassword Reset is not used for privileged, machine, and vendor default accounts. The passwords to these accounts are changed by the system administrator group via the Help Desk. When users of these accounts request the reset of a password, the users are challenged by Help Desk personnel to provide further confirmation of their identity (e.g., some predetermined shared secret that only the user would know) prior to resetting the password. Upon confirmation of user identity, the request is documented via a change request ticket and assigned to the appropriate administrator group for resetting the password. For privileged accounts, the administrator group resets to a temporary password and the privileged user must then change the password at first log-on.

9-6.1.6 Password Expiration

The information resource must offer an authentication information-aging feature that requires users to periodically change authentication information, such as passwords. All Postal Service personnel must change their passwords when prompted by the system or risk being locked out, thus requiring assistance to reset the account. Password expiration requirements are as follows:

  1. Prior to the expiration of authentication information, such as passwords, the information resource provides notification to the user.
  2. At least every 30 days, passwords for privileged accounts or for those accounts considered sensitive (e.g., system supervisors, software specialists, system administrators, database administrators [DBA, SYSDBA, SYSOPER, INSERT ANY TABLE, UPDATE ANY TABLE, DELETE ANY TABLE], or vendor-supplied) must be changed.
  3. At least every 90 days, passwords for all other accounts must be aged and changed.

Oracle database schema accounts are assigned to a database (not an individual) and are typically considered the application owner. These accounts have the minimum access rights and privileges required to perform the necessary business functions of the application. Oracle database schema accounts closely resemble service accounts: they are not granted root or administrative privileges and are placed under management control (Database Systems and Services [DBSS] is the Postal Service entity responsible for the life cycle of the account, from creation through deployment and usage to retirement when no longer needed). DBSS is responsible for password maintenance on all Oracle database schema accounts. DBSS must take the following measures to protect the password:

  1. The password is not provided to anyone outside of DBSS.
  2. If the password is stored in a database, it is encrypted.
  3. If the password is stored in a file, the file is protected.
  4. If scripts need to be run as the schema account, DBSS staff enter the password.
  5. The password for schema accounts must comply with a password strength function that enforces a minimum length of 15 characters. This is necessary because the schema account password does not expire, so extra measures are taken to protect it.
  6. DBSS has monitoring in place on all databases for usage of this account and records all suspicious activity.

9-6.1.7 Requests for Use of Nonexpiring Password Accounts

All requests for use of nonexpiring password accounts must be approved by the manager, CISO. The manager, CISO, must be added as an FSC for all machine accounts. These accounts are tracked for compliance purposes. The executive sponsor is accountable for the use of these accounts. If approval is granted, the following compensating controls must be implemented:

  1. Account must be in a centrally managed database. No privileged access allowed.
  2. Encrypt the LDAP call to keep the password from being transmitted across the network in clear text.
  3. Change password when personnel with access to the account leave or transfer.
  4. Nonexpiring password accounts must be requested and documented through eAccess.
  5. Ownership of nonexpiring password accounts must be identified and recertified on a semi-annual basis.
  6. Rights and privileges of nonexpiring password accounts must be reviewed at least on a semi-annual basis to evaluate the appropriateness of access.
  7. Passwords for nonexpiring password accounts must use a complex password that exceeds standard length requirements.
  8. Source-restrict the account to a specific host and do not allow console or remote entry.
  9. Restrict access to the password to operations staff with a need to know.

9-6.1.8 Requests for Use of Nonexpiring Service Accounts

All requests for use of nonexpiring password service accounts must be submitted in writing (e-mail is acceptable) by the executive sponsor to the manager, CISO. The rationale for these accounts is to prevent service interruptions due to a locked account. These accounts must be tracked for compliance purposes. The executive sponsor will be held accountable for the implementation of these accounts. If approval is granted, the following compensating controls must be implemented:

  1. Account must be requested and documented in eAccess.
  2. No privileged access allowed; specific ACLs must be applied under the concept of ‘least privilege’. Use of root, system administration, non-cancel, and similar privileges is prohibited.
  3. Account must not have the rights to modify or delete system (e.g., syslog or Windows System Event) or security log files.
  4. Restrict the account’s usage to a specific host.
  5. Direct login to the service account, whether from a console or remote session, is prohibited and must be disabled.
  6. Rights and privileges of account must be reviewed and validated on a semi-annual basis.
  7. Nonexpiring password must meet Postal Service standards, including password length and complexity, and be encrypted in storage and in transit. The only exceptions to the criteria are password aging and account suspension on failed login attempts.
  8. Restrict access to password to operations staff with a need to know and change when personnel with access leave or transfer. Comply with 6-6, Departing Personnel, to terminate all access when personnel leave or are transferred.

9-6.1.9 Password Protection

Passwords used to connect to Postal Service information resources must be treated as sensitive information and not be disclosed to anyone other than the authorized user, including system administrators and technical support staff. Requirements for protecting passwords include the following:

  1. Passwords must not be shared except those used for shared accounts.
  2. If passwords are written down and stored outside the user’s personal control, they must be secured in a tamper-resistant manner (e.g., an envelope with registry seal, time stamped, and signed by the user) to ensure that any disclosure or removal of the written password is clearly recognizable.
  3. Aside from initial password assignment and password reset situations, if there is reason to believe that a password has been disclosed to someone other than the authorized user or has been otherwise compromised, the user must immediately change the password and notify CyberSafe.
  4. Passwords must be encrypted in transit.

9-6.1.10 Password Storage

Passwords must be stored in one-way encrypted format where possible. Passwords stored in batch files, automatic log-in scripts, software macros, keyboard function keys, or computers without access control systems must be encrypted using the Postal Service encryption standard documented in 9-7.1.1, Minimum Encryption Standards, and decrypted when used.
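The "one-way encrypted format" called for here is, in practice, a salted password hash that cannot be reversed to recover the password; the same stored hashes are what a system compares against to enforce the five-generation reuse rule of 9-6.1.1. The following is an added example (not Postal Service code, and not the encryption standard in 9-7.1.1) that stores passwords with scrypt via the standard library's `hashlib.scrypt`, verifies them in constant time, and keeps the current password plus the four before it so that any of the last five generations is rejected on change. The scrypt cost parameters and the reading of "five generations" as the five most recent passwords are assumptions of this example. The reversible case in the paragraph (scripts that must decrypt a password to use it) is a different mechanism and is not shown.

```python
"""One-way password storage with five-generation history (added example, not Postal Service code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional

HISTORY_GENERATIONS = 5                  # 9-6.1.1 rule 5, read as: last five passwords are off limits
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # cost parameters, an assumption of this example
DKLEN = 32


@dataclass(frozen=True)
class StoredHash:
    """What actually goes to disk: a per-password random salt and the scrypt output."""
    salt: bytes
    digest: bytes


def hash_password(password: str, salt: Optional[bytes] = None) -> StoredHash:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return StoredHash(salt, digest)


def verify_password(password: str, stored: StoredHash) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=stored.salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return hmac.compare_digest(candidate, stored.digest)


@dataclass
class CredentialRecord:
    current: StoredHash
    history: List[StoredHash] = field(default_factory=list)   # most recent first, excludes current

    def is_reused(self, candidate: str) -> bool:
        """True if candidate equals the current password or any retained earlier generation."""
        return any(verify_password(candidate, h) for h in [self.current] + self.history)

    def rotate(self, new_password: str) -> None:
        """Install a new password, refusing any of the last HISTORY_GENERATIONS passwords."""
        if self.is_reused(new_password):
            raise ValueError("password reused within the last five generations")
        self.history.insert(0, self.current)
        del self.history[HISTORY_GENERATIONS - 1:]   # current + 4 retained = 5 generations
        self.current = hash_password(new_password)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    record = CredentialRecord(current=hash_password("Gen-1-Correct-Horse"))
    for i in range(2, 7):
        record.rotate(f"Gen-{i}-Correct-Horse")
    print("gen 1 still blocked:", record.is_reused("Gen-1-Correct-Horse"))   # False, aged out
    print("gen 2 still blocked:", record.is_reused("Gen-2-Correct-Horse"))   # True
```

Each generation keeps its own salt, so a reuse check costs one scrypt computation per retained hash; that is the price of never holding the old passwords in a recoverable form.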

9-6.1.11 Vendor Default Passwords

Vendor-supplied default accounts must be disabled or removed, or their passwords must be changed, before the system is connected or the software is introduced to the Postal Service network. This includes passwords used by contractors or consultants when configuring a system.

9-6.1.12 Password Requirements

Information resources must support the following password requirements:

  1. Deny access if the user does not comply with password selection or expiration criteria.
  2. Set initial password to a temporary password and require user to change the temporary password on first log-on.
  3. Suspend account after an administrator-configurable number of unsuccessful entries.
  4. Require re-authentication by the user, as well as reconfirmation of the new password, at the time of an attempted password change.
  5. Mask password entry during the authentication process.
  6. Store passwords in a one-way encrypted format.
  7. Encrypt passwords in transmissions.
  8. Require users to change passwords (password aging every 90 days or when compromise is suspected).
  9. Change vendor-supplied default passwords prior to use.