PASSWORD MANAGEMENT
Authentication measures that use passwords shall be developed in accordance
with this Attachment. It is recommended that, whenever possible, the
measures discussed in this guide be automated. Additional information and
recommendations on password management may be found in CSC-STD-002-85,
"Department of Defense Password Management Guideline."
1. CSSO RESPONSIBILITIES.
a. Initial System Passwords. Many classified AIS come from the vendor
with a few standard user IDs (e.g., SYSTEM, TEST, MASTER) already
enrolled in the system. The CSSO shall ensure that the passwords
for all standard user IDs are changed before allowing the general
user population access to the classified AIS. The CSSO shall also
ensure that these passwords are changed after a new system release
is installed or other action is taken that might result in the
restoration of these standard passwords.
b. Password Length. When passwords are used for the authentication of
users for access control purposes, they shall contain a minimum of
six nonblank characters.
c. Initial Password Assignment. The CSSO is responsible for ensuring
the generation and assignment of the initial password for each user
ID. It is desirable to prevent exposure of the password. Whatever
method is used to distribute passwords, the CSSO shall technically
or visually verify the identity of the recipient of the password.
d. Password Change Authorization. Occasionally, a user may forget a
password or it may be determined that a user's password has, or may
have been, compromised. To correct these problems, it is
recommended that the CSSO be permitted to generate a new password
for any user and suspend the previous password. Positive
identification of the user by the CSSO is required. The CSSO
should not have to know the user's password in order to do this but
should follow the same rules for distributing the new password that
apply to initial password assignment.
2. USER RESPONSIBILITIES.
a. Security Awareness. Users shall be advised of the responsibility
to keep passwords private and to report suspected security
incidents or changes in user status. The CSSM shall establish
a formal site procedure (such as requiring each user to sign a
statement) to ensure that each user acknowledges responsibility to
keep passwords private and to report changes in user status. The
CSSO is responsible for ensuring that this procedure is followed
before each user is granted access to any classified AIS. These
records shall be kept at least for the duration of the user
authorization to use any classified AIS under the CSSM's cognizance.
b. Password Protection. Passwords used to control access to
classified AIS shall be protected at a level commensurate with the
highest classification level and most restrictive classification
category of the information accredited for processing on the system
unless the system is accredited for multilevel processing. For
multilevel classified AIS, passwords shall be protected consistent
with the highest classification level and most restrictive
classification category to which they grant access. When used to
authenticate personal identity, the password shall not be shared
with anyone.
c. Changing Passwords. To avoid needless exposure of user passwords
to the CSSO, it is recommended that users be able to change their
own passwords without intervention by the CSSO. If there is the
capability for the users to change their own password, users (other
than the CSSO) shall be permitted to change only their own
passwords.
3. PASSWORD FUNCTIONALITY.
a. Password Generation. All passwords shall be produced by a method
approved by the DAA. In no case shall a user "supply" his/her own
password. Password acceptability shall be based on the method of
selection, the length of password, and the size of the password
space. The password selection method, the length of the password,
and the size of the password space shall be described or referenced
in the Classified AIS Security Plan.
b. Internal Storage of Passwords. Stored passwords shall be protected
by access controls provided by the automated information system, by
encryption, or both.
(1) Use of Access Control Measures. If available, access control
measures shall be used to protect the password database from
unauthorized modification and disclosure.
(2) Use of Encryption. Encryption of stored passwords shall be
used whenever the access control measures provided by the
classified AIS are not adequate to prevent exposure of the
stored passwords.
c. Entry. When a Classified AIS cannot prevent a password from being
echoed (e.g., in a half-duplex connection), an overprint mask shall
be printed before the password is entered to conceal the typed
password.