Department policy on use of locally authenticated accounts on department systems
Reviewed by Bil Hays 5/2/2014
This page describes department policies with regard to the use of locally authenticated accounts on department computers. In general, they should be avoided. This article describes the problems with local accounts, what to do if you already have them, and some alternatives. It does not apply to local accounts that authenticate against Kerberos.
Problems with locally authenticated accounts
The biggest problem with locally authenticated accounts is that they are not subject to the same password complexity or expiration rules that govern our other accounts. Users have to choose to use good passwords, and they don’t always do that. As a result, on several occasions hackers have compromised local accounts by guessing their passwords. They were then able to use the compromised systems as a base of attack on other University systems.
Since locally authenticated accounts are not guaranteed to comply with campus or department policies for password complexity or expiration, using these accounts should be avoided except when there is no viable alternative. However, we recognize that there may well be cases where a locally authenticated account is necessary. We in Computer Services are most concerned about locally authenticated accounts on systems that we administer, because we are responsible for these systems and because the systems we administer are trusted to some extent by other systems in the department and on campus.
Locally authenticated accounts that 1) reside on department-supported systems physically located in the department (as opposed to laptops or home systems), and 2) are set up for people who do not have department accounts, are particularly egregious: they are not only security issues, but also a way of avoiding Computer Services fees, which help to pay staff salaries. If we find such accounts we will remove them.
If you already have local accounts
If you have already set up locally authenticated accounts on department systems, please either delete them or let Computer Services know about them. We’ll need to know the name and operating system of the computer, as well as the name and the purpose of the account. If the account does not have a strong password, please change it as soon as possible. Department standards for strong passwords are given at Webpass. Our standards are the same as campus standards, except that the department requires a password of at least 12 characters that you change every 12 months. (Just think “twelve and twelve”.) Campus passwords must be at least eight characters and must be changed every 90 days. Research shows the department’s standard is more secure.
When local accounts are acceptable
Locally authenticated accounts are acceptable on department-owned laptops that will frequently be used outside the building, or on desktop systems that are used at home. You do not need to report these to Computer Services. However, you are responsible for complying with department standards for password strength if you use these machines to connect to the campus network (including the department network).
Alternatives to locally authenticated accounts
To reduce the need for locally authenticated accounts on department-administered systems, we are now providing free temporary and special-purpose accounts. A temporary account may be requested by any of our users for use in department-related business (research, education, or service). Special-purpose accounts may be needed to run a particular piece of software or for various other reasons. The advantage of both the temporary and special-purpose accounts that are set up by Computer Services is that they are subject to the same password rules as our other accounts, and hence they are not an additional security threat. For details on requesting and using these accounts, see Temporary and Special Purpose Accounts.