Username and password policy
1.1 Identification and Authentication of Users
1.2 Username is Public Information to the University Community
1.3 Password is Private Information
1.4 Username Should be Unique and Unchanged for a Person
1.5 Staff who are also Students will have Two Usernames
1.6 Same Account Across Computer Systems
1.7 ISTS Manages Usernames and Passwords
1.8 Standards for Passwords
1.9 Generic and Temporary Accounts
2.1 Allocation of Username for New Staff Members
2.2 Allocation of Initial Passwords for New Staff Members
2.3 Allocation of Username for New Students of UniSA
2.4 Allocation of Initial Passwords for New Students
2.5 Allocation of Usernames for Open Learning Australia (OLA) Students
2.6 Procedure for Staff to Request a Change to their Username
2.7 Procedure for Students to Request a Change to their Username
2.8 Removal of Student User Accounts
2.9 Removal of Staff Accounts
1 PRINCIPLES
This section is concerned with the principles underlying the allocation and management of usernames and Passwords.
These principles apply to systems and services managed by the Information Strategy & Technology Services Unit (ISTS) and should apply to systems managed by cost centres.
1.1 Identification and Authentication of Users
Usernames and associated passwords are required by users at the University of South Australia to gain access to Information Technology resources provided by the University.
1.2 Username is Public Information to the University Community
Each user's username is a piece of information which might need to be known by the general university community. It is an identifier that can be used by a system Administrator to provide access to shared resources.
1.3 Password is Private Information
Each username normally has an associated password. The Password must be kept confidential by the owner of the username/password pair. If other people know someone's password, they may be able to use resources or misuse facilities in that person's name.
1.4 Username Should be Unique and Unchanged for a Person
Each person should normally have a unique username which they can keep for their entire life at the University. Staff usernames are distinguishable from student usernames. As Staff move between different cost centres, their username should not change but the associated Permissions should reflect appropriate access for their new role.
1.5 Staff who are also Students will have Two Usernames
Staff usernames are distinct from student usernames. There is a need to be able to provide different permissions based on a person’s role as staff or student. Staff who are also students will be provided with a staff username/password pair and a student username/password pair. This allows staff to take on the role of a student when they are not working in their normal staff position.
1.6 Same Account Across Computer Systems
Where possible, the ISTS will try to use the same username and password access for an individual to authenticate use of all computer systems and services within the University environment. This makes it easier for the user to log onto the range of resources the user needs to access and reduces the number of usernames which need to be disabled when a person leaves the University.
1.7 ISTS Manages Usernames and Passwords
The ISTS is responsible for managing procedures and guidelines which relate to Accounts used for accessing those resources managed by ISTS.
1.8 Standards for Passwords
ISTS will manage procedures and guidelines relating to initial passwords, appropriate lifetimes for passwords and recommendations for constructing a new password.
1.9 Generic and Temporary Accounts
It is recognised that there will be the need for generic and temporary accounts to be created at the request of staff members of the University. In general, University staff and students should use their personal account. A request for a generic or temporary account must be accompanied by a justification. The account will only be available for a specific purpose and time after which it will be disabled or removed.
A register will be kept of the usage of generic and temporary accounts. The register will include enough detail to identify who was responsible for the account at any particular time and will also document the enabling and disabling of the account.
The register will be maintained by the ISTS. Cost centres which perceive a need to create any accounts need to ensure that they consult with the ISTS so that appropriate arrangements can be made for keeping track of such accounts. If accounts are created without consultation with ISTS, such accounts may not have access to services such as email and the Internet.
A generic or temporary account that does not require Internet access and does not involve users who are not staff or students of the University can be created by ISTS staff without requiring approval of the Director: ISTS. It must still be included in the register.
If an account is required that will have Internet access or will be used by users who are not staff or students of the University then the approval of the Director: ISTS or nominee is required. Each case needs to be assessed on its merits due to the legal implications of the Telecommunications Act and University agreements with carriers.
2 PROCEDURES
2.1 Allocation of Username for New Staff Members
ISTS is responsible for keeping a register of all staff usernames (including staff who have left). A new staff member will be provided with a username which must be approved by ISTS. In some cases, Accounts associated with e-mail are created by staff outside of ISTS, but the usernames must still be approved and recorded by ISTS.
The general formula used to construct a staff username is:
ssssssii
where:
ssssss is up to the first 6 characters of the
surname
ii is the initials of first name and middle name if present - no letter is substituted if
there is no middle name.
Staff usernames must be equal to or less than 8 characters and not start with a digit. In general, digits should not be used in staff usernames. If there are multiple middle names, it is acceptable to use more trailing initials and reduce the stem of the surname part used to make the total length equal to or less than 8. There is no need to pad out very short surnames (less than 6 characters).
If the register maintained by ISTS shows that another user already has the same username as the algorithm proposes, a variation must be made to the new username to make it unique by:
- using fewer or more initials,
- using less of the surname, or
- using a digit on the end as a last resort.
The staff username will also be used for other appropriate identifiers such as MailID.
2.2 Allocation of Initial Passwords for New Staff Members
Staff Passwords will initially be assigned by the Administrator who creates the account. Staff should change their password from the initially assigned value to something which only they know.
The password should contain some digits, be longer than 7 characters, not contain names, proper nouns or words from a dictionary. Staff should change their password at least once per year. Some systems may enforce these recommendations.
2.3 Allocation of Username for New Students of UniSA
Students who are enrolled in programs at the University of South Australia will have a username created for them. This username will normally consist of:
sssiinnn
where:
sss is the 3 digits of surname (padded with Y's if shorter)
ii is the first and middle initial (replaced with Y if missing)
nnn is a tie break number assigned by the student records system.
A word matching program is used to test the 5 character stem to minimise the chance that the username contains an offensive word. If a match is found, an inoffensive substitute word is used.
For these reasons, it is not possible for students to deduce their username. Students are advised of their username on a range of documents sent to them by Student and Academic Services.
Students who return to study at the University after a period of absence will be assigned the same username they had when last enrolled.
The University will not use StudentIDs as usernames. StudentIDs must not be published in such a way that they can be directly connected with the student's name or username.
2.4 Allocation of Initial Passwords for New Students
Student Passwords will initially be assigned by ISTS using information available from their student record. Students must change their password from this initial value.
The password should contain some digits, be longer than 7 characters, not contain names, proper nouns or words from a dictionary. Students should change their password at least once per year. Some systems may enforce these recommendations.
2.5 Allocation of Usernames for Open Learning Australia (OLA) Students
Students who participate in Open Learning Australia will have a username created for them. This username will normally consist of:
sssiinnF
where:
sss is the 3 digits of surname (padded with Y's if shorter)
ii is the first and middle initial (replaced with Y if missing)
nn is a tie break number assigned by the student records system
F is the letter "F".
A word matching program is used to test the 5 character stem to minimise the chance that the username contains an offensive word. If a match is found, an inoffensive substitute word is used.
For these reasons, it is not possible for OLA students to deduce their username. Students are advised of their username on a range of documents sent to them by the Flexible Learning Centre.
OLA students who return to study another OLA subject managed by the University will be assigned the same username they had when last enrolled.
The University will not use StudentIDs as usernames. StudentIDs must not be published in such a way that they can be directly connected with the student's name or username.
2.6 Procedure for Staff to Request a Change to their Username
Staff may make a case to change their username by contacting the ISTS Help Desk on 25000. In general, changes to a staff member's username are discouraged but there can be reasons why it may be appropriate to change the username.
2.7 Procedure for Students to Request a Change to their Username
Students wishing to change their username may make a case to Student and Academic Services, by contacting Campus Central.
2.8 Removal of Student User Accounts
Student accounts will expire (and thus be unusable) at the end of the semester in which they are currently active unless they are enrolled in the next semester.
Student accounts will be removed within 2 months of their expiration.
2.9 Removal of Staff Accounts
Staff accounts will be disabled on receipt of Mailbox removal form (see http://www.unisa.edu.au/ists/Staff/applicationforms/ITresources.asp). The account and the mailbox will be removed three months after this date.