
    Ex Libris Password Management Policy_v2.3

    Version 2.3

    Overview

    Ex Libris, a ProQuest company, is committed to providing its customers with a highly secure and reliable environment for hosting and cloud-based applications. To support that commitment, Ex Libris has developed a strict and secure password policy and procedures that cover all aspects of password usage, including hosting and cloud-based Ex Libris systems and services.

    Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of the entire corporate network. For this reason, all individuals that access Ex Libris systems, including employees, contractors, and vendors, are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

    Passwords not only protect Ex Libris and its information, but you as well. If somebody uses your account, you may be held responsible for their actions if you revealed your password to that person.

    Purpose

    The purpose of this policy is to establish a standard for the creation of strong passwords, the protection and appropriate use of these passwords, and the frequency with which passwords should be changed.

    Scope

    This policy applies to all individuals who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Ex Libris facility, has access to the Ex Libris network, or stores Ex Libris information.

    Password Policy

    General

    • All internal Ex Libris system user accounts, such as e-mail, workstation, and server accounts, where passwords are composed of twelve (12) complex characters, will be changed at least every 180 days.  Non-Ex Libris systems, such as third party products, that cannot comply with 12 complex character passwords, must be 8 complex characters long and will be changed at least every 90 days.
    • A user account that has system-level privileges granted through group membership or programs such as 'sudo' must have a password that is different from the password used for all other accounts held by this user.
    • Passwords may not be inserted into e-mail messages.
    • All user-level passwords will conform to the password requirements described below.
    • All new user accounts require that the password be changed immediately by ensuring that the "change password at next logon" option is enabled.
    • All system-level passwords, such as root, NT admin, application administration account, or service account, will be changed at least every 180 days.
    • In a new installation of an Ex Libris product at a customer site, the application password will be changed immediately.
    • When providing an internal application user name/password to an external resource, such as a supplier, external developer, or distributor, a change of password will be performed immediately after the session.

    Password Requirements

    Passwords must be strong and have the following characteristics:

    • Complex:
      • Contain both uppercase and lowercase characters
      • Have digits, punctuation, or Unicode characters as well as letters (for example,  0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)אßڑ)
    • Must be at least 8 characters long. System passwords must be at least 12 characters long
    • Enforce password history – at least 8 change cycles before a password can be reused 
    • Lockout – user accounts are blocked after 10 consecutive failed password entries
    • Must be a non-trivial combination
    • Must not be a word in any language, slang, dialect, or jargon
    • Must not be based on personal information
    • Must never be written down or stored unencrypted
    • Rename the system-level privileged account name when possible.
    • Do not use the product name or a name that someone can easily guess as the system-level privileged account name.

    In contrast, the following are characteristics of poor passwords and may never be used:

    • The default password
    • A password that is a common usage word such as:
      • Names of family, pets, friends, co-workers, fictional characters, and so forth
      • Computer terms, commands, names of companies, hardware, or software
      • Birthdays and other personal information, such as addresses and phone numbers
      • Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, and so forth
      • Any of the above preceded or followed by a digit
      • Any of the above transformed by simple character substitutions (1 for l, @ for a, 3 for E, and so forth)

    Protecting Your Password 

    To protect your password:

    • In general, try to create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be “This may be one way to remember my password” and the password could be TmB1w2Rmp!  or Tmb1W>rmp@s
    • Do not share your user-level Ex Libris password with anyone, including administrative assistants or Cloud and IT employees (unless you change the password after the problem has been solved).
    • Do not open a case or ticket with your username and password in it. Instead, ask for remote assistance and type the password separately. All user-level and system-level passwords are confidential Ex Libris information. All passwords must be saved on Ex Libris password protection encrypted systems, where available.
    • If Cloud/IT employees need access to a system using your password, you must reset your password when they have completed the task.
    • Avoid using the Remember Password feature of applications such as PuTTY, SecureCRT, and Internet Explorer.
    • Do not write passwords down and store them in your office or near your workstation.

    If you need to deliver a password:

    • Provide a temporary password by phone and set it so that it must be changed immediately.
    • Be aware of who is around you listening

    If you suspect that an account or password may be compromised, report the incident to the Ex Libris Chief Information Security Officer and immediately change all your passwords on the compromised systems.

    Enforcement of Password Requirements

    Password cracking or guessing may be performed during the semiannual security audit review conducted by the company's Chief Information Security Officer or the CISO's delegates. Password cracking or guessing may also be performed during the annual security penetration tests conducted by an external security company and during the ISO audit process. If a password is guessed or cracked during one of these scans, this will be considered a security violation and will be handled according to the security disciplinary policy.

     

     

    Record of Changes

    Type of Information    Document Data
    Document Title:        Ex Libris Password Management Policy
    Document Owner:        Tomer Shemesh - Ex Libris Chief Information Security Officer (CISO)
    Approved by:           Barak Rozenblat - VP Cloud Services
    Issued:                Mar 1, 2012
    Reviewed & Revised:    Nov 4, 2020

     

    Revision Control

    Version Number    Nature of Change              Date Approved
    1.0               Initial version               Mar 1, 2012
    1.1               Updated – Tomer S             Apr 22, 2013
    1.2               Updated – Tomer S             Mar 12, 2014
    1.3               Review and Update - Tomer S   Feb 4, 2015
    1.4               Review and Update - Tomer S   Apr 11, 2016
    1.5               Review and Update - Tomer S   Jul 12, 2017
    2.0               Review and Update - Tomer S   Apr 26, 2018
    2.1               Review and Update - Tomer S   May 29, 2018
    2.2               Review and Update - Tomer S   Jun 3, 2019
    2.3               Review and Update - Tomer S   Nov 04, 2020

    Document Distribution and Review

    The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated annually or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver.
