Authentication of Information Technologies Resources
University IT Policy 5.8
Introduction
In February 2005 the Executive Policy Review Group approved the impact statement for a proposed policy: Authentication of Information Technology Resources. The proposed policy included rules for electronic identifiers, passwords and minimum authentication standards for categories of institutional data.
Since February 2005, the Office of Information Technologies has made some revisions to its IT Policy Framework. Specifically, it has removed the authentication standards for categories of institutional data from the proposed Authentication of IT Resources policy and placed them in a proposed revision of the Responsible Use of Electronic Communications policy. Revised as a data management policy, and renamed Responsible Use of Information Technology Resources, the latter proposed policy includes a set of minimum data security standards, of which the original authentication standards for categories of institutional data have now become a part.
In the meantime, the Office of Information Technologies recognized that the remaining policy specifics of the proposed Authentication of Information Technology Resources constituted already existing practices. As such, OIT requested that the University Policy Office post this policy on an interim basis.
The interim policy therefore expands on the following principles:
- Types of Cornell electronic identifiers issued for the purpose of authenticating to campus network services and who is eligible to obtain them
- Rules for issuing Cornell electronic identifiers (IDs) and passwords used to authenticate to campus network services
- Rules for password use and password complexity
- Standards for ensuring the confidentiality of passwords used with the Cornell ID
General principles
Authorization to Access Services
Possession of a Cornell ID does not, in and of itself, grant access to information or services. An individual's role or status with the University must determine authorization to access services. Unit heads, or their service owners, are responsible for establishing the access policies for their services.
Responsibility of the Individual
Any person who is issued a Cornell ID must read and agree to a set of responsibilities. The ID is for use only by the individual to whom it is assigned at the time, and only for the duration of need.
- The password must never be shared, written down, or stored in electronic form.
- If a set of shared secrets is used to reset forgotten passwords, they should be known only to the individual to whom the ID is issued.
- An individual who suspects that his or her password has been compromised should change it immediately via the NetID Management web site and report the incident as outlined in University policy 5.4.2 Reporting Electronic Security Incidents.
Responsibility of the Central IT Organization (CIT)
In order to integrate a wider range of applications with Kerberos, on which the central authentication service is based, CIT has implemented a small number of servers which accept the NetID password in encrypted form on behalf of Kerberos. By serving this function these servers become an integral part of the central authentication infrastructure and are referred to as Kerberos proxies. Examples of Kerberos proxies include CUWebLogin, Radius, and CIT's Postoffice servers. A Kerberos proxy must meet minimum standards to mitigate the risk of password theft. These standards do not apply to the great majority of campus services which only make use of the NetID to authenticate users. For example, web-based services integrated with the central authentication service use CUWebLogin to communicate with Kerberos.
Minimum standards for Kerberos proxies:
- Passwords must be transmitted in encrypted form
- Passwords must never be stored in clear text on a server
- The server(s) must be housed in a physically secure facility where access is limited to system personnel or otherwise tracked
- System administration must be performed by a permanent Cornell staff member in an IT job title
- The server must adhere to standardized system hardening procedures
- Multi-factor authentication, such as SecurID, must be used to access the system
Responsibility of the IT Service Owner
Use of the central authentication service is recommended wherever possible when deploying new services. When local authentication services are used, the service owner should instruct end users to choose a password that is different from that used with the Cornell-issued ID.
Responsibility of the Sponsor (see Exceptions with Sponsor in the "NetID Eligibility" section below)
The Cornell staff or faculty member sponsoring an individual for a Cornell ID accepts full responsibility for the individual's use of the Cornell network and of any other IT resources. The sponsor will not obtain the password from the individual or any shared secrets intended for the individual to reset a forgotten password. In applying for or creating the ID, the sponsor will indicate the length of time the ID is required.
Application of University Policy
University IT policies apply to individuals using Cornell IDs to access campus services. For more information see:
- Cornell Information Technology Rights and Responsibilities: www.cit.cornell.edu/policy/responsible-use/
- 5.1 Responsible Use of Electronic Communications: www.policy.cornell.edu/vol5_1.cfm
- 5.4.1 Security of Information Technology Resources: www.policy.cornell.edu/vol5_4_1.cfm
- 5.4.2 Reporting Electronic Security Incidents: www.policy.cornell.edu/vol5_4_2.cfm
- 5.7 Network Registry: www.policy.cornell.edu/vol5_7.cfm
Violations may be referred to the Cornell Judicial Administrator, the College Academic Integrity Officer, and/or the employee's supervisor for appropriate disciplinary action.
Password Standards
Cornell ID passwords must consist of:
- At least 8 characters
- At least three of the following four character types:
  - Uppercase letters
  - Lowercase letters
  - Numbers
  - Symbols found on your keyboard, such as ! * - () : | / ?
Avoid
- Words found in the dictionary, including recognized names such as Cornell.
- Names or nicknames of people, pets, or places, or personal information that can be easily found out, such as your address, birthday, or hobbies.
- Embedding your Cornell ID in your password.
- Repeated characters, such as AAA or 555
- Alphabetic sequences, such as abc or CBA
- Numeric sequences, such as 123 or 321
- Common keyboard sequences, such as Qwerty or pas.
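The following is an added example, not part of the policy or any Cornell tool, showing how a service owner could check a candidate password against the rules above. It treats the two "must consist of" rules as hard requirements and the "Avoid" items as advisory findings; the dictionary word list and keyboard-sequence list are constructed stand-ins for whatever lists a real deployment would use.

```python
import re

# Constructed stand-in for a real dictionary; the policy names "Cornell" as one example.
DICTIONARY_WORDS = {"cornell", "password", "welcome", "ithaca", "university"}
# Constructed list of common keyboard sequences; the policy cites "Qwerty".
KEYBOARD_SEQUENCES = ("qwerty", "asdf", "zxcv", "1qaz")


def _has_run(pw):
    """True if any character appears three or more times in a row (AAA, 555)."""
    return re.search(r"(.)\1\1", pw) is not None


def _has_sequence(pw, n=3):
    """True if n consecutive letters or digits step by +1 or -1 (abc, CBA, 123, 321)."""
    for i in range(len(pw) - n + 1):
        chunk = pw[i:i + n]
        if not (chunk.isalpha() or chunk.isdigit()):
            continue
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(pw, netid):
    """Return {'required': [...], 'advisory': [...]}; an empty 'required' list
    means the authentication mechanism would accept the password."""
    required, advisory = [], []
    if len(pw) < 8:
        required.append("fewer than 8 characters")
    classes = [any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    if sum(classes) < 3:
        required.append("fewer than three of the four character types")
    low = pw.lower()
    if netid and netid.lower() in low:
        advisory.append("contains the Cornell ID")
    if any(word in low for word in DICTIONARY_WORDS):
        advisory.append("contains a dictionary word")
    if _has_run(pw):
        advisory.append("repeated characters")
    if _has_sequence(pw):
        advisory.append("alphabetic or numeric sequence")
    if any(seq in low for seq in KEYBOARD_SEQUENCES):
        advisory.append("common keyboard sequence")
    return {"required": required, "advisory": advisory}
```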
Implementation of Password Standards
The password complexity rules are currently enforced technologically for new members of the community: faculty, students and staff. In other words, the authentication mechanisms will not accept new passwords that do not meet these rules. For current members of the community who request a change of password, the same condition applies; they must input a password that meets these requirements. Access to services or applications will not "break" if a user's pre-existing password does not comply with the new rules.
Revocation and Adjustment of Privileges
The University ties information technology services to the role or relationship that the individual has with the university. CIT works with the offices of record, sponsors, and service providers to adjust privileges when the individual's role or relationship changes. Upon request from either the Office of Human Resources for employees or the Registrar for students, CIT will expire the NetID. Expiration results in the immediate revocation of all privileges.
Who is Eligible for a Cornell ID
NetID Eligibility
NetIDs are issued to members of the Cornell community, affiliates, and exceptions with sponsor. A single individual can have only one NetID.
Members of the community: Students, Faculty, Staff and Alumni
NetIDs are automatically issued to faculty and staff upon hire, and to full-time registered students when the deposit is paid. The faculty and staff constituency group includes visiting faculty, professors emeriti, part-time and temporary employees, and retirees who are receiving Cornell benefits. The student category includes part-time extramural students, summer session students, and distance learning students. Upon request alumni can obtain a NetID or have an existing NetID password reset.
Affiliates
Employees of institutions affiliated with Cornell University are eligible for NetIDs. Organizations with formal affiliation agreements are limited to:
- Boyce Thompson Institute
- Cornell United Religious Work
- U.S. Nutrition Lab
- Center for Religion, Ethics and Social Policy
- Military Sciences and their officers (i.e., ROTC)
- Cornell Alumni Federation (publishes Alumni Magazine)
- Palaeontological Research Institute
- Telluride
- Cornell Compact
Exceptions with Sponsor
Unit heads (or their designees) may sponsor the issuance of a NetID to individuals who do work that furthers the mission of Cornell University and when the NetID is essential to the fulfillment of their responsibilities to the University.
The procedure for obtaining a sponsored NetID is provided at:
www.cit.cornell.edu/identity/netid.html#who
Authority to Issue NetIDs
Human Resources Records and the Cornell Information Technologies Contact Center are the only units authorized to issue NetIDs.
Identity Proofing for NetIDs
Government-issued photo identification such as a driver's license or passport is necessary to verify the identity of an individual before a NetID is issued. To issue NetIDs to students who have accepted an offer of admission, the individual must have a record in the authoritative database.
Method of Delivering NetID and Password
When a new NetID is issued to an individual in a remote location, it must be delivered to the postal address of record. For initial password assignment a one-time PIN should be used where available, to avoid password disclosure. If a password is disclosed to a third party at the time of NetID issuance, the individual must be instructed to change the password immediately. A password provided in response to an individual who has forgotten his or her password should be sent to the postal address of record, never through the campus mail.
Exceptions are made only under extreme circumstances and only by the Assistant Director for Identity Management. A request should be submitted in writing, stating the reason for the change, to computer_access@cornell.edu.
NetID Life Cycle
Once a NetID is assigned to an individual, the same sequence of letters and numbers is never reassigned to another individual.
If the individual terminates his or her relationship with Cornell and then returns, the NetID will be reinstated; that is, access privileges will be reinstated according to the current relationship.
The sponsored NetID will be subject to an annual renewal process.
GuestID Eligibility
A GuestID is used to grant individuals temporary access to GuestID-enabled services. A GuestID should be activated only when a person is not eligible for a NetID as a current member of the Cornell community (staff, student, faculty, alumnus, affiliate), or exception with sponsor. If the individual is issued a GuestID and then becomes eligible for a NetID, the GuestID will be expired. A single individual can have only one GuestID.
Authority to Issue GuestIDs
GuestIDs can be self-generated for use with GuestID-enabled services. The self-service application must not be used by members of the campus community to create GuestIDs for other individuals.
Special-purpose Cornell identifiers
A Cornell identifier may be established in order to create a special, shared mailbox, or for the purpose of testing applications. Special-purpose IDs cannot be used in place of an ID used to authenticate an individual for access to production resources or data. The password for special-purpose identifiers can be shared among those who require access to the special mailbox or who require the use of the test identifier.
Questions of Eligibility
Questions about eligibility for Cornell-issued electronic identifiers should be escalated by submitting a request to computer_access@cornell.edu.
