====== Password Policy ====== ===== General ===== Protecting the password from unauthorized use is the responsibility of the account owner. If a password is compromised, the owner should change it immediately and report the event to AceLab IT. Slack is a totally inappropriate way to request a password change or any configuration change. IT has a requirement to manage and track changes. All requests need to be put into Redmine: https://redmine.cbrain.mcgill.ca/ ===== MCIN Password ===== A MCIN employee can change their MCIN password at any time https://ace-ldap-1.cbrain.mcgill.ca/fusiondirectory/recovery.php by entering the email address the directory has for them. Periodically changing this password is strongly recommended. This password need to be 10 characters long. ===== Local Passwords on New VMs ===== Virtual machines often have local accounts, for example "lorisadmin". When these accounts are set up, a temporary password will be set and communicated to the requester by Slack, text message, telephone or paper, never by email or in the ticket which requested the account. The requester will be forced to change the password on first login. It is the responsibility of the requester to *securely* communicate the password to any other users who need to use it. Sharing accounts is discouraged but is sometimes necessary with our current infrastructure. On a personal development VM, the owner can change their password as often as they like. ===== Forgotten or Lost Local Passwords ===== If a local password is forgotten or lost (these things happen), it can be reset as follows: - the user puts a ticket in Redmine saying which account needs to be reset on which server/VM and how they want the new password to be communicated to them (Slack, text message, phone call, or paper). - a member of IT will change the password to a temporary one and communicate it to the user - the user logs in with the temporary password and the system will force them to change the password (the password complexity requirements vary by system) - if there are other users who use this account, the user *securely* communicates the password to them. The best ways are in person or by secure text message (e.g. Signal). Do not use email to send passwords and never put the password in the ticket.
