Strong Passwords

U4: Passwords used on all systems for Harvard business should be of sufficient length and complexity to reasonably protect them from being guessed by humans or computers. Further, users must leverage multi-factor authentication (two-step verification) wherever supported. (Harvard systems behind HarvardKey authentication will meet our length, complexity, and multi-factor standards.)

Different Passwords

U3: Different passwords must be used for Harvard and non-Harvard accounts.

Protect Passwords

U2: All passwords and other access credentials must be protected. They must never be stored in plaintext and must not be stored directly in scripts or configuration files.

No Shared Passwords

U1: Users’ passwords and other access credentials must never be shared.

Malware detection and endpoint detection and response

SA10: All servers must run malware detection and endpoint detection and response software with up-to-date signature files, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

Stored passwords

SA7: Systems that manage user passwords and other access credentials must be designed in such a way that the passwords are not retrievable by administrators.

Configure Devices

All devices must be configured for secure storage, transport, and disposal of confidential information.

Complex passwords

SA2: Servers and applications that manage passwords must force the setting of a complex password. Further, they must enforce multi-factor authentication where technically possible. Complexity and reset frequency must meet the following requirements where technically feasible (consult the Security office if the following requirements are not technically feasible):... Read more about Complex passwords