Login   |   Secure Purdue > Information Security Standards

Login Process

  1. Unique User-ID and Password Required

    All users must have their identity verified with a unique User-ID and secret password--or by other means which provide equal or greater security--prior to being permitted to use computers connected to the Purdue network. This policy does not imply single sign-on.

    Audience: End Users, Management, Technical

  2. Disclosure of Incorrect Log-In Information

    When logging into a system, if any part of the log-in sequence is incorrect, the user must not be given specific feedback indicating the source of the problem. Instead, the user must simply be informed that the log-in process was incorrect.

    Audience: Technical

  3. Appropriate Use of System Log-In Banner

    Every log-in process for multi-user computers must include a log-in banner. All log-in banners on network-connected systems must simply ask the user to log in, providing prompts as needed. Specific information about the organization, the computer operating system, the network configuration, or other internal matters must not be provided in the log-in banner until a user has successfully provided both a User-ID and a password. The following warning banner must be used when users connect to computer networks: "Unauthorized access or misuse of computer resources or disclosure of sensitive information may result in disciplinary or legal action."

    Audience: Technical

  4. Leaving Computing Systems and Personal Computers Connected to the Network Unattended

    Staff using Purdue computers and/or workstations must activate and utilize a password protection method to secure their workstation. It is expected that any user of one of these devices will activate a lock facility prior to leaving the machine unattended.

    Audience: End Users, Management, Technical

  5. Limit on Consecutive Unsuccessful Attempts to Log-In

    To prevent password guessing attacks, the number of consecutive attempts to enter an incorrect log-in ID or password must be strictly limited. After three unsuccessful attempts to enter a log-in ID or password, the involved User-ID must be either: (a) suspended until reset by a system administrator, (b) temporarily disabled for no less than 15 minutes, or (c) if dial-up or other external network connections are involved, disconnected.

    Audience: Technical
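
An added example, not part of the Purdue standard: one way a log-in routine can meet items 2 and 5 together, giving the same feedback for every failure and disabling a User-ID for 15 minutes after three consecutive failures (option b). The `LoginGate` class, its in-memory stores, the message text and the PBKDF2 hashing are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 3             # item 5: three unsuccessful attempts
LOCKOUT_SECONDS = 15 * 60    # item 5(b): disabled for no less than 15 minutes
GENERIC_FAILURE = "Login incorrect."   # item 2: never says which part was wrong

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginGate:
    """Hypothetical in-memory login check; a real system would persist this state."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}          # user_id -> (salt, password hash)
        self.failures = {}       # user_id -> consecutive failure count
        self.locked_until = {}   # user_id -> time the temporary disable ends
        self._dummy_salt = os.urandom(16)

    def add_user(self, user_id, password):
        salt = os.urandom(16)
        self.users[user_id] = (salt, _hash(password, salt))

    def login(self, user_id, password):
        now = self.clock()
        # Hash even for unknown IDs so response time does not reveal
        # whether the User-ID or the password was the incorrect part.
        salt, stored = self.users.get(user_id, (self._dummy_salt, b""))
        ok = hmac.compare_digest(_hash(password, salt), stored)
        # A disabled ID gets the same generic answer, even with the right password.
        if now < self.locked_until.get(user_id, 0):
            return False, GENERIC_FAILURE
        if ok:
            self.failures.pop(user_id, None)   # only consecutive failures count
            return True, "Login successful."
        # Unknown IDs are counted and locked too, so lockout behaviour
        # cannot be used to tell valid IDs from invalid ones.
        count = self.failures.get(user_id, 0) + 1
        self.failures[user_id] = count
        if count >= MAX_FAILURES:
            self.locked_until[user_id] = now + LOCKOUT_SECONDS
            self.failures.pop(user_id, None)
        return False, GENERIC_FAILURE
```

Because failures are recorded for any submitted ID, a deployment would bound or expire the `failures` and `locked_until` tables.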