On September 1, 2027, there will be changes to Penn's IT Security Policy regarding the storage and use of passwords in scripted and/or programmatic authentication scenarios. See below for details.
Who's Affected
- Developers and system administrators
Scope of the Policy Changes
Applies to passwords/secrets used for interactive and non-interactive authentication, such as:
- Automated processes
- Application integration points
- API credentials
- Private keys and passwords used in automated tasks
Interactive Authentication Requirements
- Devices and services that use passwords for authentication must be secured with strong passwords or passphrases
- For those accessing "high-risk" data, strong authentication is mandatory
- Passwords must be encrypted both in transit and at rest
- Whenever possible, PennKey should be used for user authentication; if PennKey is not an option, passwords must be cryptographically hashed and salted according to industry standards
Non-Interactive Authentication Requirements
- Policy applies to secrets used for non-interactive authentication, such as API credentials, SSH private keys, client keys, or passwords
- These secrets must be encrypted both in transit and at rest whenever possible
- Unencrypted secrets should never be hard-coded into the application's source code or stored in the source code repository, except when the application handles only Low-Risk data
- All application integration points must require authentication using a strong password, client certificate, SSH public key, Kerberos principal, or an equally robust method
Examples of Compliance
- Cloud workloads where credentials are encrypted before use
- Applications retrieving secrets from secure vaults or encrypted storage
Security Best Practices
- Do not embed passwords in source code
- Avoid storing passwords in version control systems
Benefits
- Improves the overall security posture around automation and application authentication
- Protects against modern password attacks
Help & Resources
- Developers and system administrators may contact ISC Client Care for assistance
- See the IT Policy Committee website
- See the "Authentication" and "Passwords" sections on the IT Security Policy page