Local accounts
Department policy on use of local accounts on department systems
Reviewed by Brian White, 9/13/2012
This page describes department policies with regard to the use of local accounts on department computers. In general, they should be avoided. This article describes the problems with local accounts, explains what to do if you already have them, and offers some alternatives.
Problems with local accounts
The biggest problem with local accounts is that they are not subject to the same password complexity or expiration rules that govern our other accounts. Users have to choose to use good passwords, and they don't always do that. As a result, on several occasions hackers have compromised local accounts by guessing their passwords. They were then able to use the compromised systems as a base of attack on other University systems.
Since local accounts are not guaranteed to comply with campus or department policies for password complexity or expiration, using these accounts should be avoided except when there is no viable alternative. However, we recognize that there may well be cases where a local account is necessary. We in Computer Services are most concerned about local accounts on systems that we administer, because we are responsible for these systems and because the systems we administer are trusted to some extent by other systems in the department and on campus.
Local accounts that 1) are on department-supported systems located in the department (as opposed to laptops or home systems), and 2) are set up for people who do not have department accounts, are particularly egregious: they are not only security issues, but also a way of avoiding Computer Services fees, which help to pay staff salaries.
If you already have local accounts
If you have already set up local accounts on department systems, please either delete them or let Computer Services know about them. We'll need to know the name and operating system of the computer, as well as the name and the purpose of the account. If the account does not have a strong password, please change it as soon as possible. Department standards for strong passwords are given at http://www.cs.unc.edu/cms/help/help-articles/webpass. As indicated above, our standards are the same as campus standards, except the department requires at least a 12-character password that you change every 12 months. (Just think "twelve and twelve".) Campus passwords must be at least eight characters, and must be changed every 90 days. Research shows the department's standard is more secure.
Alternatives to local accounts
To reduce the need for local accounts on department-administered systems, we are now providing free temporary and special-purpose accounts. A temporary account may be requested by any of our users for use in department-related business (research, education, or service). Special-purpose accounts may be needed to run a particular piece of software or for various other reasons. The advantage of both the temporary and special-purpose accounts that are set up by Computer Services is that they are subject to the same password rules as our other accounts, and hence they are not an additional security threat. For details on requesting and using these accounts, see http://www.cs.unc.edu/cms/help/help-articles/temporary-and-special-purpose-accounts.

