Minimum Password Standards

Policy Statement

Account holders must protect the confidentiality of their passwords and use strong passwords that cannot easily be guessed or otherwise compromised.

Reason for Policy

  • The purpose of this policy is to provide guidance to account holders regarding passwords in order to protect individual and University information and resources.
  • Access to and protection of University information resources should be consistent with the mission of the University. Since the majority of University information resources are accessed via username and password, passwords must be strong and confidential.

Policy Requirements

Net-ID passwords must meet the following minimum standards:

  • Passwords must be at least eight (8) characters long.
  • Passwords must contain at least one (1) character from each of the following categories:
    • Upper case letters (A-Z)
    • Lower case letters (a-z)
    • Numeric digits (0-9)
  • Passwords must not contain a series of 3+ recurring characters (e.g. "aaa" or "999")
  • Passwords must not resemble the Net-ID or name of the account holder.
  • Passwords must not be any of the account's four (4) prior passwords.

Account holders must change their Net-ID password at least once every 180 days.

  • Account holders may change their password at any time. It is not necessary to wait for expiration.

Non Net-ID passwords (such as local system passwords) must meet or exceed the Net-ID Minimum Password Standards.

Passwords used to access sensitive systems and/or data must meet appropriate standards for those particular systems and/or data.

Related Policy Information

The University reserves the right to:

  • Suspend account holders' access to preserve the confidentiality, integrity and availability of the University's network, systems or information
  • Periodically audit passwords for compliance

Consequences for non-compliant passwords include:

  • Attempts to create or change a password to one that does not meet the Minimum Password Standards will result in rejection of the change to the password.
  • Accounts with expired passwords will be denied access by participating systems.

Scope and Exclusions

  • All account holders must adhere to the Minimum Passwords Standards for all systems and applications that come into contact with University resources.
  • All devices and systems connected to the University network must require passwords meeting the Minimum Password Standards and, if possible, technically enforce them.
    • If a system cannot meet the Minimum Password Standards, the system must be protected by other means, such as, but not limited to, a dedicated firewall, limited network access or multi-factor authentication.

Office / Unit NameContact Name, TitlePhoneEmail
ICIT / CIO Office Elena Pokot, CIO Ext. 5088 icit-office@uww.edu
ICIT Security Office Christian Schreiber, IT Policy and Security Officer Ext. 7792 security@uww.edu
ICIT HelpDesk Lisa Rowland, HelpDesk Manager Ext. HELP (4357) helpdesk@uww.edu
Definitions
WordDefinition
Account Holder Faculty, staff, students and other authorized users (as defined by the Network Infrastructure Use Policy) who have been issued a UW-Whitewater Net-ID.
Responsibilities
Area of ResponsibilityResponsibility
ICIT implements the technical infrastructure that enables and enforces the Minimum Password Standards
ICIT Security Office Facilitates the development of policies and develops procedures and guidelines, which manage password usage and practices.
Account Holders Account holders must protect their Net-ID passwords by:
  • Not divulging password information to any other entity.
  • Not leaving password information unprotected (such as writing passwords down and leaving in an unsecured area).
  • Not using a password based on a dictionary word or other easily-guessed word.
History
DateRevision(s)
June 13, 2006 Original policy approved by UTC
February 3, 2008 Revised policy approved by Executive Tier Committee:
  • Updated formate to new policy template
  • Updated minimum standards to require eight characters and combination of uppercase, lowercase and numeric characters
  • Added requirement prohibiting series of 3+ sequential characters
  • Added requirement that passwords not resemble Net-ID or name of account holder
  • Added consequences for non-compliance to Related Policy Information
  • Defined policy scope
  • Added exclusion for systems that cannot meet minimum standards
  • Added contact information
  • Defined account holders
  • Defined responsibilities

Title: Minimum Password Standards
Effective Date: February 5, 2008
Responsible Officer: Assistant Vice Chancellor / CIO
Responsible Office: ICIT
Last Reviewed: February 5, 2008
Version: 003