Passwords are used as a method to authenticate a user. They consist of a combination of letters, numbers, and special characters that are only to be known by the user for a specific account. Loss of the secret password can result in the account being used by an unauthorized individual to gain access to protected information.
Common methods cyber criminals use to compromise an account can include guessing the password or using social engineering to trick the user into providing their password. Creating a password which is difficult to guess, using different passwords for each account, changing the password often, keeping the password confidential, and awareness of social engineering tactics are measures that are needed to reduce the risk of an account being compromised. As the majority of University information resources are accessed via username and password, the passwords must be strong and confidential. Account holders must protect the confidentiality of their passwords and use strong passwords that cannot easily be guessed or otherwise compromised.
All account holders must adhere to the UW-Whitewater Minimum Passwords Standards for all systems and applications that access UW-Whitewater data or resources.
Non-UW-Whitewater Net-ID passwords, such as local system passwords, must meet or exceed the UW-Whitewater Net-ID Minimum Password Standards.
All devices and systems connected to the UW-Whitewater which use passwords will require that the passwords fulfill the UW-Whitewater Minimum Password Standards.
If a system does not have the technical capability to meet the UW-Whitewater Minimum Password Standards, the system must be protected by other means, such as, but not limited to, a dedicated firewall, limited network access or multi-factor authentication
Account Holder: Faculty, staff, students and other authorized users (as defined by the Network Infrastructure Use Policy) who have been issued a UW-Whitewater credential.
Authentication: The process of establishing confidence in the identify of a user or information system.
Authenticator: The means to confirm the identity of a user, process, or device. Examples include, but are not limited to user password, passphrase, or token.
Protected Data: Any UW-Whitewater data and resources assigned a classification level other than public, as defined in the UW-Whitewater Instructional, Communication, and Information Technology (ICIT) Information Asset Classification Policy.
User ID: Unique identifier assigned to a user or process. Examples include, but are not limited to account names, Net-ID, or certificate.
UW – Whitewater credential: Authentication mechanism or identifier provided by the UW - Whitewater to an authorized individual which grants access to protected information resources. This includes, but is not limited to, Net-IDs, token, biometrics, proximity or access cards, etc.
UW-Whitewater credentials and accounts which use passwords, and are used for access to UW-Whitewater information resources, require the following minimum password standards:
Any attempt to create or change a password to one that does not meet the UW-Whitewater Minimum Password Standards will result in rejection of the creation of or change to the password.
Accounts with expired passwords will be denied access by participating systems.
Accounts shall be temporarily locked after seven (7) incorrect password login attempts. Accounts can be automatically unlocked after a period of not less than 30 minutes.
Default passwords for user accounts must be changed either on the first use or, if that is not technically feasible, within thirty days of the first use.
Accounts with access to protected data must re-authenticate after 30 minutes of inactivity.
Individuals with access to protected data must not use a shared account.
Passwords used to access sensitive systems and/or data must meet appropriate standards for those particular systems and/or data.
Account holders must protect their passwords by:
If the account credentials of a user or system have been disclosed or otherwise compromised, the password must be changed immediately.
The UW - Whitewater reserves the right to:
This document will be reviewed on an annual basis, or as deemed necessary.
|06/13/2006||University Technology Committee (UTC).||Original Policy||Original policy approved by the University Technology Committee (UTC).|
|02/03/2008||Executive Tier Committee||Revised||
Revised policy approved by the Executive Tier Committee:
Updated to include references and minimum password requirements contained in the September 14, 2016 version of the University of Wisconsin System Administrative Information Security Authentication Policy (1030) and Procedure (1030.A) documents. Changes include:
Other changes to the document include:
Title: University of Wisconsin - Whitewater Minimum Password Standards
Effective Date: June 15, 2017
Responsible Officer: UW-Whitewater Assistant Vice Chancellor / CIO
Responsible Office: UW-Whitewater ICIT
Last Reviewed: June 15, 2017
Global policies are maintained to set guidelines expected behavior of all campus community members while using shared network and computer resources.