Minimum Password Standards

Approved: June 15, 2017

Purpose

Passwords are used as a method to authenticate a user. They consist of a combination of letters, numbers, and special characters that are only to be known by the user for a specific account. Loss of the secret password can result in the account being used by an unauthorized individual to gain access to protected information.

Common methods cyber criminals use to compromise an account can include guessing the password or using social engineering to trick the user into providing their password. Creating a password which is difficult to guess, using different passwords for each account, changing the password often, keeping the password confidential, and awareness of social engineering tactics are measures that are needed to reduce the risk of an account being compromised. As the majority of University information resources are accessed via username and password, the passwords must be strong and confidential. Account holders must protect the confidentiality of their passwords and use strong passwords that cannot easily be guessed or otherwise compromised.

Scope

All account holders must adhere to the UW-Whitewater Minimum Passwords Standards for all systems and applications that access UW-Whitewater data or resources.

Non-UW-Whitewater Net-ID passwords, such as local system passwords, must meet or exceed the UW-Whitewater Net-ID Minimum Password Standards.

All devices and systems connected to the UW-Whitewater which use passwords will require that the passwords fulfill the UW-Whitewater Minimum Password Standards.

If a system does not have the technical capability to meet the UW-Whitewater Minimum Password Standards, the system must be protected by other means, such as, but not limited to, a dedicated firewall, limited network access or multi-factor authentication

Definitions

Account Holder: Faculty, staff, students and other authorized users (as defined by the Network Infrastructure Use Policy) who have been issued a UW-Whitewater credential.

Authentication: The process of establishing confidence in the identify of a user or information system.

Authenticator: The means to confirm the identity of a user, process, or device. Examples include, but are not limited to user password, passphrase, or token.

Protected Data: Any UW-Whitewater data and resources assigned a classification level other than public, as defined in the UW-Whitewater Instructional, Communication, and Information Technology (ICIT) Information Asset Classification Policy.

User ID: Unique identifier assigned to a user or process. Examples include, but are not limited to account names, Net-ID, or certificate.

UW – Whitewater credential: Authentication mechanism or identifier provided by the UW - Whitewater to an authorized individual which grants access to protected information resources. This includes, but is not limited to, Net-IDs, token, biometrics, proximity or access cards, etc.

Password Requirements

UW-Whitewater credentials and accounts which use passwords, and are used for access to UW-Whitewater information resources, require the following minimum password standards:

• Passwords must have a minimum length of at least 14
• Passwords must contain at least one (1) element from each of the following three (3) categories:
  • Upper case letters (eg. A-Z)
  • Lower case letters (eg. a-z)
  • Numeric digits (eg. 0-9)   
• • Passwords may contain at least one (1) non-alphabetic, or special character (e.g. ~ ` @ # $ % ^ & * + = ( ) \ | [ ] { } ? < > )
• Passwords must not contain a series of three or more (3+) recurring characters (e.g. "aaa" or "999")
• • Passwords must not resemble the user ID or name of the account holder
• Password history requirements, such that either:
  • Passwords must not be any of the account's four (4) prior passwords within the previous year (365 days); or 
  • Passwords must not be the same as any of the last 24 passwords for that account   
• Passwords must be changed at least once every 180 days
  • Account holders may change their password prior to the expiration date, as it is not necessary to wait for the password to expire to change the password
  • If the password is not changed within 180 days, the password will expire

Any attempt to create or change a password to one that does not meet the UW-Whitewater Minimum Password Standards will result in rejection of the creation of or change to the password.

Accounts with expired passwords will be denied access by participating systems.

Accounts shall be temporarily locked after seven (7) incorrect password login attempts. Accounts can be automatically unlocked after a period of not less than 30 minutes.

Default passwords for user accounts must be changed either on the first use or, if that is not technically feasible, within thirty days of the first use.

Accounts with access to protected data must re-authenticate after 30 minutes of inactivity.

Individuals with access to protected data must not use a shared account.

Passwords used to access sensitive systems and/or data must meet appropriate standards for those particular systems and/or data.

Account holders must protect their passwords by:

• Not divulging password information to any other entity
• Not using the same password for more than one (1) account
• Not using a password based on, or containing, a dictionary word or other easily-guessed word or series of characters (e.g. “Qwerty”, “123456789”, or “abcdefgh”)
• Not leaving password information unprotected, including but not limited to writing passwords down and leaving in an unsecured area, or communicating a password via telephone, email, or messaging
• Not providing the password in a clear-text authentication method, such as over an unencrypted web page, such as HTTP, or insecure login protocol, such as Telnet or FTP.

If the account credentials of a user or system have been disclosed or otherwise compromised, the password must be changed immediately.

Compliance

The UW - Whitewater reserves the right to:

• Suspend account holders' access to preserve the confidentiality, integrity and availability of the University's network, systems or information
• Periodically audit passwords for compliance

Related Documents

• University of Wisconsin - Whitewater Authentication Policy
• University of Wisconsin - Whitewater Information Asset Classification Policy       
• University of Wisconsin System Administrative Policy 1030 - Information Security: Authentication    
• University of Wisconsin System Administrative Procedure 1030.A - Information Security: Authentication 

Scheduled Review

This document will be reviewed on an annual basis, or as deemed necessary.

Revision/Review Log

Date	Approver	Action	Decription
06/13/2006	University Technology Committee (UTC).	Original Policy	Original policy approved by the University Technology Committee (UTC).
02/03/2008	Executive Tier Committee	Revised	Revised policy approved by the Executive Tier Committee: Updated format to new policy template Updated minimum standards to require eight characters and combination of uppercase, lowercase and numeric characters Added requirement prohibiting series of 3+ sequential characters Added requirement that passwords not resemble Net-ID or name of account holder Added consequences for non-compliance to Related Policy Information Defined policy scope Added exclusion for systems that cannot meet minimum standards Added contact information Defined account holders Defined responsibilities
06/15/2017		Revised	Updated to include references and minimum password requirements contained in the September 14, 2016 version of the University of Wisconsin System Administrative Information Security Authentication Policy (1030) and Procedure (1030.A) documents.  Changes include: Updated minimum password length from 8 to 12 Updated password composition to Include non-alphabetic characters Updated password history requirements Added account lockout after seven (7) invalid password attempts Added requirement to change default passwords Added requirement for inactivity timeout period Added requirement for not using a shared account Added requirement for immediately changing the password of a disclosed or compromised account credential Added requirement for not communicating a password via telephone, email or messaging Added requirement for not using the same password for more than one (1) account   Other changes to the document include: Included additional definitions Added Related Documents section

Title:   University of Wisconsin - Whitewater Minimum Password Standards
Effective Date:   June 15, 2017
Responsible Officer:   UW-Whitewater Assistant Vice Chancellor / CIO
Responsible Office:   UW-Whitewater ICIT
Last Reviewed:   June 15, 2017
Version:   004