Standard for Identification, Authentication, and Passwords
Introduction
User authentication is a means to control who has access to information resources. The confidentiality, integrity, and availability of information can be lost when access is gained by an unauthorized entity. This, in turn, may result in loss of revenue, liability, loss of trust, or embarrassment to the university. Authentication factors include something you know, something you have, and something you are. This standard defines the minimum requirements for authentication.
Minimum Password Standards
All systems shall have passwords that conform to the following password rules:
- Not contain any part of the user's account name, PIDM, SSN, or date of birth
- Be at least eight characters in length
- Contain characters from three of the following four categories:
  - English uppercase characters (A through Z)
  - English lowercase characters (a through z)
  - Base 10 digits (0 through 9)
  - Non-alphabetic characters (for example: !, $, #, %)
Privileged Account Password Standard
Accounts with privileged or administrative access to a resource will conform to the standard above, but must have a minimum length of 12 characters.
Service Account Password Standard
Service account passwords may be set to never expire but must have a minimum password length of 20 characters and must be randomly generated using the complexity standards above.
Service account passwords must be changed when any employee with access to those passwords is terminated from employment with the university.
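As an added example that is not part of the standard, the following Python code checks a candidate password against the minimum, privileged, and service account rules above and randomly generates a conforming service account password. The `MIN_LENGTH` map, the `check_password` and `generate_service_password` names, and the reading of "any part" as a run of three or more consecutive characters are assumptions made here.

```python
import re
import secrets
import string

# Constructed example implementing this standard's password rules.
# Minimum lengths per account class come straight from the standard.
MIN_LENGTH = {"user": 8, "privileged": 12, "service": 20}

# The four character categories; a conforming password uses at least three.
CATEGORIES = (
    string.ascii_uppercase,  # English uppercase A-Z
    string.ascii_lowercase,  # English lowercase a-z
    string.digits,           # base 10 digits 0-9
    string.punctuation,      # non-alphabetic characters such as ! $ # %
)

def category_count(password):
    """Count how many of the four character categories appear in the password."""
    return sum(any(ch in cat for ch in password) for cat in CATEGORIES)

def contains_part(password, value, run=3):
    """Assumption: 'any part' means any run of three or more consecutive characters.
    Separators are stripped so a DOB of 1990-03-12 also blocks '0312'."""
    forms = {value.lower(), re.sub(r"\W", "", value).lower()}
    pw = password.lower()
    return any(f[i:i + run] in pw for f in forms for i in range(len(f) - run + 1))

def check_password(password, account="user", account_name="", pidm="", ssn="", dob=""):
    """Return the list of rule violations; an empty list means the password conforms."""
    problems = []
    if len(password) < MIN_LENGTH[account]:
        problems.append(f"shorter than {MIN_LENGTH[account]} characters")
    if category_count(password) < 3:
        problems.append("uses fewer than three of the four character categories")
    personal = (("account name", account_name), ("PIDM", pidm),
                ("SSN", ssn), ("date of birth", dob))
    for label, value in personal:
        if value and contains_part(password, value):
            problems.append(f"contains part of the {label}")
    return problems

def generate_service_password(length=MIN_LENGTH["service"]):
    """Draw from the OS CSPRNG (secrets) and retry until the candidate conforms,
    so service account passwords are both random and complexity-compliant."""
    alphabet = "".join(CATEGORIES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate, "service"):
            return candidate
```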
Windows Local Administrator Passwords
Local administrator passwords on university systems will be different on each system. These passwords must comply with the minimum password standards and be changed every 120 days.
Password History
Password history must be maintained in a manner that prohibits the 10 previous passwords from being reused.
Password Expiration
Passwords must expire after 120 days.
Password Confidentiality
Stored passwords must be encrypted or hashed with an appropriately effective algorithm.
Passwords must be treated as confidential information. Passwords may not be shared with or revealed to anyone.
Passwords should never be transmitted as plain text.
If the security of a password is in doubt, the password must be changed immediately.
If a password has been compromised, the incident should be reported to the Information Security Office immediately.
Passwords may not be embedded in scripts, or hard-coded in client software for systems that process/store critical and/or confidential data. Exceptions may be made for specific applications (like automated backup) with the approval of the information resource owner.
New Password Issuance
Passwords created by the help desk or other password-issuing entity must be completely random and not based on any information about the user. These passwords must conform to the minimum password standards described above.
Automated password-issuing systems must generate random passwords. These passwords must conform to the minimum password standards described above.
Users of university systems must be forced to change their password upon first login to the system after a new password has been issued.
Failed Logon Response
University resources must be configured, where possible, to lock out users after 10 unsuccessful login attempts.
Upon being locked out, the user must not be automatically unlocked for a minimum of 15 minutes.
Screen and Service Locking
Computing devices must have timed screen-lock or auto logout configured to engage after a period of 30 minutes of inactivity. The exception to this is presentation and classroom systems where a screen lock would cause disruption. In this case, the timer may be extended to minimize disruption.
Self-Service Password Reset
Self-service password management tools must use at least one of the following factors to authenticate users attempting to reset passwords, listed in order of preference:
- Multifactor authentication mechanism (physical token, Duo, Azure MFA, etc.)
- Token sent via text message to a pre-configured mobile number
- Token sent via email to a pre-configured secondary email address
- Pre-configured security questions
Systems relying on security questions to reset passwords must have a brute-force prevention mechanism in place.
Self-service password management and automated password generation tools should have, where the capability exists, auditable transaction logs containing information such as:
- Time and date of password change, expiration, administrative reset;
- Type of action performed; and,
- Source system (e.g., IP and/or MAC address) that originated the change request.
Manual Password Reset
Users requesting a password reset must be positively identified via one of the following mechanisms, in preferential order:
- Visual verification of University or government issued identification card
- Verification of preconfigured security questions
- Verification of personal information (last 4, address, phone number)