IT Password Standards
Overview
This standard sets the authentication requirements for university accounts in order to protect the confidentiality, integrity, and availability of university data and technology resources. The requirements vary by account type and risk level, reflecting both the mitigation currently provided by multi-factor authentication (MFA) and the known risks to each class of account.
Policy Reference
- APM 30.15 Password and Authentication Policy
- APM 30.10 Identity and Access Management Policy
- APM 30.11 University Data Classification and Standards
Scope
These standards establish password requirements for all university faculty, staff, students, and affiliates accessing, storing, and processing UI data or using UI technology resources at any data classification level. Effective date: April 16, 2019.
Standards
- Length and Expiration Standards for Individual Accounts
- Low Risk (ex. Student) password requirements for length and expiration:

Authentication Factors | Minimum characters | Expiration |
---|---|---|
With Duo Mobile or hardware factors only | 12 characters | indefinite |
With All MFA types | 12 characters | 400 days |

- Moderate Risk (ex. most Faculty & Staff) password requirements for length and expiration:

Authentication Factors | Minimum characters | Expiration |
---|---|---|
With Duo Mobile or hardware factors only | 12 characters | indefinite |
With All MFA types | 12 characters | 400 days |

- High Risk password requirements for length and expiration:

Authentication Factors | Minimum characters | Expiration |
---|---|---|
With Duo Mobile or hardware factors only | 12 characters | 1095 days |
With All MFA types | 12 characters | 90 days |
- Length and Expiration for Shared/Functional/Privileged Accounts
- Shared account password requirements for length and expiration:

Risk | Authentication Factors | Minimum characters | Expiration |
---|---|---|---|
Low | With Duo Mobile or hardware factors only | 12 characters | indefinite |
Low | With All MFA types | 12 characters | 400 days |
Moderate or High | With Duo Mobile or hardware factors only | 12 characters | 1095 days |
Moderate or High | With All MFA types | 12 characters | 90 days |

- Functional account password requirements for length and expiration:

Risk | Authentication Factors | Minimum characters | Expiration |
---|---|---|---|
Any | With Duo Mobile or hardware factors only | 30 characters | 1825 days |
Any | MFA Blocked | 30 characters | 1825 days |

- Privileged account password requirements for length and expiration:

Risk | Authentication Factors | Minimum characters | Expiration |
---|---|---|---|
High | With Duo Mobile or hardware factors only, or MFA Blocked | 12 characters | 400 days |
- Password aging, history, and dictionary requirements
- Password aging: there is no minimum password age. A new password may be changed immediately after the previous change.
- Password history, or limits on reuse of previous passwords: systems must be configured to prevent re-use of at least the last 24 passwords. Where a system does not support this, it must be reviewed and approved by the ITS Security Office and any identified risks appropriately mitigated.
- Dictionary requirements:
- Standard dictionary checks on passwords are no longer required for individual UI passwords protected by MFA.
- Where systems support such use, dictionaries of known bad passwords must be checked to prevent use of susceptible passwords.
- Multifactor authentication requirements for systems

System | Additional Authentication Factors Required |
---|---|
High Risk | Yes |
Moderate Risk | Yes, where password is Internet-exposed |
Low Risk | At discretion of system owner |

- Hardware factors currently supported:
- HOTP tokens provided and assigned by ITS, including those branded by Duo or Feitian
- Universal 2nd Factor (U2F) tokens supported by Duo, including YubiKeys
- Mobile devices, including mobile phones and tablets, that access or process UI data, or that provide local authentication to UI data classified as Moderate or High risk, are required to enforce a PIN and/or biometric authenticator.
- Mobile device password/PIN standards shall be:
- A minimum of 6 digits or characters
- No repeating or sequential PINs (e.g., 123456, 999999)
- Automatic lock or erase after multiple bad authentication attempts
- ITS requires use of ITS-managed Application Protection, or Mobile Device Management to ensure security of UI data and meet this and other requirements, where data is processed at the Moderate or High classification level.
- Where laptop computers are configured with ITS-approved biometric authentication, they shall also be required to meet ITS mobile device standards for authentication with PIN.
- Approved biometrics include, but are not limited to:
- Apple Face ID or Fingerprint
- Windows Hello face or fingerprint recognition, including the Windows Hello convenience PIN
- Android biometrics
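The history, known-bad dictionary and mobile PIN rules above are the parts of this standard a system owner actually has to implement, and two of them are easy to get wrong: a password history kept as plaintext or as unsalted fast hashes is a crackable list of the user's old passwords, and a "sequential" check that only looks for 123456 misses 654321. The Python below is an added illustration written for this page, not ITS's own code. The 12-character minimum, the 24-entry history, the 6-character PIN minimum and the repeating/sequential rule come from the standard; the PBKDF2 parameters, the 10-attempt lockout threshold and the three-entry known-bad list are assumptions or constructed stand-ins.

```python
"""Checks for the password history, known-bad dictionary and mobile PIN
rules in this standard. Added illustration for this page, not ITS code."""
import hashlib
import hmac
import secrets

MIN_PASSWORD_LEN = 12     # individual and shared accounts (functional accounts: 30)
HISTORY_DEPTH = 24        # prevent re-use of at least the last 24 passwords
MIN_PIN_LEN = 6           # mobile device PIN
MAX_PIN_ATTEMPTS = 10     # assumed: the standard sets no number
PBKDF2_ROUNDS = 100_000   # assumed: any slow salted password hash will do

# Constructed stand-in for a known-bad password dictionary; a real deployment
# loads a breach-derived corpus with millions of entries.
KNOWN_BAD = {"password1234", "changeme2019", "letmein12345"}


def derive(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Salted slow hashes of an account's most recent passwords, oldest first.
    Never keep history as plaintext or unsalted fast hashes."""

    def __init__(self, depth: int = HISTORY_DEPTH) -> None:
        self.depth = depth
        self._entries: list[tuple[bytes, bytes]] = []

    def was_used(self, candidate: str) -> bool:
        # Each entry has its own salt, so the candidate is re-derived per entry.
        return any(hmac.compare_digest(derive(candidate, salt), digest)
                   for salt, digest in self._entries)

    def record(self, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._entries.append((salt, derive(password, salt)))
        del self._entries[:-self.depth]   # keep only the newest `depth` entries


def check_password(candidate: str, history: PasswordHistory,
                   known_bad: set[str] = KNOWN_BAD,
                   min_len: int = MIN_PASSWORD_LEN) -> list[str]:
    """Return the rules the candidate violates; an empty list means accepted."""
    problems = []
    if len(candidate) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if candidate.lower() in known_bad:
        problems.append("appears in the known-bad password dictionary")
    if history.was_used(candidate):
        problems.append(f"matches one of the last {history.depth} passwords")
    return problems


def is_repeating(pin: str) -> bool:
    return len(pin) > 0 and len(set(pin)) == 1                 # 999999


def is_sequential(pin: str) -> bool:
    # Every adjacent pair steps by exactly +1 or exactly -1: 123456, 654321, abcdef.
    steps = {ord(b) - ord(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def check_pin(pin: str, min_len: int = MIN_PIN_LEN) -> list[str]:
    problems = []
    if len(pin) < min_len:
        problems.append(f"shorter than {min_len} digits or characters")
    if is_repeating(pin):
        problems.append("repeating PIN")
    if is_sequential(pin):
        problems.append("sequential PIN")
    return problems


class PinGuard:
    """Verifies a device PIN and locks after MAX_PIN_ATTEMPTS failures."""

    def __init__(self, pin: str, max_attempts: int = MAX_PIN_ATTEMPTS) -> None:
        problems = check_pin(pin)
        if problems:
            raise ValueError("PIN rejected: " + ", ".join(problems))
        self._salt = secrets.token_bytes(16)
        self._digest = derive(pin, self._salt)
        self.max_attempts = max_attempts
        self.failures = 0
        self.locked = False

    def verify(self, attempt: str) -> str:
        """Return 'ok', 'wrong' or 'locked'; a success resets the failure count."""
        if self.locked:
            return "locked"
        if hmac.compare_digest(derive(attempt, self._salt), self._digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.locked = True   # a managed device would lock or erase here
        return "wrong"
```

Because each history entry carries its own salt, checking a candidate costs one slow hash per entry (24 derivations at the standard's depth), which is acceptable at password-change time and is the price of not keeping a reusable copy of old passwords. The dictionary lookup is case-folded because breach lists are usually normalised that way; the PIN rules accept letters as well as digits, since the standard allows "digits or characters".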
Definitions*
Term | Definition |
---|---|
Privileged Account | Individual account utilized for elevated access to systems or data, which may include authority to make changes to access permissions, roles, security configuration, or non-public data of other users. (APM 30.10) |
Individual Account | Primary account assigned to a single individual for access to technology resources, including interactive logon to computers, email, VPN, Banner, or other U of I resources. (APM 30.10) |
Functional Account | Account used by applications and processes and not interactively by end users. (APM 30.10) |
Shared Account | Account used or shared where multiple users know the password or otherwise use the account for interactive logon. (APM 30.10) |
Remote Access | Access to an information system communicating through an external network (Internet). |
Local Access | Access to an information system directly and not through a network. |
Multifactor Authentication | Two or more factors to achieve authentication, including something you know (password); something you have (cryptographic device, hardware or software token); or something you are (biometric). |
Security Functions | Hardware and software of an information system responsible for enforcing system security controls or policy and supporting the isolation of code and data. |
*For further clarification, refer to the APM or NIST SP 800-171.
Standards Owner
UI Information Technology Services (ITS) is responsible for the content and management of these standards.
REVISION HISTORY
VERSION | AUTHOR(S) | DATE | NOTES |
---|---|---|---|
V1 | M. Parks, D. Miller, D. Jacob | 3/6/19 | Original standards document. |