Information Security Standards



User authentication is a means to control who has access to information resources. The confidentiality, integrity, and availability of information can be lost when access is gained by a non-authorized entity. This, in turn, may result in loss of revenue, liability, loss of trust, or embarrassment to the University. Authentication factors include something you know, something you have, and something you are. Using multiple factors in authentication increases the certainty of a user’s identity.


This procedure applies to all University information resources. Its purpose is to provide a set of measures that mitigate the information security risks associated with passwords and authentication. The intended audience is any University employee, student, guest or visitor who uses information resources that require authentication.


1. All systems shall require passwords that conform to the following rules:

a. Not contain all or part of the user's account name

b. Be at least eight characters in length

c. Contain characters from three of the following four categories:

• English uppercase characters (A through Z)

• English lowercase characters (a through z)

• Base 10 digits (0 through 9)

• Non-alphanumeric characters (for example, !, $, #, %)

d. Password history must be maintained in a manner that prohibits the 10 previous passwords from being reused.

e. Passwords expire after 120 days.

f. Stored passwords must be salted and hashed with a purpose-built password hashing algorithm; they must not be stored in plain text or in any reversible form.
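The following is an added example that checks rules 1.a through 1.d and implements rule 1.f; it is not part of this procedure or of any University system. It assumes scrypt from the Python standard library as the "appropriate algorithm" with the cost parameters shown, and reads "part of the account name" as any token of the account name (split on dots, underscores, hyphens and spaces) of at least three characters, since the procedure does not define "part". Because stored hashes are salted, the history check (rule 1.d) has to verify the candidate against each of the last ten stored records rather than compare hash strings.

```python
import hashlib
import hmac
import os
import re
import string

MIN_LENGTH = 8          # rule 1.b
MIN_CATEGORIES = 3      # rule 1.c: at least three of the four categories
HISTORY_DEPTH = 10      # rule 1.d: the previous 10 passwords may not be reused

# scrypt cost parameters: assumed values, the procedure only says "appropriate algorithm"
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def category_count(password):
    """Number of the four character categories of rule 1.c present in the password."""
    checks = (
        lambda c: c in string.ascii_uppercase,
        lambda c: c in string.ascii_lowercase,
        lambda c: c in string.digits,
        lambda c: not c.isalnum(),   # non-alphanumeric: punctuation, symbols, space
    )
    return sum(any(check(c) for c in password) for check in checks)


def contains_account_name(password, account):
    """Rule 1.a. 'Part' is taken (assumption) to mean any token of the account
    name, split on . _ - and spaces, that is at least 3 characters long.
    The comparison is case-insensitive."""
    pw = password.lower()
    tokens = {account.lower()}
    tokens |= {t for t in re.split(r"[._\- ]+", account.lower()) if len(t) >= 3}
    return any(t in pw for t in tokens if t)


def hash_password(password, salt=b""):
    """Rule 1.f: per-user random salt plus scrypt, stored as 'scrypt$<salt hex>$<hash hex>'."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "scrypt$%s$%s" % (salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, salt_hex, digest_hex = record.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def check_password(password, account, history):
    """Return the list of rule-1 violations for a proposed new password.
    `history` is the user's stored hash records, newest first."""
    violations = []
    if contains_account_name(password, account):
        violations.append("1.a: contains all or part of the account name")
    if len(password) < MIN_LENGTH:
        violations.append("1.b: shorter than %d characters" % MIN_LENGTH)
    if category_count(password) < MIN_CATEGORIES:
        violations.append("1.c: uses fewer than %d of 4 character categories" % MIN_CATEGORIES)
    if any(verify_password(password, rec) for rec in history[:HISTORY_DEPTH]):
        violations.append("1.d: matches one of the previous %d passwords" % HISTORY_DEPTH)
    return violations


if __name__ == "__main__":
    # Constructed sample: a user 'jdoe' whose two most recent passwords are on record.
    history = [hash_password("Winter2013!"), hash_password("Autumn2013!")]
    for candidate in ("Winter2013!", "jdoe1234", "Tr0ub4dor&3"):
        print(candidate, check_password(candidate, "jdoe", history) or "OK")
```

Rule 1.e (expiry) is a matter of recording the change date alongside the record and comparing it at logon, and is left out here. Note that a general-purpose hash such as SHA-256 applied once would not satisfy 1.f: the point of scrypt (or bcrypt, PBKDF2, Argon2) is that each guess costs the attacker measurable time and memory.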

2. Passwords must be treated as confidential information and must not be revealed to anyone.

3. Passwords must never be transmitted in plain text (that is, over an unencrypted connection), unless the account is used only for accessing publicly available data.

4. If the security of a password is in doubt, the password should be changed immediately.

5. If the password has been compromised, the incident should be reported to the Information Security Officer.

6. Users must not circumvent password entry with auto logon, application "remember password" features, embedded scripts, or passwords hard-coded in client software on systems that process or store mission-critical or confidential data. Exceptions may be made for specific applications (such as automated backup) with the approval of the information resource owner.

7. Computing devices should not be left unattended without enabling a password protected screensaver or automatic logoff.

8. Password management and automated password generation systems should, where the capability exists, maintain auditable transaction logs containing information such as:

• Time and date of password change, expiration, administrative reset;

• Type of action performed; and,

• Source system (e.g., IP and/or MAC address) that originated the change request.

Systems without this capability must be approved and documented by the Chief Information Officer or designee.


Last Updated March 31, 2014