To maintain the security of university systems, all passwords must meet the following standards:
Password Creation Requirements
- Must not include personal identifiers (e.g., username, UIN, birthdate, phone number)
- Must avoid dictionary words, repeatable patterns, or acronyms in any language
- Must be at least eight (8) characters in length
- Must contain characters from three of the following four categories:
  - English uppercase characters (A through Z)
  - English lowercase characters (a through z)
  - Base 10 digits (0 through 9)
  - Non-alphabetic characters (for example, !, $, #, %)
- Must be changed at first login if system-generated
Complexity requirements are enforced when passwords are changed or created.
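The length, category, and personal-identifier rules above can be checked mechanically when a password is set. The following Python check is an added example, not part of the university's policy or tooling; the function names and sample values are hypothetical, and it assumes the fourth category means symbols rather than digits. The dictionary-word, pattern, and password-history rules need a wordlist and stored history and are not covered here.

```python
import string

MIN_LENGTH = 8            # "at least eight (8) characters"
REQUIRED_CATEGORIES = 3   # "three of the following four categories"

def character_categories(password):
    """Return which of the four policy categories appear in the password."""
    found = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            found.add("upper")
        elif ch in string.ascii_lowercase:
            found.add("lower")
        elif ch in string.digits:
            found.add("digit")
        elif not ch.isalpha():
            # Assumption: symbols such as ! $ # % (digits are counted above).
            # Non-English letters fall through and count toward no category.
            found.add("symbol")
    return found

def _normalize(text):
    """Lowercase and drop separators so '254-555-0100' matches '2545550100'."""
    return "".join(ch for ch in text.lower() if ch.isalnum())

def check_password(password, personal_identifiers=()):
    """Return a list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if len(character_categories(password)) < REQUIRED_CATEGORIES:
        problems.append("fewer than 3 of 4 character categories")
    candidate = _normalize(password)
    for ident in personal_identifiers:
        needle = _normalize(ident)
        # Skip empty or very short identifiers, which would match almost anything
        if len(needle) >= 3 and needle in candidate:
            problems.append("contains a personal identifier")
            break
    return problems

if __name__ == "__main__":
    # Constructed sample identifiers for a fictional user
    user = ["jdoe42", "123004567", "1990-04-17", "254-555-0100"]
    for pw in ["abcdefgh", "Ab1!", "Tx!2545550100", "Jdoe42#River", "m7#Qv!tZ2w"]:
        print(pw, "->", check_password(pw, user) or "ok")
```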
Password Management
- Must be changed at least every 365 days for sensitive systems
- Forgotten passwords must be replaced, not reissued
- May not be reused from the previous 10 passwords
- Identity verification is required before changing a password
Prohibited Practices
- Do not use auto-logon, password remembering, or hard-coded credentials
- Do not leave devices unattended without a password-protected screensaver or logging off
- Do not share or write down passwords
Account Security
- Systems will lock accounts after a limited number of failed login attempts
- Report changes in job duties or employment status immediately to update access
- Change passwords immediately if compromise is suspected and notify system administrators
Additional Information
- Passwords are classified as confidential information under System Regulation 29.01.03
- Exceptions to these standards must be documented and approved by the department head and Chief Information Security Officer (CISO)
Contact
For help or questions, contact Innovative Technology Solutions at 254.968.9885.