University Password Standards

Purpose

The purpose of this document is to provide a set of minimum security standards governing the use of passwords for University of Connecticut information technology systems. This document is intended to offer minimum standards for system and application administrators and developers. All parties are encouraged to apply more stringent controls than those outlined below in accordance with the security needs of the system and the information being stored or accessed. Regulatory, compliance, or grant requirements supersede any standards defined below.


Standards

Scope and Intent

This section is intended to provide guidance for systems and applications that utilize a username and password for authentication and authorization. For many systems, these settings are customizable and must be configured before a system goes into production or stores institutional information. Systems that utilize a University of Connecticut NetID for authentication can assume these requirements are met as part of the service provided.

Password requirements for standard accounts

  • Passwords may never be stored in plain text. Passwords must be stored using industry standard hashing and salting methodologies.
  • Passwords must be encrypted and/or hashed while in transit to the authenticating system.
  • Passwords should not be displayed in plain text as they are being entered.
  • Passwords must adhere to the following complexity rules:
    • Passwords must be at least twelve (12) characters long.
    • The password must contain characters from three of the following four categories:
      • Upper Case: A B C ...
      • Lower Case: a b c ...
      • Numbers: 1 2 3 ...
      • Symbols: + - _ = . @ ? ! ...
    • The password cannot contain any sequence of three or more consecutive characters that appears in the account holder's name or NetID.


Password requirements for administrative accounts

In addition to the requirements for standard accounts:

  • Passwords may not be re-used for a period of 12 months.
  • Accounts must use Multi-Factor Authentication (MFA) where possible.


Password requirements for service accounts

Service-based accounts are those used for automation, monitoring, and other non-interactive tasks that are not performed by an individual.

In addition to the requirements for standard accounts:

  • Passwords must be at least 16 characters.
  • User IDs and passwords shall never be used through an interactive logon mechanism except for testing/setup purposes.
  • Service accounts must have a responsible point of contact or sponsor.
  • Service accounts must be reviewed annually to ensure they are properly used, secured, and necessary.
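As an added example (not part of the University's standard or any UConn system), the following validator implements the complexity rules for standard accounts above and, via the `min_length` parameter, the 16-character minimum for service accounts. The case-insensitive reading of the name/NetID rule, the exclusion of whitespace from the symbol category, and the sample account holder are assumptions of this example.

```python
import re

# Added example: a validator for the complexity rules in this standard.
# Assumption: the "three consecutive characters" rule means no run of three
# password characters may appear inside any part of the holder's name or
# NetID, compared case-insensitively.

RUN_LENGTH = 3  # length of a password run that may not come from name/NetID


def has_identifier_fragment(password, identifiers, run_length=RUN_LENGTH):
    """True if any run of `run_length` consecutive password characters
    occurs inside one of the identifiers (name parts, NetID)."""
    pw = password.lower()
    for ident in (s.lower() for s in identifiers if len(s) >= run_length):
        for i in range(len(pw) - run_length + 1):
            if pw[i:i + run_length] in ident:
                return True
    return False


def validate_password(password, full_name, netid, min_length=12):
    """Return a list of rule violations; an empty list means compliant.
    min_length=12 is the standard-account rule, 16 the service-account rule."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    categories = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        # Assumption: whitespace is not counted as a symbol.
        any(not c.isalnum() and not c.isspace() for c in password),
    )
    if sum(categories) < 3:
        problems.append("fewer than three of the four character categories")
    # Split the name on spaces, hyphens and apostrophes; check each part
    # and the NetID separately.
    identifiers = re.split(r"[\s\-']+", full_name) + [netid]
    if has_identifier_fragment(password, identifiers):
        problems.append("contains three consecutive characters from the "
                        "account holder's name or NetID")
    return problems


if __name__ == "__main__":
    # Constructed sample account holder; not a real person or NetID.
    for pw in ("Correct-Horse-Battery1", "Jane2024!xyzqw", "abcdefghijkl9876"):
        print(pw, "->", validate_password(pw, "Jane Doe", "jad12345") or "OK")
```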


Initial Account Provisioning

Newly provisioned user accounts must have a secure password set by the account holder. This may be accomplished via an activation method that allows the account holder to set a password (before which the account is not usable), secure transmission of an initial password to the account holder, a short expiration window for an initial password, and/or manual intervention by support staff.

If an initial account password is set before account handoff to the account holder:

  • The system must either allow the account holder to activate the account and set a password before use, or require the user to set a password during initial access to the system. Service accounts may be considered exempt from this requirement.
  • All vendor-supplied passwords, including service accounts, must be changed as soon as possible after system/application deployment and before becoming operational.


Password Protection

To ensure that the intended account holder is the authorized holder of a password or credential, distribution or reset should occur only after reasonable effort has been made to verify the identity of the account holder.

Individuals should be confirmed as the intended recipient by contact via an authorized work phone number, verification of personal data, photo ID, or similar means.

Where possible, passwords should be maintained by the individual through automated means that rely either on pre-existing answers to a set of questions or on a secondary channel used to confirm the person's identity, such as a one-time password sent to a registered device. If an automated process is not available, initial or reset passwords may be communicated via:

  • Mail (sealed envelope)
  • Encrypted file transfer (e.g., Filelocker or similar)
  • Verbal conversation, either a phone call to an authorized work telephone number or in-person communication


Exceptions

It is recognized that software applications offer many varied capabilities with respect to authentication, authorization, role-based access control, password complexity, account management, and auditing of these components. Many examples of software exist that will not be able to conform to some aspect of the prescribed standards.

Despite these deficiencies, such software may be necessary for performing critical functions for the University. Reasonable efforts should be made to improve the security posture of such software by enhancing system configurations over time, engaging with vendors, and developing auditing capabilities when possible and feasible. Administrators are encouraged to contact the Information Security Office (ISO) for evaluation of systems, applications, or accounts lacking the technical capability to meet the requirements in this document; the ISO will offer guidance for selecting the best and most secure configuration within the limitations of the given system.