Password Passphrase Standard

Abstract:
This standard defines password/passphrase requirements for users, servers, and applications at UAB that use BlazerIDs.
Effective Date:
1/1/2014
Contacts:
None Assigned
Administrative Category:
Applies To:
Faculty, Staff, Students
Material Original Source:

UAB Password / Passphrase Standard

Related Policies

Acceptable Use Policy
Data Protection and Security Policy
UAB IT Security Practices

Related Forms

BlazerID Application Registration Form
IT Standards Exception Request Form

Purpose:

The purpose of this standard is to define password / passphrase requirements for users, servers, and applications at UAB.

Scope:

This standard applies to all users and systems at UAB that use BlazerIDs.

Standards:

  1. Length:  All account passwords / passphrases on systems leveraging BlazerIDs shall be a minimum of 8 characters and a maximum of 32 characters.  Other account passwords / passphrases not using BlazerIDs shall be a minimum of 8 characters.

  2. Lockout:  After 6 failed login attempts, accounts should be disabled and locked out for at least 30 minutes where feasible.

  3. Expiration:  Passwords / passphrases shall expire according to the table below:

    Category         Interval
    Employees        90 days
    Administrative   90 days
    Students         180 days
    Resource         90 days
    Temporary        90 days
    Guest (XIAS)     90 days

    When there is a question on which expiration interval applies, the more restrictive interval shall be used.

  4. History:  Password / passphrase history shall be kept to prevent the previous six (6) passwords / passphrases from re-use.

  5. Caching:  Applications or systems that utilize BlazerIDs shall not cache BlazerID passwords / passphrases, even if hashed or otherwise encrypted, unless an approved exception is in place.  (See attached Exception Request Form.)  Individual devices such as smartphones, tablets, etc. are not included.

  6. Complexity:  Passwords / passphrases shall contain at least 1 character from three of the following ASCII character sets:  lowercase alphabetic, uppercase alphabetic, numbers, and symbols.

  7. Logging:  Systems shall log successful and failed logon attempts and retain such logs for a minimum of 90 calendar days.

  8. Screen Lock:  It is recommended that a computer screen-locking feature be enabled and configured to lock the computing device after a period of inactivity not longer than 15 minutes.  If enabled, access to the device shall be granted only after a valid password / passphrase is entered or provided.

  9. Unused Accounts:  Student accounts unused for more than 180 days shall be disabled.  All other accounts unused for more than 90 days shall be disabled.

  10. Registration:  Applications that leverage BlazerID authentication through a central mechanism/system must be registered with UAB IT.  (See attached BlazerID Application Registration Form.)

  11. Encryption:  All credential usage shall be encrypted while in transit.
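The following is an added reference implementation, not part of the UAB standard or of any UAB system, showing how the checkable rules above (Standard 1 length, 2 lockout, 4 history, 6 complexity, 7 logging) translate into code. Names such as `check_complexity`, `Account`, and `attempt_login` are assumptions chosen for illustration; the standard prescribes the thresholds, not this design. The history rule is interpreted here as "the six most recent passwords, including the current one", and the lockout counter resets when the lockout is imposed.

```python
"""Reference checker for the password / passphrase rules in the Standards
section.  Added example; all names are assumptions, not UAB's own code."""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field

MIN_LEN, MAX_LEN = 8, 32        # Standard 1: BlazerID account passwords
LOCKOUT_THRESHOLD = 6           # Standard 2: failed attempts before lockout
LOCKOUT_SECONDS = 30 * 60       # Standard 2: lockout duration (30 minutes)
HISTORY_DEPTH = 6               # Standard 4: previous six passwords not reusable
MIN_CLASSES = 3                 # Standard 6: three of four ASCII character sets

CHARSETS = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "numbers": set(string.digits),
    "symbols": set(string.punctuation),
}


def check_complexity(pw: str) -> list:
    """Return a list of rule violations; an empty list means compliant."""
    problems = []
    if not (MIN_LEN <= len(pw) <= MAX_LEN):
        problems.append(f"length {len(pw)} not within {MIN_LEN}..{MAX_LEN}")
    if any(ord(c) > 127 for c in pw):
        problems.append("non-ASCII character present")
    used = sum(1 for cs in CHARSETS.values() if any(c in cs for c in pw))
    if used < MIN_CLASSES:
        problems.append(f"only {used} of 4 character sets used (need {MIN_CLASSES})")
    return problems


def _digest(pw: str, salt: bytes) -> bytes:
    # Salted, iterated hash so stored history does not reveal the passwords.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


@dataclass
class Account:
    history: list = field(default_factory=list)   # (salt, digest), newest last
    failures: int = 0
    locked_until: float = 0.0
    log: list = field(default_factory=list)       # (timestamp, outcome), Standard 7

    def _reused(self, pw: str) -> bool:
        recent = self.history[-HISTORY_DEPTH:]
        return any(hmac.compare_digest(_digest(pw, s), d) for s, d in recent)

    def set_password(self, pw: str) -> list:
        """Apply Standards 1, 4 and 6; store the password only if compliant."""
        problems = check_complexity(pw)
        if self._reused(pw):
            problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
        if not problems:
            salt = os.urandom(16)
            self.history.append((salt, _digest(pw, salt)))
        return problems

    def attempt_login(self, pw: str, now: float) -> str:
        """Return 'ok', 'denied' or 'locked' and record the attempt (Standard 2, 7)."""
        if now < self.locked_until:
            self.log.append((now, "locked"))
            return "locked"
        if self.history:
            salt, digest = self.history[-1]
            if hmac.compare_digest(_digest(pw, salt), digest):
                self.failures = 0
                self.log.append((now, "success"))
                return "ok"
        self.failures += 1
        self.log.append((now, "failure"))
        if self.failures >= LOCKOUT_THRESHOLD:
            self.failures = 0
            self.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


if __name__ == "__main__":
    acct = Account()
    print(acct.set_password("Correct-Horse1"))      # [] -> accepted
    print(acct.set_password("alllowercase"))        # length ok, but 1 of 4 sets
    for _ in range(LOCKOUT_THRESHOLD):
        outcome = acct.attempt_login("wrong-guess", now=0.0)
    print(outcome)                                  # locked after 6 failures
```

The `attempt_login` timestamp is passed in rather than read from the clock so the lockout window can be exercised deterministically; a production system would also persist `log` to the retained audit log rather than keep it in memory.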

Enforcement:

The Office of the Vice President for Information Technology is responsible for this standard and will programmatically enforce it through the UAB IT Enterprise Identity Management (IDM) organization.  Exceptions for authorized non-compliance with the UAB Password / Passphrase Standard must be documented in writing and approved by the requestor's departmental IT representative, the requestor's Dean and/or Vice President, and the UAB Enterprise Information Security Council (chaired by the UAB Chief Information Security Officer).  Exceptions will only be granted in situations where risks are appropriately mitigated.

Approved by:

E. Douglas Rigney, PhD, Vice President of Information Technology

December 13, 2013