University of Idaho - I Banner
students walk on University of Idaho campus

Visit U of I

Learn about the many reasons the University of Idaho could be a perfect fit for you. Schedule Your Visit

campus full of students

U of I Retirees Association

UIRA has a membership of nearly 500 from every part of the University. Learn about UIRA

UI Password Standards

Overview

This standard addresses the authentication requirements for university accounts to ensure the confidentiality, integrity, and availability of university data and technology resources. Varying requirements reflect the current mitigation with multi factor authentication (MFA) as well as known risks.

Policy Reference

  • APM 30.15 Password and Authentication Policy
  • APM 30.10 Identity and Access Management Policy
  • APM 30.11 University Data Classification and Standards

Scope

These standards establish password requirements for all university faculty, staff, students, and affiliates accessing, storing, and processing UI data or using UI technology resources at any data classification level. Effective date: April 16, 2019.

Standards

  1. Length and Expiration Standards for Individual Accounts
    1. Low Risk (ex. Student) password requirements for length and expiration:
      Authentication Factors Minimum characters Expiration
      With Duo Mobile or hardware factors only 12 characters indefinite
      With All MFA types 12 characters 400 days
    2. Moderate Risk (ex., most Faculty & Staff) password requirements for length and expiration:
      Authentication Factors Minimum characters Expiration
      With Duo Mobile or hardware factors only 12 characters indefinite
      With All MFA types 12 characters 400 days
    3. High Risk password requirements for length and expiration:
      Authentication Factors Minimum characters Expiration
      With Duo Mobile or hardware factors only 12 characters 1095 days
      With All MFA types 12 characters 90 days
  2. Length and Expiration for Shared/Functional/Privileged Accounts
    1. Shared account password requirements for length and expiration:
      Risk Authentication Factors Minimum characters Expiration
      Low With Duo Mobile or hardware factors only 12 characters indefinite
      Low With All MFA types 12 characters 400 days
      Moderate or High With Duo Mobile or hardware factors only 12 characters 1095 days
      Moderate or High With All MFA types 12 characters 90 days
    2. Functional account password requirements for length and expiration:
      Risk Authentication Factors Minimum characters Expiration
      Any With Duo Mobile or hardware factors only 30 characters 1825 days
      Any MFA Blocked 30 characters 1825 days
    3. Privileged account password requirements for length and expiration:
      Risk Authentication Factors Minimum characters Expiration
      High With Duo Mobile or hardware factors only, or MFA Blocked 12 characters 400 days
  3. Password aging, history, and dictionary requirements
    1. New passwords may be immediately changed after previous change.
    2. Password history, or limits on reuse of previous passwords:
      Systems must be configured to prevent re-use of at least the last 24 passwords. Where systems do not support this, the system must be reviewed and approved by the ITS Security Office and any identified risks appropriately mitigated.
    3. Dictionary requirements:
      1. Standard dictionary checks on passwords are no longer required for individual UI passwords protected by MFA.
      2. Where systems support such use, dictionaries of known bad passwords must be checked to prevent use of susceptible passwords.
  4. Multifactor authentication requirements for systems
    System Additional Authentication Factors Required
    High Risk Yes
    Moderate Risk Yes, where password is Internet-exposed
    Low Risk At discretion of system owner
  5. Hardware factors currently supported
    1. HOTP tokens provided and assigned by ITS, including those branded by Duo or Feitian
    2. Universal 2nd Factor (U2F) tokens supported by Duo, including Yubikeys
  6. Mobile devices, including mobile phones and tablets accessing or processing UI data, or providing local authentication to UI data classified as Moderate or High risk, are required to enforce a PIN and/or biometric authenticator
    1. Mobile device password/PIN standards shall be:
      1. A minimum of 6 digits or characters
      2. No allowed repeating or sequential PINs (i.e., 123456, 999999, etc.)
      3. Automatically lock or erase after multiple bad authentication attempts
    2. ITS requires use of ITS-managed Application Protection, or Mobile Device Management to ensure security of UI data and meet this and other requirements, where data is processed at the Moderate or High classification level.
    3. Where laptop computers are configured with ITS-approved biometric authentication, they shall also be required to meet ITS mobile device standards for authentication with PIN.
    4. Approved biometrics include, but are not limited to:
      1. Apple Face ID or Fingerprint
      2. Microsoft Hello Face ID or Fingerprint, including the convenience PIN
      3. Android biometrics

Other References

Definitions*

Privileged Account Individual account utilized for elevated access to systems or data, which may include authority to make changes to access permissions, roles, security configuration, or non-public data of other users. (APM 30.10)
Individual Account Primary account assigned to a single individual for access to technology resources, including interactive logon to computers, email, VPN, Banner, or other U of I resources. (APM 30.10)
Functional Account Account used by applications and processes and not interactively by end users. (APM 30.10)
Shared Account Account used or shared where multiple users know the password or otherwise use the account for interactive logon. (APM 30.10)
Remote Access Access to an information system communicating through an external network (Internet)
Local Access Access to an information system directly and not through a network
Multifactor Authentication Two or more factors to achieve authentication, including something you know (password); something you have (cryptographic device, hardware or software token); or something you are (biometric)
Security Functions Hardware and software of an information system responsible for enforcing system security controls or policy and supporting the isolation of code and data

*For further clarification, refer to APM or NIST SP800-171.

Standards Owner

UI Information Technology Services (ITS) is responsible for the content and management of these standards.

REVISION HISTORY

VERSION AUTHOR(S) DATE NOTES
V1 M. Parks, D. Miller, D. Jacob 3/6/19 Original standards document.
       
       
       
       

Physical Address:

Teaching Learning Center Room 128

Office Hours:

Monday - Friday
8 a.m. to 5 p.m.

Summer Hours:

Monday - Friday
7:30 a.m. to 4:30p.m.

Phone: 208-885-4357 (HELP)

Email: support@uidaho.edu

Map