skip to main contentskip to footer

Quick links

  • Athletics
  • Make a gift
  • Student portal
  • Job openings
  • Employee directory
  • Explore
  • Costs
  • Admissions
Explore U of I
  • Visit and virtual tour
  • Student life
  • Find your degree
  • Get around campus
  • Meet Moscow
  • Join our email list
  • Events
  • ZeeMee
  • Athletics
Academics
  • Academic calendar
  • Find a major
  • Academic support
  • Undergrad research opportunities
  • Meet the colleges
  • Online learning
  • Explore in-demand careers
Admissions
  • Meet your counselor
  • Deadlines
  • First-year students
  • Graduate students
  • Law students
  • Online students
  • Transfer students
  • International students
  • Admitted students
Financial aid
  • Cost of attendance
  • Steps for financial aid
  • FAFSA information
  • Financial aid FAQs
  • In-state scholarships
  • Out-of-state and international scholarships
  • Connect with financial aid
More
  • Student life
  • Research
  • Recreational offerings
  • Student resources
  • Alumni
  • Parents
  • Newsroom
  • Events
  • Sustainability initiatives
Find your passion - Explore majors Become a Vandal - Start an application
  • Student portal
  • Make a gift
  • Directory
  • Athletics
Events
See 'Venus in Fur'
Idaho Repertory Theatre presents the dark comedy "Venus in Fur” July 9-26, exploring power, desire and performance.
Join Vandal alumni at Silverwood
Enjoy the fun-filled Vandal Day at Silverwood July 30. Tickets include early access and dinner.
Plan for Palousafest 2026
Kick off the semester Aug. 22 at Palousafest, U of I’s biggest welcome-back event.
Events
News
Photo from University of Idaho Special Collections and Archives: Life Sciences (South), about 1930. This is one of the best examples of Collegiate Gothic architectural style in the state of Idaho, but up to this point has not been recognized on the National Register of Historic Places. The U of I district is comprised of many architectural styles, with Collegiate Gothic being one of the most recognizable.
Moscow campus is up for historic district registry
Engineering students and faculty are developing AI-driven automation solutions for Amalgamated Sugar to keep the plant's assembly line from breaking down while adding components to maintain moisture levels in sugar beets, helping the company improve productivity and optimizing both quality and quantity. Pictured from left are Ph.D. researcher Sarah Davis, computer science graduate student Hunter Hawkins, research faculty John Shovic.
U of I announces new AI degrees
News
Support a Vandal - Make a gift
  • Explore
  • Costs
  • Admissions
  • Explore
  • Academics
  • Admissions
  • Financial Aid
  • Student life
  • Research
  • Recreational offerings
  • Student resources
  • Alumni
  • Parents
  • Newsroom
  • Events
  • Sustainability initiatives

Password standards

  • leadership
  • President's Office
  • Provost's Office
  • Finance and Administration
  • General Counsel
  • Administrative position searches
  • Information technology
    • leadership
    • President's Office
    • Provost's Office
    • Finance and Administration
    • General Counsel
    • Administrative position searches
    • Information technology
    leadership
    • President's Office
    • Provost's Office
    • Finance and Administration
    • General Counsel
    • Administrative position searches
    • Information technology
    1. Home/
    2. leadership/
    3. Information technology/
    4. IT standards/
    5. Passwords

    Overview

    This document addresses the password requirements for university accounts to ensure the confidentiality, integrity, and availability of university data and technology resources. Varying requirements reflect the current mitigations with multi factor authentication (MFA) as well as known risks.

    Policy Reference

    • APM 30.15 Password and Authentication Policy
    • APM 30.10 Identity and Access Management Policy
    • APM 30.11 University Data Classification and Standards

    Scope
    These standards establish password requirements for all university faculty, staff, students, and affiliates accessing, storing, and processing UI data or using UI technology resources at any data classification level. Effective date: April 16, 2019.

    Standards

    U of I Office of Information Technology (OIT) is responsible for the content and management of these standards.

    To request an exception to this standard contact: oit-security@uidaho.edu 

    Individual accounts
    1. Length and Expiration Standards for Individual Accounts
      1. Low Risk (ex. Student) password requirements for length and expiration:

        Authentication FactorsMinimum charactersExpiration
        With Duo Mobile or hardware factors only12 charactersindefinite
        With All MFA types12 characters400 days
      2. Moderate Risk (ex., most Faculty & Staff) password requirements for length and expiration:

        Authentication FactorsMinimum charactersExpiration
        With Duo Mobile or hardware factors only12 charactersindefinite
        With All MFA types12 characters400 days
      3. High Risk password requirements for length and expiration:

        Authentication FactorsMinimum charactersExpiration
        With Duo Mobile or hardware factors only12 characters1095 days
        With All MFA types12 characters90 days
    Shared, functional and privilege accounts
    1. Length and Expiration for Shared/Functional/Privileged Accounts
      1. Shared account password requirements for length and expiration:

        RiskAuthentication FactorsMinimum charactersExpiration
        LowWith Duo Mobile or hardware factors only12 charactersindefinite
        LowWith All MFA types12 characters400 days
        Moderate or HighWith Duo Mobile or hardware factors only12 characters1095 days
        Moderate or HighWith All MFA types12 characters90 days
      2. Functional account password requirements for length and expiration:

        RiskAuthentication FactorsMinimum charactersExpiration
        AnyWith Duo Mobile or hardware factors only30 characters1825 days
        AnyMFA Blocked30 characters1825 days
      3. Privileged account password requirements for length and expiration:

        RiskAuthentication FactorsMinimum charactersExpiration
        HighWith Duo Mobile or hardware factors only, or MFA Blocked12 characters400 days
    Password aging, history and dictionary requirements
    1. Password aging, history, and dictionary requirements
      1. New passwords may be immediately changed after previous change.
      2. Password history, or limits on reuse of previous passwords:
        Systems must be configured to prevent re-use of at least the last 24 passwords. Where systems do not support this, the system must be reviewed and approved by the ITS Security Office and any identified risks appropriately mitigated.
      3. Dictionary requirements:
        1. Standard dictionary checks on passwords are no longer required for individual UI passwords protected by MFA.
        2. Where systems support such use, dictionaries of known bad passwords must be checked to prevent use of susceptible passwords.
    Multi-factor authentication requirements
    1. Multifactor authentication requirements for systems

      SystemAdditional Authentication Factors Required
      High RiskYes
      Moderate RiskYes, where password is Internet-exposed
      Low RiskAt discretion of system owner
    Hardware factors
    1. Hardware factors currently supported
      1. HOTP tokens provided and assigned by ITS, including those branded by Duo or Feitian
      2. Universal 2nd Factor (U2F) tokens supported by Duo, including Yubikeys
    Mobile devices
    1. Mobile devices, including mobile phones and tablets accessing or processing UI data, or providing local authentication to UI data classified as Moderate or High risk, are required to enforce a PIN and/or biometric authenticator
      1. Mobile device password/PIN standards shall be:
        1. A minimum of 6 digits or characters
        2. No allowed repeating or sequential PINs (i.e., 123456, 999999, etc.)
        3. Automatically lock or erase after multiple bad authentication attempts
      2. ITS requires use of ITS-managed Application Protection, or Mobile Device Management to ensure security of UI data and meet this and other requirements, where data is processed at the Moderate or High classification level.
      3. Where laptop computers are configured with ITS-approved biometric authentication, they shall also be required to meet ITS mobile device standards for authentication with PIN.
      4. Approved biometrics include, but are not limited to:
        1. Apple Face ID or Fingerprint
        2. Microsoft Hello Face ID or Fingerprint, including the convenience PIN
        3. Android biometrics

    Other references

    1. NIST SP800-171 (January 2016)
    2. NIST SP800-53r4 (April 2013)
    3. CIS Controls version 7

    Definitions*

    • Privileged Account: Individual account utilized for elevated access to systems or data, which may include authority to make changes to access permissions, roles, security configuration, or non-public data of other users. (APM 30.10)
    • Individual Account: Primary account assigned to a single individual for access to technology resources, including interactive logon to computers, email, VPN, Banner, or other U of I resources. (APM 30.10)
    • Functional Account: Account used by applications and processes and not interactively by end users. (APM 30.10)
    • Shared Account: Account used or shared where multiple users know the password or otherwise use the account for interactive logon. (APM 30.10)
    • Remote Access: Access to an information system communicating through an external network (Internet)
    • Local Access:/strong> Access to an information system directly and not through a network
      • Multifactor Authentication: Two or more factors to achieve authentication, including something you know (password); something you have (cryptographic device, hardware or software token); or something you are (biometric)
      • Security Functions: Hardware and software of an information system responsible for enforcing system security controls or policy and supporting the isolation of code and data

    * For further clarification, refer to APM or NIST SP800-171.

    Standards Owner

    UI Information Technology Services (ITS) is responsible for the content and management of these standards.

    Revision history

    VersionAuthor(S)DateNotes
    V1M. Parks, D. Miller, D. Jacob3/6/19Original standards document.

    Footer

    Ready to apply?

    Start your application
    Joe_Vandal_rgb_2026.svg

    Footer Navigation

    Resources

    • Jobs
    • Privacy statement
    • Web accessibility
    • Title IX

    Campus

    • Directory
    • Map
    • Safety
    • Events

    Information For

    • Prospective students
    • Current students
    • Parents
    • Employees
    Logo

    University of Idaho

    875 Perimeter Drive, Moscow, ID 83844

    208-885-6111

    info@uidaho.edu

    Engage with U of I on Facebook. Get the latest U of I updates on X. Catch up with U of I on Instagram. Grow your professional network by connecting with U of I on LinkedIn. Interact with University of Idaho's video content on YouTube.
    Support a Vandal - Make a gift
    • Athletics
    • News
    • Policies

    © 2026 University of Idaho