Password standards
Overview
This standard addresses the authentication requirements for university accounts to ensure the confidentiality, integrity, and availability of university data and technology resources. Requirements vary to reflect the risk reduction currently provided by multi-factor authentication (MFA) as well as known risks.
What is in this document:
- Zero trust requirements for high-risk data
- Application of principle of least privilege from APM 30.10
- Requirements of external/public systems
- Session and timeout requirements
- Remote and wireless access
What is NOT in this document:
- Identity types and authentication (see: Identity and Authentication standard)
- Auditing requirements for authentication (see:
- Full coverage of 3.1.* under NIST 800-171 for Controlled Unclassified Information
Policy reference
- APM 30.15 Password and Authentication Policy
- APM 30.10 Identity and Access Management Policy
- APM 30.11 University Data Classification and Standards
Purpose
This Access Control standard supports APM 30.11 University Data Classification and Standards and other relevant university policies.
Scope
These standards establish password requirements for all university faculty, staff, students, and affiliates accessing, storing, and processing UI data or using UI technology resources at any data classification level. Effective date: April 16, 2019.
Standards
U of I Office of Information Technology (OIT) is responsible for the content and management of these standards.
To request an exception to this standard contact: oit-security@uidaho.edu
1. Individual accounts
- Length and expiration standards for individual accounts
Low Risk (ex. Student) password requirements for length and expiration:

| Authentication factors | Minimum characters | Expiration |
| --- | --- | --- |
| With Duo Mobile or hardware factors only | 12 characters | indefinite |
| With All MFA types | 12 characters | 400 days |

Moderate Risk (ex., most Faculty & Staff) password requirements for length and expiration:

| Authentication factors | Minimum characters | Expiration |
| --- | --- | --- |
| With Duo Mobile or hardware factors only | 12 characters | indefinite |
| With All MFA types | 12 characters | 400 days |

High Risk password requirements for length and expiration:

| Authentication factors | Minimum characters | Expiration |
| --- | --- | --- |
| With Duo Mobile or hardware factors only | 12 characters | 1095 days |
| With All MFA types | 12 characters | 90 days |
2. Shared, functional and privilege accounts
- Length and expiration for shared, functional or privileged accounts
Shared account password requirements for length and expiration:

| Risk | Authentication factors | Minimum characters | Expiration |
| --- | --- | --- | --- |
| Low | With Duo Mobile or hardware factors only | 12 characters | indefinite |
| Low | With All MFA types | 12 characters | 400 days |
| Moderate or High | With Duo Mobile or hardware factors only | 12 characters | 1095 days |
| Moderate or High | With All MFA types | 12 characters | 90 days |

Functional account password requirements for length and expiration:

| Risk | Authentication factors | Minimum characters | Expiration |
| --- | --- | --- | --- |
| Any | With Duo Mobile or hardware factors only | 12 characters | 1825 days |
| Any | With All MFA types | 12 characters | 1825 days |

Privileged account password requirements for length and expiration:

| Risk | Authentication factors | Minimum characters | Expiration |
| --- | --- | --- | --- |
| High | With Duo Mobile or hardware factors only, or MFA Blocked | 12 characters | 400 days |
3. Password aging, history and dictionary requirements
- New passwords may be immediately changed after previous change.
- Password history, or limits on reuse of previous passwords:
  - Systems must be configured to prevent re-use of at least the last 24 passwords. Where systems do not support this, the system must be reviewed and approved by the ITS Security Office and any identified risks appropriately mitigated.
- Dictionary requirements:
  - Standard dictionary checks on passwords are no longer required for individual UI passwords protected by MFA.
  - Where systems support such use, dictionaries of known bad passwords must be checked to prevent use of susceptible passwords.
4. Multi-factor authentication requirements
| System | Additional authentication factors required |
| --- | --- |
| High Risk | Yes |
| Moderate Risk | Yes, where password is Internet-exposed |
| Low Risk | At discretion of system owner |
5. Hardware factors
- Hardware factors currently supported:
  - HOTP tokens provided and assigned by ITS, including those branded by Duo or Feitian
  - Universal 2nd Factor (U2F) tokens supported by Duo, including Yubikeys
6. Mobile devices
- Mobile devices, including mobile phones and tablets accessing or processing UI data, or providing local authentication to UI data classified as Moderate or High risk, are required to enforce a PIN and/or biometric authenticator.
- Mobile device password/PIN standards shall be:
  - A minimum of 6 digits or characters
  - No repeating or sequential PINs allowed (e.g., 123456, 999999, etc.)
  - Automatically lock or erase after multiple bad authentication attempts
- ITS requires use of ITS-managed Application Protection or Mobile Device Management to ensure security of UI data and meet this and other requirements, where data is processed at the Moderate or High classification level.
- Where laptop computers are configured with ITS-approved biometric authentication, they shall also be required to meet ITS mobile device standards for authentication with PIN.
- Approved biometrics include, but are not limited to:
  - Apple Face ID or Fingerprint
  - Microsoft Hello Face ID or Fingerprint, including the convenience PIN
  - Android biometrics
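The following is an added reference implementation, not OIT tooling or anything the standard mandates, showing how a system owner might enforce the section 3 rules (12-character minimum, 24-deep password history, known-bad dictionary check) and the section 6 mobile-PIN rules (6-character minimum, no repeating or sequential PINs, lock after repeated failures). The known-bad password list, the PBKDF2 parameters, the lockout threshold of 10 attempts, and the definition of "sequential" as a run of consecutive characters in either direction are all assumptions chosen for the example; the standard itself does not fix them.

```python
"""Reference checks for the password-history, dictionary and mobile-PIN rules.
Added example for this standard; not OIT code and not mandated by APM 30.15."""
import hashlib
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MIN_PASSWORD_LENGTH = 12   # section 1 and 2 tables
HISTORY_DEPTH = 24         # section 3: prevent re-use of at least the last 24
MIN_PIN_LENGTH = 6         # section 6

# Constructed sample of a "known bad password" list (section 3). A real
# deployment would load a large breached-password corpus instead.
KNOWN_BAD_PASSWORDS = {"password1234", "qwertyuiop12", "letmein12345"}


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256. Iteration count kept low for the example;
    # production history stores would use the site's standard work factor.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)


@dataclass
class PasswordHistory:
    """Salted hashes of previous passwords, oldest first, capped at HISTORY_DEPTH."""
    entries: List[Tuple[bytes, bytes]] = field(default_factory=list)

    def contains(self, password: str) -> bool:
        return any(_hash(password, salt) == digest for salt, digest in self.entries)

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, _hash(password, salt)))
        # Drop everything older than the most recent HISTORY_DEPTH entries.
        del self.entries[:-HISTORY_DEPTH]


def check_new_password(password: str, history: PasswordHistory) -> Optional[str]:
    """Returns None if the password is acceptable, otherwise the rejection reason."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return f"shorter than {MIN_PASSWORD_LENGTH} characters"
    if password.lower() in KNOWN_BAD_PASSWORDS:
        return "appears in the known-bad password list"
    if history.contains(password):
        return f"matches one of the last {HISTORY_DEPTH} passwords"
    return None


def pin_is_sequential(pin: str) -> bool:
    """True when every character is exactly one step up (123456) or one step
    down (654321) from the previous one. Assumed definition of 'sequential'."""
    steps = {ord(b) - ord(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def check_pin(pin: str) -> Optional[str]:
    """Returns None if the PIN meets the section 6 rules, otherwise the reason."""
    if len(pin) < MIN_PIN_LENGTH:
        return f"shorter than {MIN_PIN_LENGTH} characters"
    if len(set(pin)) == 1:          # 999999 and the like
        return "repeating PIN"
    if pin_is_sequential(pin):
        return "sequential PIN"
    return None


@dataclass
class AttemptCounter:
    """Counts consecutive failed unlock attempts; the device locks at the limit.
    The threshold is a constructed value; the standard only says 'multiple'."""
    limit: int = 10
    failures: int = 0

    def record(self, success: bool) -> bool:
        """Records one attempt and returns True when the device should now lock."""
        self.failures = 0 if success else self.failures + 1
        return self.failures >= self.limit


if __name__ == "__main__":
    history = PasswordHistory()
    for candidate in ["short", "Password1234", "correct horse battery"]:
        print(f"{candidate!r}: {check_new_password(candidate, history) or 'accepted'}")
    history.record("correct horse battery")
    print("re-use attempt:", check_new_password("correct horse battery", history))
    for pin in ["123456", "999999", "280417"]:
        print(f"PIN {pin}: {check_pin(pin) or 'accepted'}")
```

`check_new_password` orders its checks so the cheap length and dictionary tests run before the hashed history comparison; `PasswordHistory` never stores the plaintext of old passwords, which is the usual way a 24-deep history is kept without creating a second credential store to protect.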
Other references
- NIST SP800-171 (January 2016)
- NIST SP800-53r4 (April 2013)
- CIS Controls version 7
Definitions
Privileged account
Individual account utilized for elevated access to systems or data, which may include authority to make changes to access permissions, roles, security configuration, or non-public data of other users. (APM 30.10)
Individual account
Primary account assigned to a single individual for access to technology resources, including interactive logon to computers, email, VPN, Banner, or other U of I resources. (APM 30.10)
Functional account
Account used by applications and processes and not interactively by end users. (APM 30.10)
Shared account
Account used or shared where multiple users know the password or otherwise use the account for interactive logon. (APM 30.10)
Remote access
Access to an information system communicating through an external network (Internet)
Local access
Access to an information system directly and not through a network
Multi-factor authentication
Two or more factors to achieve authentication, including something you know (password); something you have (cryptographic device, hardware or software token); or something you are (biometric)
Security functions
Hardware and software of an information system responsible for enforcing system security controls or policy and supporting the isolation of code and data
*For further clarification, refer to APM or NIST SP800-171.
Revision history
3/6/2019 — Original document
- M. Parks, D. Miller, D. Jacob