POLICY TITLE: Enterprise Password Policy (Version 3)
POLICY #: IT - 05
DATE DRAFTED: 03/20/2002
REVISION DATES: 11/04/02, 02/27/2004, 02/16/2010
APPROVED DATE:07/19/2010
BRIEF DESCRIPTION: Defines institutionally approved rules when using passwords for authentication.

Introduction | Policy StatementPassword Standards | Related Policies | Policy Home

Definitions:


Introduction:

Many computer systems and applications at the University of Iowa use a login ID and password (or passphrase) as the method of authenticating users. As the university moves toward a single-sign-on environment, where entry of a single login ID and password authenticates you to multiple systems, a robust passphrase provides a major defense against unauthorized use of our systems.

The object when creating a password is to make it as difficult as possible for others to make an educated guess or to programmatically “crack” what you've chosen. An effective method of accomplishing this is by using a "passphrase" form of password.  For example, using several words together, or the first letter of several words from a memorable sentence, event, quote, or song lyric, combined with the other minimum password standard rules, as defined in this policy, can create a strong and sufficiently long passphrase that is easily remembered.  You can protect your own files and University resources by choosing a good passphrase, changing it regularly, and never sharing it with others.

Policy Statement:

This policy applies to all information technology systems and processes at The University of Iowa that create, modify, or use information that is private/confidential or of significant institutional value. All such systems will adhere to the minimum acceptable standards, as described below.

System administrators may choose to implement these standards with a combination of technological controls and local practice. Policies and/or standards adopted by a college or administrative unit must be consistent in principle with this University policy, but may provide additional detail, guidelines or restrictions.

Part 1:  Minimum Password/Passphrase Standards (for all University accounts):

  1. A unique user identifier and password is issued for each user of the system.  The University HawkID (HealthcareID for clinical applications) should be used when possible.
  2. User-initiated password changes must be supported.
  3. Sharing of your individual account ("HawkID","HealthcareID") is prohibited. Passwords must be changed if they have been used, obtained, or suspected to be obtained, by anyone other than the account owner.
  4. Passwords must be changed at least once annually (every 365 days).
  5. Passwords must be stored in a hashed/encrypted format, and will be transmitted over open networks in an encrypted format.
  6. Passwords must pass all of the following composition rules:
    1. a combination of alphabetic, numeric and special characters that does not match previous passwords, and
    2. a minimum of 9 characters, but recommend 15 or more characters passphrase, and
    3. at least one limiting characteristic is used (for example, no character string matches from previous passwords; no consecutive, repeated, or serial characters (e.g., aaaa1111, abcd1234); or no single dictionary words)

Part 2: Additional Password/Passphrase Requirements:

1. Elevated Privilege System Accounts.   Elevated privilege system accounts are those accounts that have the rights required to maintain a system or application – such as operating system, application, or database administrator accounts, or to operate a scientific instrument. Administrators should not use their HawkID account as an elevated privilege system account.  Each systems administrator should be assigned their own elevated privilege system account that is not shared, and is used only when the elevated privileges are required.  Where possible these accounts should use a managed authentication service such as Active Directory, LDAP or RADIUS.  When elevated privilege system accounts are accessed remotely, it is recommended that they are used as part of a multi-factor authentication service.

Elevated privilege system account passwords/passphrases will:
  1. comply with the minimum password standards
  2. be changed at least semi-annually every 180 days)
  3. be at least 15 characters in length when possible
2. HawkIDs with Elevated Privileges.  The special password requirements above may also apply to HawkID accounts that have been assigned a role with elevated privileges. For example this includes an account that has the authority to change other user passwords, or an account that has the authority to assign other users to elevated privilege roles.  

3. HawkIDs with Access to Sensitive Institutional Data.  Some HawkID accounts are used to access sensitive institutional data – such as personally identifiable health information, or human subjects research data that identifies individuals. The Business Owner(s) of such institutional data may require these HawkIDs to have passwords which meet the elevated privilege password requirements.  

4. Local workstation administrator accounts.   The special requirements above also apply to local system administrator accounts where the password is stored on the workstation and account authentication does not rely on a central authentication service.  Local administrator passwords should be unique per computer for computers covered by this policy.   The local administrator account and password should only be used for system administration purposes.

5. Service accounts.  These are accounts where the password is managed within a work group, and include device passwords. Service accounts are subject to the elevated privilege account password complexity requirements but are exempt from the change requirement. These accounts should be reviewed annually to ensure that they are still required for proper operation.  All service account passwords must be changed when a work group member who could have known the service account password leaves the work group.

Part 3: Other Requirements: 

1. Assisted Password Resets:  User account passwords will not be reset if the password administrator cannot identify the user requesting the password change/reset with one of the following:

2. Policy Exception Process:  University applications or services with an implementation that does not meet the minimum standards must be granted a policy exception. The approval process for exceptions requires the system owner to share a technical description and statement of justification for the exception.  This information, and if necessary a security review, are subsequently analyzed and approved as appropriate by the University IT Security Officer. E-mail: it-security@uiowa.edu for more information.  

3. Enforcement:   All computer systems and processes subject to this policy are encouraged to incorporate a managed University authentication service for automated account and password management, or they must implement the password standards locally.  Systems and processes that do not comply with this policy, and have not been granted an exception, will be subject to loss of access to the University campus network.

Related Policies, References and Attachments:
  1. Enterprise Login ID Standard
  2. Enterprise Authentication Policy
  3. Network Citizenship Policy
  4. Institutional Data Policy
  5. Creating a Good Passphrase (http://its.uiowa.edu/support/article/2549)
  6. IT Administrator Resource Library
This collection of University of Iowa Information Technology policies and procedures contain acceptable use, security, networking, administrative, and academic policies that have been developed to supplement and clarify University of Iowa policy.

They are incorporated into the University of Iowa Operations Manual (http://www.uiowa.edu/~our/opmanual/index.html) by reference, per the Policy on Acceptable Use of Information Technology Resources (http://www.uiowa.edu/~our/opmanual/ii/19.htm)