Policy Number: IT - STANDARD 01
Date Drafted: 03/20/2002 (Version 1.0)
Approved Date: 07/19/2010 (Version 1.0)
Approved Date: 04/09/2019 (Version 2.0)

Definitions

A password is a sequence of characters required for access to a computer system or service.
A passphrase is a long password, typically constructed from a sequence of words (for example a line from a song, poem or saying) and making use of letters, spaces and symbols.
A password manager is a software application or hardware device that helps a user store and organize passwords. Password managers usually store passwords encrypted and require the user to create a master password: a single, ideally very strong password that grants the user access to their entire password database.

Many computer systems and applications at the University of Iowa use a login ID and password (or passphrase) to authenticate users. A robust password is a major defense against unauthorized use of our systems. The objective when creating a password is to make it as difficult as possible for others to guess it or to "crack" it programmatically. An effective way to accomplish this is to use a passphrase. For example, several words together, or the first letters of the words in a memorable sentence, event, quote, or song lyric, combined with the other minimum rules defined in this standard, can produce a strong and sufficiently long passphrase that is still easy to remember. You can protect your own files and University resources by choosing a good passphrase, changing it regularly, and never sharing it with others.

Standard Statement

This standard applies to all information technology systems and processes at The University of Iowa that create, modify, or use information that is private/confidential or of significant institutional value. All such systems will adhere to the minimum acceptable standards, as described below.
Policies and/or standards adopted by a college or administrative unit or specified in security requirements required by grants, contracts or other third-party agreements must be consistent in principle with this University standard, but may provide additional detail, guidelines or restrictions.

Part 1:  Minimum Password/Passphrase Standards (for all University accounts)

  1. A unique user identifier and password is issued for each user of the system.  The University HawkID (HealthcareID for clinical applications) should be used when possible.
  2. User-initiated password changes must be supported.
  3. Sharing of your individual account ("HawkID", "HealthcareID") is prohibited. Passwords must be changed if they have been used or obtained, or are suspected to have been obtained, by anyone other than the account owner.
  4. Passwords must be changed at least once annually (every 365 days).
  5. Passwords must be stored in a hashed or otherwise encrypted form, and must only be transmitted over open networks in encrypted form.
  6. Passphrases are recommended, however not all systems support them.
  7. Passwords must pass all of the following composition rules:
     • a combination of alphabetic, numeric and special characters that does not match previous passwords, and
     • a minimum of 9 characters, and
     • at least one limiting characteristic (for example, no character string matches from previous passwords; no consecutive, repeated, or serial characters (e.g., aaaa1111, abcd1234); or no single dictionary words).
  8. Use of a password manager is recommended.

Part 2: Additional Password/Passphrase Requirements

  • The minimum password/passphrase standards specified in this Enterprise Password Standard also apply to non-HawkID accounts with certain forms of elevated privilege, including but not limited to:
    • Administrator IDs (Tech IDs): elevated-privilege accounts assigned to individuals that have the rights required to maintain a system or application (such as operating system, application, or database administrator accounts) or the authority to affect other user accounts (such as password resets or the ability to assign other users to elevated-privilege roles). Administrators should not use their normal HawkID account as an elevated-privilege account. Each system administrator should be assigned their own elevated-privilege account that is not shared and is used only when the elevated privileges are required. Where possible these accounts should use a managed authentication service such as Active Directory, LDAP or RADIUS. Conversely, administrators should not use their elevated-privilege account for normal office activity, including email, web browsing, and business document handling (e.g. Word, Excel, PowerPoint). These activities present a higher risk of inadvertent compromise via phishing, drive-by malware, and malicious document execution.
    • Service IDs where the password is managed within a work group. These accounts should be reviewed annually to ensure that they are still required for proper operation. All service account passwords must be changed when a work group member who could have known the service account password leaves the work group.
    • Local workstations may have administrator accounts where the password is stored on the workstation and account authentication does not rely on a central authentication service. Passwords/passphrases for local workstation administrator accounts should be unique per device. These accounts should only be used for local workstation system administration.
    • In addition to the requirements above, administrator accounts require a minimum password length of 15 characters and a maximum password age of 180 days. This requirement does not apply to HawkID accounts with elevated privileges on a single-user workstation, e.g., a HawkID with administrator privileges on an individual laptop or desktop computer.
  • Multi-factor Authentication: Accounts possessing elevated privileges may be required to use a multi-factor authentication service when they are used remotely.
  • Assisted Password Resets: User account passwords may only be reset if the password administrator can identify the user requesting the password change/reset by one of the following:
    • a secret key or satisfactory answers about personal information held in central database records,
    • a supervisor's or technology support person's personal vouch/identification,
    • a photo ID or human factor such as a biometric scan, or
    • satisfactory challenge-responses in a self-service application.
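Systems that cannot delegate to a managed University authentication service must implement the composition rules of Part 1 (rule 7) and the 15-character administrator minimum of Part 2 locally. The following is an added example of such a check, written for this page and not code from the University's standard. It interprets "a combination of alphabetic, numeric and special characters" as requiring all three classes, treats a run of four or more repeated or serial characters as a violation (the standard's own examples, aaaa1111 and abcd1234, are runs of four), and uses a small constructed stand-in for a dictionary word list; all of these are assumptions of the example, as is the function name check_password.

```python
"""Local enforcement of the password composition rules (Part 1, rule 7) and the
administrator minimum length (Part 2). Added example; the thresholds and the
word list below are assumptions, not values taken from the standard."""

# Constructed stand-in for a dictionary word list. A real deployment would
# load a large wordlist; the standard does not specify one (assumption).
DICTIONARY = {"password", "hawkeye", "iowa", "welcome", "summer", "football"}

# The standard's examples (aaaa1111, abcd1234) are runs of four characters.
# Treating four or more as a violation is this example's assumption.
MAX_RUN = 3

MIN_LENGTH_USER = 9     # Part 1, rule 7
MIN_LENGTH_ADMIN = 15   # Part 2, administrator accounts


def char_classes(pw):
    """Return the set of character classes present: 'alpha', 'digit', 'special'."""
    classes = set()
    for ch in pw:
        if ch.isalpha():
            classes.add("alpha")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")  # punctuation, space, anything else
    return classes


def longest_run(pw, step):
    """Longest run where each code point differs from the previous one by `step`.
    step=0 finds repeated characters (aaaa), step=1 ascending serial characters
    (abcd, 1234) and step=-1 descending serial characters (dcba, 4321)."""
    best = run = 1 if pw else 0
    for prev, cur in zip(pw, pw[1:]):
        if ord(cur) - ord(prev) == step:
            run += 1
            best = max(best, run)
        else:
            run = 1
    return best


def check_password(pw, previous=(), min_length=MIN_LENGTH_USER):
    """Return the list of violated rules; an empty list means the password passes.

    `previous` holds earlier passwords for the reuse check. Real systems keep
    only hashes of previous passwords, so in practice this comparison is done
    by hashing the candidate with each stored salt; only exact reuse can be
    detected that way, which is all this example checks."""
    violations = []
    if len(pw) < min_length:
        violations.append(f"shorter than {min_length} characters")
    if char_classes(pw) != {"alpha", "digit", "special"}:
        violations.append("must mix alphabetic, numeric and special characters")
    if longest_run(pw, 0) > MAX_RUN:
        violations.append("contains repeated characters (e.g. aaaa)")
    if longest_run(pw, 1) > MAX_RUN or longest_run(pw, -1) > MAX_RUN:
        violations.append("contains serial characters (e.g. abcd, 4321)")
    # "No single dictionary words": strip digits and punctuation and reject if
    # what remains is one dictionary word (this example's interpretation).
    core = "".join(ch for ch in pw if ch.isalpha()).lower()
    if core in DICTIONARY:
        violations.append("is a single dictionary word with decoration")
    if any(pw.lower() == p.lower() for p in previous):
        violations.append("matches a previous password")
    return violations


if __name__ == "__main__":
    # Constructed sample candidates, including the standard's own bad examples.
    for candidate in ["abcd1234!", "aaaa1111!", "Password1!",
                      "Hawks win @ Kinnick 2019"]:
        print(repr(candidate), check_password(candidate) or "OK")
    # The same passphrase checked against the administrator minimum length.
    print(check_password("Hawk3ye!Go", min_length=MIN_LENGTH_ADMIN))
```

The serial-character check compares code points, so it catches digit runs (1234), letter runs (abcd) and descending runs (4321) with one routine; a passphrase of several ordinary words with spaces passes every rule, which is the outcome Part 1 rule 6 recommends.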

Part 3: Enforcement and Exceptions

  • Enforcement:   All computer systems and processes subject to this standard are encouraged to incorporate a managed University authentication service for automated account and password management, or they must implement the password standards locally.  Systems and processes that do not comply with this standard, and have not been granted an exception, will be subject to loss of access to the University campus network.
  • Exception Process:  University applications or services with an implementation that does not meet the minimum standards must be granted an exception. The approval process for exceptions requires the system owner to provide a technical description of the implementation and a statement of justification for the exception.  This information, and if necessary a security review, are then analyzed and approved as appropriate by the University Information Security and Policy Office. E-mail it-security@uiowa.edu for more information.