Enterprise Password Standard
Approved Date: 03/20/2002
Revisions: 07/19/2020, 04/09/2019, 10/17/2022
A user account is an identity that is directly tied to an individual and is used in the performance of that individual’s work role or job function. This may include user accounts with elevated privileges. This also includes accounts used by people outside the university (such as contractors or vendors), whenever those accounts are used to access university systems.
A service account is an identity that is tied to a system service or function within an information system. Although it may be controlled by an individual, the individual may not be interactively present when the service account is used by the system. This is normally used as part of automated processes between applications or systems, and does not require interactivity on the part of an individual.
Many computer systems and applications at the University of Iowa use a login ID and password (or passphrase) as the method of authenticating users. A robust password provides a major defense against unauthorized use of our systems. The objective when creating a password is to make it as difficult as possible for others to make an educated guess or to programmatically "crack" what you've chosen. An effective way to accomplish this is to use a "passphrase" form of password. For example, using several words together, or the first letter of several words from a memorable sentence, event, quote, or song lyric, combined with the other minimum password rules defined in this standard, can create a strong and sufficiently long passphrase that is easily remembered. You can protect your own files and University resources by choosing a good passphrase, changing it regularly, and never sharing it with others or reusing it on non-University accounts.
This standard applies to all information technology systems and processes at The University of Iowa that interact with Institutional Data (as defined in the Institutional Data Policy). All such systems will adhere to the minimum acceptable standards, as described below.
Policies and/or standards adopted by a college or administrative unit or specified in security requirements required by grants, contracts or other third-party agreements must be consistent in principle with this University standard, but may provide additional detail, guidelines, or restrictions.
Part 1: User Accounts Password Standard (for all University accounts)
- This standard applies to all account types that are tied to an individual. This includes HawkID and HealthcareID, as well as privileged user accounts such as AdminID, TechID, or "-s" account types.
- User-initiated password changes must be supported.
- Sharing of your user account (HawkID, HealthcareID) password is prohibited. Passwords must be changed if they have been used or obtained, or are suspected to have been obtained, by anyone other than the account owner.
- Passwords must be changed at least once annually (every 365 days).
- Passwords must be stored in a hashed/encrypted format and must be transmitted over open networks only in an encrypted form.
- Passphrases are recommended; however, not all systems support them.
- Passwords must pass the following composition rules: a minimum of 15 characters, a combination of alphabetic, numeric, and special characters, and no match with previous passwords.
- Use of a password manager is recommended.
- Administrator IDs (AdminIDs, TechIDs) are IDs assigned to individuals with elevated privilege system accounts that have the rights required to maintain a system or application (such as operating system, application, or database administrator accounts) or the authority to impact other user accounts (such as password resets or the ability to assign other users to elevated privilege roles).
- Administrators will not use their normal user account as an elevated privilege system account. Each system administrator should be assigned their own elevated privilege system account that is not shared and is used only when the elevated privileges are required in the performance of their duties.
- Where possible, these accounts should use a managed authentication service such as Active Directory, LDAP or RADIUS.
- Conversely, Administrators should not use their elevated privilege system account for normal office activity, including email, web browsing, and business file manipulation (e.g. Word, Excel, PowerPoint). These activities present a higher risk of inadvertent compromise via phishing, drive-by malware, and malicious document execution.
- Different scopes of administrative privilege require different administrative accounts. For example, a separate Administrative account beyond a standard Administrative account will be assigned for privileges related to Domain or Enterprise Administration.
- Multi-factor Authentication: Accounts possessing elevated privileges or accessing sensitive information may require the use of multi-factor authentication in order to validate the identity of the user attempting to use the account credentials.
- Assisted Password Resets: User account passwords may only be reset if the password administrator can identify the user requesting the password change/reset with one of the following:
  - A secret key or satisfactory answers about personal information held in central database records
  - A supervisor or technology support person's personal voucher or identification
  - A photo ID or human factor such as a biometric scan
  - Satisfactory challenge-responses in a self-service application
Part 2: Service Account Password Standards
- This standard applies to all Service accounts. These accounts should be reviewed annually to ensure that they are still required for proper operation. All service account passwords must be changed when a work group member who could have known the service account password leaves the work group.
- Local workstations may have administrator accounts where the password is stored on the workstation and account authentication does not rely on a central authentication service. Passwords/passphrases for local workstation administrator accounts should be unique per device. These accounts should only be used for local workstation system administration.
- In addition to the requirements for user accounts above, service accounts require:
  - A minimum password length of 25 characters
  - Password expiration may be indefinite based on the needs of the service account, but the password should still be changed upon transition of workgroup staff or when account compromise is suspected.
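The composition rules in Part 1 (15-character minimum, mixed character classes, no reuse of a previous password, hashed storage) and the 25-character minimum for service accounts in Part 2 can be enforced in code. The following checker is an added example, not part of the University's standard or any University system; it assumes a salted PBKDF2 hash for stored passwords, a work factor chosen for the example, and treats any character that is not a letter, digit or whitespace as a "special" character, since the standard does not define that term.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Sequence, Tuple

# Minimum lengths stated in the standard: 15 for user accounts, 25 for service accounts.
MIN_LENGTH = {"user": 15, "service": 25}
# Work factor is an assumption for this example, not a value from the standard.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); only this pair is stored, never the plaintext."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches_previous(password: str, history: Sequence[Tuple[bytes, bytes]]) -> bool:
    """Re-hash the candidate under each stored salt and compare in constant time."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(password: str, account_type: str,
                   history: Sequence[Tuple[bytes, bytes]] = ()) -> List[str]:
    """Return the list of rules the password violates; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH[account_type]:
        problems.append(f"shorter than {MIN_LENGTH[account_type]} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no alphabetic character")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    # Assumed definition of "special": neither alphanumeric nor whitespace.
    if not any(not c.isalnum() and not c.isspace() for c in password):
        problems.append("no special character")
    if matches_previous(password, history):
        problems.append("matches a previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample: a passphrase that satisfies the user-account rules
    # but falls short of the 25-character service-account minimum.
    sample = "Hawkeyes-win-in-2024!"
    print("user:", check_password(sample, "user"))
    print("service:", check_password(sample, "service"))
```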
Part 3: Enforcement and Exceptions
- Enforcement: All computer systems and processes subject to this standard are encouraged to incorporate a managed University authentication service for automated account and password management, or they must implement the password standards locally. Systems and processes that do not comply with this standard, and have not been granted an exception, will be subject to loss of access to the University campus network. Additionally, accounts that pose a threat to the campus network (e.g., compromised via phishing or other means) may have their passwords reset.
- Exception Process: University applications or services with an implementation that does not meet the minimum standards must be granted an exception. The approval process for exceptions requires the system owner to share a technical description and statement of justification for the exception. This information, and if necessary a security review, are subsequently analyzed and approved as appropriate by the University Information Security and Policy Office. Request a security exception.
Appendix A: Related Policies, References and Attachments
The collection of University of Iowa Information Technology policies and procedures contains acceptable use, security, networking, administrative, and academic policies that have been developed to supplement and clarify University of Iowa policy.
Information technology policies are incorporated into the University of Iowa Operations Manual (available online at https://opsmanual.uiowa.edu), through the Policy on Acceptable Use of Information Technology Resources (see http://opsmanual.uiowa.edu/community-policies/acceptable-use-information-technology-resources).
All information technology policies are available at https://itsecurity.uiowa.edu/policies-standards-guidelines. Best practices documents are available at (internal link under development)
- Acceptable Use of Information Technology Resources
- Enterprise Authentication, Authorization, and Access Policy