
Password Standard

1.0 Overview

Password guessing, or “cracking”, is often automated given the ubiquity of inexpensive and fast computing resources that can be combined with well-known attack methods or malicious software. Highly motivated criminals are constantly using automated processes to probe systems for accounts that have weak passwords or weak account lock-out mechanisms. In some situations, criminals may store compromised passwords for long periods. Poorly chosen passwords or poor password management can lead to system and data compromise, which, in turn, can have undesired consequences for UT Arlington.

2.0 Objective / Purpose

This document describes the minimum acceptable standards for password construction and management in order to greatly reduce the risks that may lead to password compromise. The standards established in this document are derived from best practices and are intended to conform to, and be consistent with, requirements in UTS 165 and the U. T. System Identity Management Federation Member Operating Practices (MOP).

3.0 Scope

The requirements in this standard apply to passwords assigned to any account created on any University owned or controlled information resource. This includes, but is not limited to:

  • UT Arlington NetID
  • All non-centrally managed local user accounts.
  • All accounts that have system-wide privilege (e.g. administrator or root, or equivalent accounts).
  • All service accounts.
  • All database accounts.

4.0 Standard

Password Owners are responsible for adhering to these minimum standards, where technically feasible. In the case of a technical limitation, compensating controls such as those listed below shall be implemented:

  • Two factor authentication, whereby an account requires an additional authentication method for successful logon.
  • System isolation with the use of intermediary systems such as “jump” servers or VPN that support this standard.
  • Where system limitations prevent password complexity (e.g. limitation with special characters), the minimum password length shall be increased to 12 characters.

4.1 Password Construction

All passwords assigned to users or service accounts shall be constructed following these minimum standards:

4.1.1 Minimum Password Length

Passwords shall have a minimum of eight characters.

4.1.2 Password Complexity

Passwords shall have the following minimum mix of alphanumeric and special characters. Specifically:

  • At least one uppercase character.
  • At least one lowercase character.
  • At least one number.
  • At least one non-alphanumeric character permitted by the system (e.g. ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/).

4.2 Password Expiration

All user passwords shall expire, at minimum, every 180 days.

4.3 Password Lock-out

Accounts shall be locked after 10 consecutive failed logon attempts.
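The lock-out rule above hinges on the word "consecutive": a successful logon resets the counter, and once the account is locked even a correct password is rejected until an administrator unlocks it. The following tracker is an added example written for this page, not code from UT Arlington or OIT; the threshold of 10 comes from rule 4.3, while the class and method names, and the in-memory storage, are assumptions.

```python
"""Consecutive-failure lock-out tracker illustrating rule 4.3.

Added example, not part of the UT Arlington Password Standard. The threshold
of 10 is taken from rule 4.3; the data model and method names are assumed.
"""
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 10  # rule 4.3: lock after 10 consecutive failed attempts


@dataclass
class AccountState:
    consecutive_failures: int = 0
    locked: bool = False


class LockoutTracker:
    """Tracks failed logons per account and locks at the threshold."""

    def __init__(self, threshold: int = LOCKOUT_THRESHOLD):
        self.threshold = threshold
        self.accounts: dict[str, AccountState] = {}  # in-memory store (assumption)

    def _state(self, username: str) -> AccountState:
        return self.accounts.setdefault(username, AccountState())

    def record_attempt(self, username: str, credentials_valid: bool) -> str:
        """Record one logon attempt and return 'ok', 'failed' or 'locked'.

        A locked account answers 'locked' regardless of the credentials, so an
        attacker who reaches the right password after the lock gains nothing.
        A valid logon before the lock resets the counter: only *consecutive*
        failures count, as rule 4.3 requires.
        """
        state = self._state(username)
        if state.locked:
            return "locked"
        if credentials_valid:
            state.consecutive_failures = 0
            return "ok"
        state.consecutive_failures += 1
        if state.consecutive_failures >= self.threshold:
            state.locked = True
            return "locked"
        return "failed"

    def unlock(self, username: str) -> None:
        """Administrative reset after the owner has been verified."""
        self.accounts[username] = AccountState()

    def is_locked(self, username: str) -> bool:
        return self._state(username).locked


def simulate(tracker: LockoutTracker, username: str, attempts: list) -> list:
    """Feed a constructed sequence of True/False attempts and return the outcomes."""
    return [tracker.record_attempt(username, ok) for ok in attempts]


if __name__ == "__main__":
    t = LockoutTracker()
    # Constructed scenario: nine failures, one success, then ten failures.
    print(simulate(t, "jdoe42", [False] * 9 + [True] + [False] * 10))
    print("locked:", t.is_locked("jdoe42"))
```

Note that the tracker deliberately does not tell the caller whether the username exists or why an attempt failed; returning the same three outcomes for every account keeps the lock-out mechanism from becoming a username enumeration oracle.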

4.4 Password reuse

Users shall not reuse the last 5 passwords.

5.0 Password Owner Responsibilities

Password Owners are ultimately responsible for the security of the passwords assigned to them and are required to follow all established policies, standards, procedures or guidelines for protecting information under their purview.

5.1 Compromised Password

Passwords must be changed immediately if secrecy is compromised.

5.2 Password Sharing

Individual User passwords must not be shared with anyone.

5.3 Service and Database Account Passwords

Service and Database Account passwords shall not be shared with anyone who is not authorized; such passwords must be changed when an individual with knowledge is no longer authorized to access or use the associated account.

5.4 Separate Credentials for Non-UTA Accounts

Users must not use the same username and password combination that is implemented on a UTA information resource on non-UTA applications or systems.

5.5 Storing Centrally Managed Passwords

Users must never insecurely record or store centrally managed passwords, including those assigned to NetIDs, electronically or on paper.

5.6 Storing Non-Centrally Managed Passwords

Account passwords that are not centrally managed and are used for protecting university information must be stored securely, and account access must be made available to the institution upon request.

5.7 Easily Guessed Passwords to Avoid

Password Owners must not select passwords that contain dictionary words or other public identifiers, including:

  • Dictionary words in any language.
  • Well-known passwords, names or phrases (e.g. “password”, “123456”, etc.).
  • The username (e.g. NetID) or the account holder’s name.
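The construction rules in 4.1, the reuse rule in 4.4, the 12-character fallback in 4.0 and the guessability rules in 5.7 are all checks a system can enforce at password-change time. The validator below is an added example written for this page, not OIT's or UT Arlington's code: the thresholds come from the standard, while the function names, the salted PBKDF2 history scheme, and the small constructed word lists (a real deployment would load full multi-language dictionaries and a breached-password list) are assumptions.

```python
"""Password-change validator for rules 4.0, 4.1.1, 4.1.2, 4.4 and 5.7.

Added example, not part of the UT Arlington Password Standard. Thresholds
are taken from the standard; names, hashing scheme and word lists are assumed.
"""
import hashlib
import hmac
import os

MIN_LENGTH = 8                # 4.1.1
MIN_LENGTH_NO_SPECIAL = 12    # 4.0: compensating control when special characters are unsupported
HISTORY_DEPTH = 5             # 4.4: last 5 passwords may not be reused
SPECIALS = set("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/")  # 4.1.2 example set

# Constructed sample lists; production code would load real dictionaries.
DICTIONARY_WORDS = {"password", "welcome", "summer", "maverick", "arlington"}
WELL_KNOWN = {"password", "123456", "qwerty", "letmein", "password1"}


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256 so the history never stores plaintext (assumed scheme)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def in_history(password: str, history) -> bool:
    """True if the candidate matches any of the last HISTORY_DEPTH stored hashes."""
    for salt, digest in list(history)[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(password: str, username: str, full_name: str,
                   history=(), specials_supported: bool = True) -> list:
    """Return the list of violated rule labels; an empty list means the password is acceptable."""
    problems = []

    # 4.1.1 length, with the 4.0 fallback when the system cannot take special characters
    min_len = MIN_LENGTH if specials_supported else MIN_LENGTH_NO_SPECIAL
    if len(password) < min_len:
        problems.append("4.1.1 length")

    # 4.1.2 complexity
    if not any(c.isupper() for c in password):
        problems.append("4.1.2 uppercase")
    if not any(c.islower() for c in password):
        problems.append("4.1.2 lowercase")
    if not any(c.isdigit() for c in password):
        problems.append("4.1.2 digit")
    if specials_supported and not any(c in SPECIALS for c in password):
        problems.append("4.1.2 special")

    # 5.7 easily guessed content (case-insensitive substring matching)
    lowered = password.lower()
    if lowered in WELL_KNOWN:
        problems.append("5.7 well-known")
    if any(word in lowered for word in DICTIONARY_WORDS if len(word) >= 4):
        problems.append("5.7 dictionary")
    identifiers = [username.lower()] + [part.lower() for part in full_name.split()]
    if any(len(part) >= 3 and part in lowered for part in identifiers):
        problems.append("5.7 identifier")

    # 4.4 reuse against the stored history
    if in_history(password, history):
        problems.append("4.4 reuse")

    return problems


if __name__ == "__main__":
    # Constructed history for user jdoe42 (Jane Doe): one previous password.
    history = [hash_password("Old#Secret9")]
    for candidate in ["Tr0ub4dor&3", "Password1!", "jdoe42!Xy", "Old#Secret9", "Weak1"]:
        print(candidate, "->", check_password(candidate, "jdoe42", "Jane Doe", history))
```

Two design points worth copying: the history holds only salted hashes, so the reuse check cannot leak old passwords if the store is read, and the identifier check is a substring match rather than equality, because "jdoe42!Xy" satisfies every complexity rule while still being built from the NetID that rule 5.7 forbids.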

6.0 Definitions

The definitions found in this section are to be interpreted consistently with other definitions in Texas Administrative Code 202, University of Texas System 165, and other policies found in the Handbook of Operating Procedures covering Information Technology and Security. Where definitions do not exist in this policy, the definitions shall be derived from those policies or regulations.

6.1 Centrally Managed – Managed by OIT.

6.2 Password Owner – A User who is assigned a password, or a Custodian responsible for a service or database password.

7.0 Updates or modifications to this Standard

This standard will be modified as necessary to address changes in technology and related risks, and is intended to complement, and does not supersede, prevailing best practices, relevant UT System or UT Arlington policies and procedures governing the security of mobile devices. In the absence of specific policies, policy statements found in this document will stand as provisional until such time as they are incorporated into a HOP policy or procedure. Significant changes to this guideline will be announced to Information Security Administrators and/or in the MavWire.