Password Standard

1.0 Overview

Password guessing, or “cracking”, is often automated given the ubiquity of inexpensive and fast computing resources that can be combined with well-known attack methods or malicious software. Highly motivated criminals constantly use automated processes to probe systems for accounts that have weak passwords or weak or missing account lock-out mechanisms. In some situations, criminals may store compromised passwords for long periods. Poorly chosen or poorly managed passwords can lead to system and data compromise, which in turn can have undesired consequences for UT Arlington.

2.0 Objective / Purpose

This document describes the minimum acceptable standards for password construction and management in order to greatly reduce the risks that may lead to password compromise. The standards established in this document are derived from best practices and are intended to conform to, and be consistent with, requirements in UTS 165 and the U. T. System Identity Management Federation Member Operating Practices (MOP).

3.0 Scope

The requirements in this standard apply to passwords assigned to any account created on any University owned or controlled information resource. This includes, but is not limited to:

  • UT Arlington NetID
  • All non-centrally managed local user accounts.
  • All accounts that have system-wide privilege (e.g. administrator, root, or equivalent accounts).
  • All service accounts.
  • All database accounts.

4.0 Standard

4.1 Password Construction

All passwords assigned to users or service accounts shall be constructed following these minimum standards:

4.1.1 Minimum Password Length

Passwords shall have a minimum of eight characters.

4.1.2 Password Complexity

Passwords shall contain at least the following mix of alphanumeric and special characters:

a) At least one uppercase character.
b) At least one lowercase character.
c) At least one number.
d) At least one non-alphanumeric character permitted by the system (e.g. ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/)

4.1.3 Restrictions on dictionary words

Passwords shall not contain dictionary words or other public identifiers, including:

a) Dictionary words in any language.
b) Well-known passwords, names or phrases (e.g. “password”, “123456”, etc.).
c) The username (e.g. NetID) or the account holder’s name.

4.2 Password Expiry

All user passwords shall expire, at minimum, every 180 days.

4.3 Password Lock-out

Accounts shall be locked after 10 consecutive failed login attempts.

4.4 Password reuse

Users shall not reuse the last 5 passwords.
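
The construction rules in section 4.1 and the reuse rule in section 4.4 are concrete enough to enforce in code. The following Python checker is an added example, not part of this standard or of any UT Arlington system: it reports which rule a candidate password violates, and it keeps a salted-hash history of the last five passwords so that a previous password can be rejected without ever storing it in clear. The dictionary and well-known-password lists, the four-character threshold for dictionary matching, the three-character threshold for name parts, and the PBKDF2 parameters are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

MIN_LENGTH = 8        # 4.1.1
HISTORY_DEPTH = 5     # 4.4
# Special characters permitted by 4.1.2(d), copied from the standard's example set.
SPECIAL_CHARS = set("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/")

# Constructed sample word lists (assumption for this example). A deployment would
# load a full multi-language dictionary and a breached-password list instead.
DICTIONARY_WORDS = {"summer", "maverick", "welcome", "arlington"}
WELL_KNOWN_PASSWORDS = {"password", "123456", "qwerty", "letmein"}


def _contains_word(password: str, words, min_len: int) -> bool:
    """True if any listed word of at least min_len characters appears in the password (case-insensitive)."""
    lowered = password.lower()
    return any(len(w) >= min_len and w in lowered for w in words)


def check_construction(password: str, username: str, full_name: str) -> List[str]:
    """Return the 4.1 rules the password violates; an empty list means the password is acceptable."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("4.1.1 shorter than 8 characters")
    if not any(c.isupper() for c in password):
        failures.append("4.1.2(a) no uppercase character")
    if not any(c.islower() for c in password):
        failures.append("4.1.2(b) no lowercase character")
    if not any(c.isdigit() for c in password):
        failures.append("4.1.2(c) no digit")
    if not any(c in SPECIAL_CHARS for c in password):
        failures.append("4.1.2(d) no permitted special character")
    # Short dictionary entries ("a", "is") would reject everything, so only words of
    # four or more characters are matched; this threshold is an assumption of the example.
    if _contains_word(password, DICTIONARY_WORDS, min_len=4):
        failures.append("4.1.3(a) contains a dictionary word")
    if _contains_word(password, WELL_KNOWN_PASSWORDS, min_len=1):
        failures.append("4.1.3(b) contains a well-known password")
    lowered = password.lower()
    name_parts = [p for p in re.split(r"\s+", full_name.lower()) if len(p) >= 3]
    if username.lower() in lowered or any(p in lowered for p in name_parts):
        failures.append("4.1.3(c) contains the username or account holder's name")
    return failures


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; history entries store (salt, digest), never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def is_reused(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """True if the password matches any of the last HISTORY_DEPTH stored hashes (4.4)."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def record_password(password: str, history: List[Tuple[bytes, bytes]]) -> List[Tuple[bytes, bytes]]:
    """Return the history with the new password's hash appended, trimmed to HISTORY_DEPTH entries."""
    return (history + [hash_password(password)])[-HISTORY_DEPTH:]


def change_password(new_password: str, username: str, full_name: str,
                    history: List[Tuple[bytes, bytes]]) -> Tuple[List[str], List[Tuple[bytes, bytes]]]:
    """Apply 4.1 and 4.4 together; on success the returned history includes the new password."""
    failures = check_construction(new_password, username, full_name)
    if is_reused(new_password, history):
        failures.append("4.4 reuses one of the last 5 passwords")
    if failures:
        return failures, history
    return [], record_password(new_password, history)


if __name__ == "__main__":
    # Constructed account details for the demonstration.
    user, name, hist = "jdoe1", "Jane Doe", []
    for candidate in ["JaneDoe2024!", "Welcome2024!", "Tr0ub4dor&3x", "Tr0ub4dor&3x"]:
        problems, hist = change_password(candidate, user, name, hist)
        print(candidate, "->", "accepted" if not problems else "; ".join(problems))
```

The checker deliberately reports every violated rule rather than stopping at the first, which gives the user one actionable message and gives the help desk a log entry that shows which rule is tripping most often. The history stores only salt and digest, so a breach of the history table does not expose past passwords, and `hmac.compare_digest` keeps the comparison constant-time.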