AC-002.02 – Password Management and Complexity

Responsible Office: Office of Cybersecurity

Last Review: 01/12/2023 Next Review: 01/12/2025

Contact: Chris Madeksho

Phone: 901.448.1579

Email: mmadeksh@uthsc.edu

Purpose

Users of UTHSC networks, systems, or applications are supplied with a unique user account ID and a password (i.e., a password, passphrase, or PIN), or another individually identifiable authentication method, to gain access to such systems and to protect them from unauthorized use. A poorly chosen password, passphrase, or PIN may result in unauthorized access to and/or exploitation of UTHSC data and systems. This practice guides users in creating, protecting, and changing passwords so that they are strong, secure, and protected. This standard is also designed to meet compliance requirements for data regulated by federal or state law. This includes, but is not limited to, security requirements and safeguards for the Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), or Gramm-Leach-Bliley Act (GLBA).

Scope

This practice applies to all members of the UTHSC community, representing UTHSC in any capacity, who have been granted access to any system or data by means of an authenticator based on a unique user account ID and password (i.e., a password, PIN, passphrase, etc.).

Definitions

Passphrase – a memorized secret consisting of a sequence of words or other text that a claimant uses to authenticate their identity. A passphrase is similar to a password in usage but is generally longer for added security.

Password – a string of characters (letters, numbers, and other symbols) used to authenticate an identity or to verify access authorization.

PIN – Personalized Identification Number – a memorized secret typically consisting of only decimal digits.

Responsibilities

The UTHSC campus community is responsible for creating strong passwords or passphrases and keeping them protected, ensuring the security of the campus.

Practice

  1. All users with access to any systems, networks, and/or data while representing UTHSC are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
  2. Any user suspecting that his/her password may have been compromised must report the incident to the Office of Cybersecurity and change all affected passwords.
  3. Any suspected or known compromised accounts will be investigated by the Security Incident Response Team in accordance with IR-001-Security Incident Response.
  4. Shared accounts and passwords shall not be used except in the following situations:
    1. When multiple administrative system accounts cannot be established. In such a case, a risk assessment should be performed by the system owner. Mitigation of the assessment would include documented procedures to safeguard the account credentials.
    2. Multi-use workstations may have a generic account for access to the device only, in which case no data or information classified other than Public may be stored on the device.
  5. Passwords must meet the following requirements:
    1. General
      1. Default passwords included as a part of any system must be changed as soon as practical with a password that complies with the Complexity Requirements, and in all cases prior to the system being placed onto any network. This includes, but is not limited to, SNMP community strings.
      2. Passwords stored in clear-text in any form (including paper) or format must be kept either in a secured system or be encrypted.
      3. Transmission of passwords by any means must use encryption. When communicated orally, precautions must be taken to prevent the password from being overheard by unauthorized individuals.
      4. The passwords to system and service accounts essential to the operation of an information system must be known or accessible to more than a single person. Such passwords must meet the Complexity Requirements, be stored in a secure manner, and be changed on a schedule relative to the risk of exposure and, at a minimum, when those with knowledge of the password terminate or are re-assigned.
      5. Upon creation or reset of an account, the system should prompt the user to create an initial password that complies with the Complexity Requirements. In cases where this is not possible, the initial password must be unique, comply with the Complexity Requirements, and require that the user change the password upon the first use.
      6. Minimize the use of the same password for different access needs.
    2. Complexity Requirements
      1. Be at least 8 characters and no more than 40 characters in length
      2. Contain some combination of at least three of the following:
        • Uppercase letters
        • Lowercase letters
        • Numbers
        • Punctuation & Symbols (Accepted: `!@#$^&*()_-={}|[]:;'<>?,)
      3. May not contain a significant portion of your username or display name
      4. Not be a word in any dictionary
      5. Not be solely based on easily guessed personal information, names of family members, pets, etc.
    3. Reuse
      1. The last 10 passwords may not be reused
    4. Special requirements
      1. Accounts with system-level privileges must have a unique password from all other accounts with access to system-level privileges.
    5. Change Timeline
      1. Passwords between eight and twelve characters in length will be changed every 180 days.
      2. Passwords of at least twelve characters will not expire.
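A validator for the Complexity Requirements and Change Timeline above, written here as an added example; it is not part of the UTHSC practice or of any UTHSC system. It assumes that a "significant portion" of a username or display name means any run of four or more consecutive characters (the practice does not define this), takes the dictionary for rule 4 as a caller-supplied word list, and leaves the personal-information rule (5) to human review since it needs data the policy does not supply.

```python
import string

# Symbol set exactly as listed under Complexity Requirements (note: '%' is not in it,
# so a password whose only non-alphanumeric character is '%' gets no symbol credit).
ACCEPTED_SYMBOLS = set("`!@#$^&*()_-={}|[]:;'<>?,")
MIN_LEN, MAX_LEN = 8, 40
# Assumption (not defined in the practice): a "significant portion" of a name is
# any run of NAME_FRAGMENT_LEN or more consecutive characters, case-insensitive.
NAME_FRAGMENT_LEN = 4


def _name_fragments(name, n=NAME_FRAGMENT_LEN):
    """All lower-cased substrings of length n; empty for names shorter than n."""
    name = name.lower()
    return {name[i:i + n] for i in range(len(name) - n + 1)}


def check_complexity(password, username="", display_name="", dictionary=frozenset()):
    """Return the list of rule violations; an empty list means the password passes.
    `dictionary` is a caller-supplied lower-cased word list for rule 4."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:                       # rule 1
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    classes = [                                                        # rule 2
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c in ACCEPTED_SYMBOLS for c in password),
    ]
    if sum(classes) < 3:
        problems.append("needs at least three of: upper, lower, digit, symbol")
    lowered = password.lower()
    for label, name in (("username", username), ("display name", display_name)):
        if name and any(frag in lowered for frag in _name_fragments(name)):   # rule 3
            problems.append(f"contains a significant portion of the {label}")
    if lowered in dictionary:                                          # rule 4
        problems.append("is a dictionary word")
    return problems


def expiry_days(password):
    """Change Timeline: passwords shorter than twelve characters are changed every
    180 days; passwords of twelve or more characters do not expire (None)."""
    return None if len(password) >= 12 else 180
```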

References

  1. AC-001-Access Control
  2. AC-002-Authentication
  3. IR-001-Security Incident Response
  4. NIST Glossary of Terms

AC-002.02 – Password Management and Complexity
Version: 7 // Effective: 03/17/2016