Information Resources Use and Security Policy

18. Passwords

Strong passwords shall be used to control access to the university's Information Resources. All account passwords associated with the university's Information Resources must be constructed, implemented, and maintained according to the following, as technology permits:

18.1. Vetting User identity when issuing or resetting a password;

18.2. Account passwords must comply with the following password strength requirements:

18.2.1. Account passwords associated only with Category-II or \-III data must:

18.2.1.1. Be between at least 6 characters in length; and

18.2.1.2. Be minimally composed of case sensitive letters and digits.

18.2.2. Account passwords associated only with Category-II or \-III data must not:

18.2.2.1. Include personal information such as your name, phone number, social security number, date of birth, or addresses; or

18.2.2.2. Contain words found in a dictionary

18.2.3. Account passwords associated with Category-I data must:

18.2.3.1. Be at least 8 characters in length; and

18.2.3.2. Contain letters, numbers, and special characters (for example \! @ # $ % & * ( ) - + = < >)

18.2.4. Account passwords associated with Category-I data must not:

18.2.4.1. Include personal information such as your name, phone number, social security number, date of birth, or addresses;

18.2.4.2. Contain words found in a dictionary;

18.2.4.3. Re-use any of the account's last 10 passwords;

18.2.4.4. Contain a series of the same character; or

18.2.4.5. Contain the user's account name or respective UT-EID.

18.3. All password change procedures must include the following:

18.3.1. Authentication of the user prior to changing the password (acceptable forms of authentication include answering a series of specific questions, showing one or more forms of photo ID, etc.).

18.3.2. The new password must comply with password strength requirements associated with the data classification for the service in question.

18.4. University identity credentials (security tokens, security certificates, smartcards, and other access and identification devices) must be disabled or returned to the appropriate department or entity on demand or upon termination of the relationship with the university. Additional operating guidelines for university ID cards are referenced in the University Identification Card Guidelines and the Data Encryption Guidelines.

18.5. Unattended computing devices must be secured from unauthorized access. Physical security options include barriers such as locked doors or security cables. Logical security options include screen saver passwords and automatic session time-outs.

For more information on creating secure "strong" passwords please see the Password Guidelines published by Information Technology Services.