This policy applies to all University workforce, faculty and student members (including, but not limited to: faculty, staff, students, temps, trainees, volunteers, and other persons as deemed appropriate) while conducting/performing work, teaching, research or study activity using University resources, and includes all facilities, property, data and equipment owned, leased and/or maintained by the University or affiliates.
July 23, 2007
All computer accounts must be password protected to help maintain the confidentiality and integrity of electronic data as well as to help protect the University's computing resources and infrastructure. This policy establishes a minimum standard for creation of strong passwords, the protection of those passwords, and the frequency of change.
REASON FOR POLICY
The purpose of this policy is to establish minimum requirements for the creation and protection of passwords.
Passwords to university accounts and devices must be kept confidential.
To preserve account integrity, the owner of the account must be the only person with knowledge of the password.
No user is required to share a university account password with another individual, including but not limited to managers, co-workers, or technical staff.
Passwords that have been, or are suspected to have been, compromised must be changed immediately.
UofL Network and/or Enterprise System/Application Accounts
(In addition to the general standard above, these standards apply to UofL network and enterprise system/application accounts)
Account holders should set up their challenge questions to facilitate self-service password resets (go to ULink).
Notification of password expiration will be provided to account holders 30 days in advance of the password expiration and three additional times: 15, five, and one day before expiration.
Passwords used for shared/service accounts must be changed immediately if compromised or when a holder transfers or leaves the university.
Passwords allowing for temporary access to production environments for problem resolution must be changed immediately or the account terminated following use.
Initial access (first time log in) passwords must be changed immediately upon login.
Passwords or pass phrases must be encrypted and not stored in clear text or in viewable, non-secured hardcopy.
Passwords must expire every 180 days.
Passwords to systems containing sensitive information, including electronic Protected Health Information (ePHI) must be changed no less often than every 90 days.
Passwords must be between 8 and 16 characters in length.
Strong passwords must be used. A strong password must include a combination of:
- at least 1 special character except &, >, ", <, ;
- at least 1 number character
- at least 1 lower case character
- at least 1 upper case character
Password must not match or contain user ID
Password must not contain more than four identical characters in a row
Passwords must not match or contain the user's first name or last name
Passwords to systems containing sensitive information, including ePHI, must require at least three of the four criteria specified immediately above.
Passwords must not consist solely of personal information or words found in a dictionary (any language).
Passwords must not be set to easily guessable words like the word “password”.
The following words are restricted from use: Louisville, UofL, Cards, Cardinals, L1C4 and any variation of the current year (e.g., 2018).
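The complexity rules above can be checked mechanically before a password is accepted. The following validator is an added example written for this page; it is not the university's code and not the ULink password tool. It implements the length, character-class, user ID, name, repeated-character, "password" and restricted-word rules as stated. Three points are assumptions: the five excluded characters (& > " < ;) are treated as not allowed anywhere in the password, "any variation of the current year" is approximated by the four-digit year and its two-digit form, and the "at least three of the four criteria" wording for systems holding sensitive information is modelled by the `required_classes` parameter. The dictionary-word rule needs a word list and is not implemented here.

```python
import re
import string
from datetime import date

# Characters the policy excludes from the accepted special-character set.
# Assumption: their presence anywhere in the password is a violation.
DISALLOWED_SPECIALS = set('&><";')
# Words the policy restricts from use (matched case-insensitively as substrings).
RESTRICTED_WORDS = ("Louisville", "UofL", "Cards", "Cardinals", "L1C4")
MIN_LEN, MAX_LEN = 8, 16
MAX_IDENTICAL_RUN = 4  # more than four identical characters in a row is a violation


def _contains(haystack, needle):
    """Case-insensitive substring test; an empty needle never matches."""
    return bool(needle) and needle.lower() in haystack.lower()


def check_password(password, user_id="", first_name="", last_name="",
                   current_year=None, required_classes=4):
    """Return a list of policy violations; an empty list means compliant.

    required_classes=4 enforces the general standard (all four character
    classes); required_classes=3 models the "at least three of the four"
    wording for systems containing sensitive information such as ePHI.
    current_year defaults to today's year; pass it explicitly for tests.
    """
    year = current_year if current_year is not None else date.today().year
    violations = []

    # Length: between 8 and 16 characters.
    if not MIN_LEN <= len(password) <= MAX_LEN:
        violations.append(f"length must be between {MIN_LEN} and {MAX_LEN} characters")

    # Excluded special characters.
    bad = sorted(set(password) & DISALLOWED_SPECIALS)
    if bad:
        violations.append("contains disallowed special character(s): " + " ".join(bad))

    # Character classes: special, number, lower case, upper case.
    specials = [c for c in password
                if c in string.punctuation and c not in DISALLOWED_SPECIALS]
    classes = {
        "special character": bool(specials),
        "number": any(c.isdigit() for c in password),
        "lower case letter": any(c.islower() for c in password),
        "upper case letter": any(c.isupper() for c in password),
    }
    met = sum(classes.values())
    if met < required_classes:
        missing = [name for name, ok in classes.items() if not ok]
        violations.append(f"only {met} of 4 character classes present "
                          f"(need {required_classes}); missing: {', '.join(missing)}")

    # Must not match or contain the user ID, first name or last name.
    if _contains(password, user_id):
        violations.append("contains the user ID")
    for label, name in (("first name", first_name), ("last name", last_name)):
        if _contains(password, name):
            violations.append(f"contains the user's {label}")

    # No more than four identical characters in a row (five or more fails).
    if re.search(r"(.)\1{%d,}" % MAX_IDENTICAL_RUN, password):
        violations.append(f"more than {MAX_IDENTICAL_RUN} identical characters in a row")

    # Easily guessable and restricted words.
    if _contains(password, "password"):
        violations.append("contains the word 'password'")
    for word in RESTRICTED_WORDS:
        if _contains(password, word):
            violations.append(f"contains restricted word '{word}'")
    # Assumption: "any variation of the current year" is approximated by the
    # four-digit year and its two-digit form appearing anywhere in the password.
    for variant in (str(year), str(year)[-2:]):
        if variant in password:
            violations.append(f"contains a form of the current year ({variant})")
            break

    return violations


if __name__ == "__main__":
    # Constructed sample input, not a real account.
    for pw in ("Tr0ub4dor!xyz", "Cards2018!!!!!", "jsmith<Pass1"):
        print(pw, "->", check_password(pw, user_id="jsmith", first_name="John",
                                       last_name="Smith", current_year=2018) or "OK")
```

Returning the full list of violations rather than a single boolean lets a self-service reset page tell the account holder every rule that failed at once, which is what the ULink option described below would need to do.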
Password use and security can be facilitated using the university’s password web site. For more information go to ULink and see the "Information Technology/Change Password" option.
Password history must be securely maintained and passwords not repeated for a period of 24 months or equivalent iterations/previously used password versions.
Access accounts will be locked after six consecutive invalid login attempts.
UofL Network and/or Enterprise Software Accounts
(In addition to the general standards above, these standards apply to UofL network and enterprise software accounts)
Expiring passwords should be used for privileged accounts wherever feasible.
Passwords (individual and shared/service accounts) should expire every 90 days and meet the sensitive information complexity requirements.
Software that is unable to comply with the minimal password standards must establish compensating controls to maintain equivalent protection.
Policy Authority/Enforcement: The University's Information Security Officer (ISO) is responsible for the development, publication, modification and oversight of these policies and standards. The ISO works in conjunction with University Leadership, Information Technology, Audit Services and others for development, monitoring and enforcement of these policies and standards.
Policy Compliance: Failure to comply with these policies and standards and/or any related information security and/or information technology policy, standard or procedure may result in disciplinary action up to and including termination of employment, services or relationship with the University and/or action in accordance with local ordinances, state or federal laws.
This policy is subject to change or termination by the University at any time. This policy SUPERSEDES all prior policies, procedures or advisories pertaining to the same subject.
This policy will be reviewed annually to determine if the policy addresses University risk exposure and is in compliance with the applicable security regulations and University direction. In the event that significant regulatory changes occur, this policy will be reviewed and updated as needed per the Policy Management process.
Approved July 23, 2007 by the Compliance Oversight Council
Shirley C Willihnganz, Executive Vice President and University Provost, Chair of the Compliance Oversight Council
Version / Date / Description
1.0 / July 23, 2007 / Original Publication
1.1 / January 31, 2011 / Revised special characters accepted
1.2 / November 16, 2011 / Add that passwords are to be known only by the owner of the account.
1.3 / January 29, 2013 / Content Review and update
1.4 / September 26, 2014 / Content update regarding length of time for password expiration
2.0 / March 8, 2016 / Review/update content and update to template format
2.1 / June 18, 2017 / Review and clarify (re-organize) password specifications
2.1 / June 30, 2018 / Update to replace should with must where needed
Reviewed Date(s): March 8, 2016, June 18, 2017, June 30, 2018
RESPONSIBLE UNIVERSITY DEPARTMENT/DIVISION
Vice President for Risk, Audit, and Compliance
The University Policy and Procedure Library is updated regularly. In order to ensure a printed copy of this document is current, please access it online at http://louisville.edu/policies.