UW-Madison - IT Password Standard

Text in italics is not part of the official text.

The Password Standard specifies the minimum length and other required practices for passwords used on devices and systems connected to the UW-Madison network.

The Password Standard is the implementation of the Credentials Policy.



Rationale/Purpose

The IT Password Standard is an implementation of UW-528 IT Credentials. This standard was developed in concert with the UW–Madison campus community. It implements up-to-date practices published by the National Institute of Standards and Technology (NIST) that are suitably adapted for use at UW–Madison.

Overview Statement

The Password Standard specifies the required practices for passwords used to authenticate to UW–Madison services and systems. Standardizing practices for passwords, passphrases, and other memorized secrets (hereinafter referred to as “passwords”) is important to appropriately manage risks related to the IT assets and resources UW–Madison uses to carry out its mission.

Scope

Applies to:

  • All password-protected systems and devices used to carry out the university’s mission, including but not limited to services, servers, desktops, laptops, and login systems
  • Any person using a password to authenticate to a system used to carry out the university’s mission
  • All passwords, passphrases, and other types of memorized secrets used to authenticate an identity or to verify authorized access to UW–Madison computer systems or data

The Password Standard applies only to passwords and the use of passwords for authentication. In many cases, appropriate authentication will involve more than a password as a standalone security measure. NIST SP 800-63 and other UW–Madison and Universities of Wisconsin policies require additional measures of protection for access to certain systems or data or for access under certain conditions. An effective implementation of the Credentials Policy may therefore require application of other standards in addition to the Password Standard.

Standard Details

Users and IT staff share responsibility for meeting the requirements described below. Users are responsible for the security of their personal passwords. IT staff are responsible for, where technically feasible, configuring systems to enforce the requirements described below. Where such configuration is not technically feasible, IT staff must provide additional protections for the system.

Table 1 below summarizes high-level user and IT staff responsibilities for each of the specific requirements in this standard.

Table 1: User and IT staff responsibilities
Requirement | User Responsibility | IT Staff Responsibility
Password Composition | Create secure passwords | Configure systems to require secure passwords to the degree possible
Password Security | Keep passwords private and secure | Store, transmit, and otherwise handle credentials securely
Compromised Credentials | Change the password immediately and report the compromise | Lock the account until the issue is resolved and report the compromise (see Table 4)

I. Password Composition

All passwords used to access UW–Madison information resources must meet the following minimum composition requirements. Some accounts (e.g., privileged accounts) or systems (e.g., those handling HIPAA data) may be held to a stricter standard. Passphrases are encouraged in all cases.

A. User passwords [1]
  1. Must include at least eight (8) characters
  2. Must not occur in a list of commonly used or recently compromised passwords
  3. Must not contain context-specific words, such as common proper names, login IDs, or email addresses
  4. Must not consist solely of a single repeated character or series of sequential characters, or follow any other predictable pattern

If a system or device does not, by default, support password composition that meets the above requirements, an alternate standard may be developed for that system or device. The alternate standard should be appropriate for the risk inherent to the system or device. Documentation of the alternate standard must be provided for review as part of any relevant risk assessment and the risks associated with the alternate standard must be accepted by the designated Risk Executive, as defined in UW–503 Cybersecurity Risk Management.

B. Non-user passwords

Application keys or API keys should be used whenever possible. When passwords are the only practical authentication method for application-to-application authentication, application passwords must:

  1. Include at least 20 characters
  2. Not follow a definite pattern or be predictable in any other way

C. Temporary (limited-use) passwords
  1. Must comply with the requirements of A or B above, as appropriate
  2. Must not follow a definite pattern or be predictable in any other way that would make it easy to guess the temporary password
  3. Must expire in one (1) day or less

Table 2 below summarizes minimum requirements for password composition and associated responsibility.

Table 2: Password composition requirements and responsibilities
Password Characteristic | User Passwords | Non-User Passwords | Temporary/Limited-Use Passwords
Length | ≥8 characters | ≥20 characters | User: ≥8 characters; Non-User: ≥20 characters
Frequency of occurrence | Must not occur in a list of commonly used or recently compromised passwords | Same as user passwords | Same as user passwords
Use of context-specific words | Must not contain proper names, login IDs, email addresses, or other context-specific words | Same as user passwords | Same as user passwords
Use of pattern | Must not consist solely of a single repeated character or series of sequential characters or follow any other predictable pattern | Must not follow a definite pattern or be predictable in any other way | Must not follow a definite pattern or be predictable in any other way
Expiration | N/A (shared account passwords must be changed – see Table 3) | N/A (rotation is required – see Table 3) | ≤1 day
Any minimum requirement is not supported by a system or device | Alternate, risk-based standards may be developed for acceptance by the designated Risk Executive | Same as user passwords | Same as user passwords
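The following Python is an added illustration of how IT staff might enforce the Section I composition rules on a system that supports custom password checks; it is not part of the standard and not UW–Madison code. The denylist, the identifiers used to derive context-specific words, and the “repeated unit” heuristic used to approximate “any other predictable pattern” are assumptions of the example, and the generated application password length (32) is an example default above the 20-character minimum.

```python
"""
Added example (not UW-Madison code): checks for the Section I composition
rules, plus a CSPRNG generator for Section I.B application passwords.
"""
import re
import secrets
import string
from typing import List, Sequence

# Constructed stand-in for "a list of commonly used or recently compromised
# passwords" (I.A.2). A real deployment would consult an up-to-date breach
# corpus (for example the Have I Been Pwned range API) or a local denylist.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein", "welcome1",
    "onwisconsin", "bucky2024",
}

MIN_USER_LEN = 8   # I.A.1
MIN_APP_LEN = 20   # I.B.1


def context_words(*identifiers: str) -> List[str]:
    """Split login IDs, e-mail addresses and names into candidate
    context-specific words (I.A.3). Assumption: any alphanumeric run of
    three or more characters inside an identifier counts as a word."""
    words: List[str] = []
    for ident in identifiers:
        for part in re.split(r"[^A-Za-z0-9]+", ident):
            if len(part) >= 3:
                words.append(part)
    return words


def is_predictable(password: str) -> bool:
    """I.A.4 / I.B.2: a single repeated character, a run of sequential
    characters in either direction ("abcdefgh", "87654321"), or (example
    heuristic) a short unit repeated to fill the string ("abcabcabc")."""
    if not password:
        return True
    if len(set(password)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
    if steps in ({1}, {-1}):
        return True
    for unit_len in range(1, len(password) // 2 + 1):
        if len(password) % unit_len == 0:
            unit = password[:unit_len]
            if unit * (len(password) // unit_len) == password:
                return True
    return False


def _check(password: str, min_len: int, words: Sequence[str]) -> List[str]:
    """Return the names of the failed checks; an empty list means accepted.
    No character-class rule is applied: the standard does not require one."""
    failures: List[str] = []
    if len(password) < min_len:
        failures.append("length")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        failures.append("denylist")
    for word in words:                      # case-insensitive substring match
        if word.lower() in lowered:
            failures.append(f"context:{word}")
            break
    if is_predictable(password):
        failures.append("pattern")
    return failures


def check_user_password(password: str, words: Sequence[str] = ()) -> List[str]:
    """Section I.A (user passwords, minimum 8 characters)."""
    return _check(password, MIN_USER_LEN, words)


def check_app_password(password: str, words: Sequence[str] = ()) -> List[str]:
    """Section I.B and Table 2 (non-user passwords, minimum 20 characters)."""
    return _check(password, MIN_APP_LEN, words)


def generate_app_password(length: int = 32) -> str:
    """I.B: when an API key is not an option, draw the application password
    from a CSPRNG so it cannot follow a pattern. 32 is an example default."""
    if length < MIN_APP_LEN:
        raise ValueError(f"application passwords need >= {MIN_APP_LEN} characters")
    alphabet = string.ascii_letters + string.digits + "-_.~"
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed identifiers for a hypothetical user.
    who = context_words("bbadger", "bucky.badger@wisc.edu", "Bucky Badger")
    for candidate in ["password", "Pa1!", "aaaaaaaa", "12345678",
                      "bbadger2024", "Correct-Horse-Battery-Staple"]:
        print(f"{candidate!r:32} -> {check_user_password(candidate, who) or 'OK'}")
    app_pw = generate_app_password()
    print(f"generated app password {app_pw} -> {check_app_password(app_pw) or 'OK'}")
```

Because the standard sets no upper-/lower-/digit/symbol rule, the checker deliberately imposes none; the only way a long passphrase fails is by appearing in the denylist, containing a context word, or being a pattern. The repeated-unit heuristic is one reading of “any other predictable pattern”; a deployment that needs keyboard-walk or dictionary-concatenation detection would extend is_predictable rather than add composition rules.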

II. Password Security

A. User passwords
  1. Individual accounts
    1. Passwords may not be shared with anyone
    2. Passwords may not be stored online except in a secure password manager
    3. Passwords may be stored offline for recovery purposes
      1. Written recovery passwords must be stored in a secure (locked) location
      2. Recovery passwords stored electronically must be encrypted and kept in a secure (locked) location
  2. Shared accounts

Shared accounts should not be used unless there are no practical alternatives. When shared accounts must be used:

    1. Passwords must be escrowed for recovery and actively managed
      1. Passwords may be escrowed in a secure password manager or secure offline storage
    2. Passwords must be changed regularly and whenever a person with access is no longer authorized
B. Non-user passwords

Application keys or API keys should be used whenever possible. When passwords are the only practical authentication method for application-to-application authentication, application passwords:

  1. Must be stored securely
  2. Should not be available in plaintext except to the application for the limited time that the password is required
  3. Should be rotated regularly, preferably in an automated fashion.

Table 3 below summarizes minimum requirements for password security and associated responsibility.

Table 3: Password security requirements and responsibilities
Password & Account Type | Minimum Security Requirement
User Passwords - Individual Accounts | Memorize the password or use a secure password manager
User Passwords - Shared Accounts | Avoid use when possible; escrow passwords in a password manager or secure offline location; change regularly and whenever a person with access is no longer authorized
Non-User Passwords | Store securely; do not make available in plaintext beyond the limited time needed by the application; rotate regularly

III. Compromised Passwords

If there is reason to believe that a password has been compromised, the password must be changed immediately. In addition, the compromise must be reported, per UW-509 Incident Reporting and Response.

Table 4 below summarizes corrective actions that must be taken for compromised accounts and associated responsibility.

Table 4: Corrective actions for compromised accounts and responsibilities
Corrective Action | Responsible
Change password | User
Lock account until issue is resolved | IT Staff
Report compromise | User, IT Staff

Roles and Responsibilities

Table 5 summarizes roles and responsibilities with respect to this standard.

Table 5: Roles and responsibilities
Position Title | Role | Responsibility
User | UW–Madison faculty, staff, student, or affiliate who has been assigned a credential or authenticator that allows use of systems to conduct UW–Madison business | Help protect UW–Madison IT systems and data by taking measures to prevent their identity from being used to gain unauthorized access
IT Staff | UW–Madison staff member responsible for designing, selecting, configuring, maintaining or administering UW–Madison information technology (IT) systems | Help protect UW–Madison IT systems and data by (a) selecting systems that support the requirements in this Password Standard and (b) implementing controls to reduce the risk that a user’s identity may be used to gain unauthorized access

Definitions

Account: An entity assigned a username in an IT system or device.

Credential Service Provider (CSP): A trusted entity that issues or registers user tokens and issues electronic credentials to users. UW–Madison is a CSP that issues credentials for use to access UW–Madison IT systems and data.

Individual Account: An account whose username is assigned to a single individual in an IT system or device.

Memorized Secret: A secret shared between the user and the Credential Service Provider that is used to authenticate an identity or to verify access authorization. Passwords and passphrases are types of memorized secrets.

Multi-Factor Authentication (MFA): An authentication system that requires more than one distinct authentication factor for successful authentication. Multi-factor authentication can be performed using a multi-factor authenticator or by a combination of authenticators that provide different factors. The three authentication factors are something you know, something you have, and something you are. (from NIST)

Non-User: A machine entity assigned a username in an IT system or device.

Limited-Use Password: A password that is intended to be used by an entity for a restricted number of uses or a restricted amount of time, rather than many times or over longer periods of time. A user password that is known to an assigner should be a limited-use password, with the expectation that the user will change the password to one that is not known by the assigner. Limited-use passwords may also be used by non-user machine entities.

One-Time Password: Another term for Limited-Use Password.

Passphrase: A password comprised of a lengthy but easily remembered phrase, for example “Correct-Horse-Battery-Staple” [2]. Passphrases are encouraged in all cases.

Password: A string of characters used to authenticate an identity or to verify access authorization. The password is the most well known type of memorized secret. See also Passphrase.

Password Manager: A computer program that helps users securely create, use, manage, and store passwords for various applications and services. Password managers eliminate the need to memorize passwords for multiple applications and services, making it more feasible to set a strong, unique password for each one. 

Shared Account: A single username used by multiple individuals to gain access to an IT system or device. Shared accounts are used only when it is not feasible for each individual user to have their own account on the system or device.

Temporary Password: Another term for Limited-Use Password. 

User: An individual who holds a credential or authenticator assigned by a Credential Service Provider.

Related UW–Madison Policies

UW–Madison IT Credentials Policy

UW–Madison Cybersecurity Risk Management Policy

UW–Madison Incident Reporting and Response Policy

Related UW–Madison Documents, Web Pages or Other Resources

IT Policy Glossary

Duo Multi-Factor Authentication at UW–Madison

LastPass Password Manager at UW–Madison

How to Create a Strong and Memorable Password

External References

NIST Special Publication (SP) 800-63B, Digital Identity Guidelines

UW System Policy Information Security Authentication Policy

UW System Information Security Risk Management Policy

References

IT Policy Glossary

UW-Madison IT Credentials Policy

Duo Multi-Factor Authentication at UW-Madison

LastPass Password Manager at UW-Madison

How to Create a Strong and Memorable Password

National Institute of Standards and Technology (2017). Digital Identity Guidelines: Authentication and Lifecycle Management. NIST Special Publication (SP) 800-63B, Section 5.2.3, Use of Biometrics.

Contact

Please address questions or comments to itpolicy@cio.wisc.edu.





Keywords: password
Doc ID: 124920
Owner: Heather J.
Group: IT Policy
Created: 2023-03-16 13:09:26
Updated: 2024-11-15 08:55:41
Sites: IT Policy
Clean URL: https://kb.wisc.edu/uw-madison-it-password-standard