
Discovery Building Password Policy

Purpose

This document describes the minimum authentication standards that must be met by Morgridge Institute for Research / DiscoverIT accounts.

Policy Standards

Everyone can update their own passwords and account information at: https://myaccount.discovery.wisc.edu/

Minimum Password and Passphrase Requirements

For authentication systems that use passwords or passphrases as an authenticator type, the following password and passphrase length requirements represent a minimum standard for DiscoverIT accounts. System password and passphrase requirements must also meet or exceed all applicable federal statutes and administrative code, and other applicable industry standards, such as Payment Card Industry Data Security Standards, that apply to those systems.

Account Type*                                                     Length Requirement
All Accounts (Minimum Baseline)                                   12
Privileged Accounts and accounts with access to high risk data    14
Non-interactive/Connector Accounts (Service Accounts)             16

* Note that whether an account is classified as a user account or a shared account does not affect password and passphrase length requirements.

Additionally, passwords and passphrases must:
  • Not contain the account's username or other account identifier;
  • Be compared against a dictionary of weak or known passwords, if such functionality natively exists in the authentication system; and
  • Be subject to history requirements, such that the secret for an account must not be the same as any of the last 13 secrets for that account.
For increased security, it is recommended that passwords and passphrases:
  • Contain a mixture of characters from each of the following categories:
    • Uppercase letter (A-Z)
    • Lowercase letter (a-z)
    • Digit (0-9)
    • Special character (~`!@#$%^&*()+=_-{}[]\|:;"'?/<>,.);
  • Be memorized or securely stored in a password manager; and
  • Be as long as practical. The 12-character minimum is a floor, not a limit.
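The following checker is an added example and is not part of the policy text or of any DiscoverIT system. It applies the minimum requirements above: length by account class (taken from the table), no account identifier in the secret, a weak-password dictionary check, and a 13-entry history check. The account class names, the weak-password list and the use of salted PBKDF2 for the stored history are assumptions for illustration; the point the history check makes is that stored secrets are hashed with per-entry salts, so a candidate must be re-hashed against each entry rather than compared as plaintext.

```python
import hashlib
import hmac
import os

# Minimum lengths from the policy table. The class names are an assumption.
MIN_LENGTH = {"user": 12, "privileged": 14, "service": 16}
HISTORY_DEPTH = 13            # policy: not the same as any of the last 13 secrets
PBKDF2_ITERATIONS = 100_000

# Constructed stand-in for a weak/known-password dictionary. A real deployment
# would consult a large local corpus such as a breached-password list.
WEAK_PASSWORDS = {"password1234", "welcome12345", "changeme12345", "letmein12345"}


def hash_secret(secret, salt=None):
    """Return (salt, digest) for a secret using salted PBKDF2-HMAC-SHA256.

    History entries are stored in this form, never as plaintext, so a history
    check has to re-derive the digest with each entry's own salt.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def reused_from_history(secret, history):
    """True if the secret equals any of the last HISTORY_DEPTH stored (salt, digest) pairs."""
    for salt, digest in list(history)[-HISTORY_DEPTH:]:
        _, candidate = hash_secret(secret, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_secret(secret, username, account_class, history=(), identifiers=()):
    """Return the list of policy violations for a proposed secret (empty means acceptable)."""
    violations = []
    minimum = MIN_LENGTH[account_class]
    if len(secret) < minimum:
        violations.append(f"shorter than {minimum} characters required for {account_class} accounts")
    lowered = secret.lower()
    # Username and any other identifiers (e.g. employee ID) must not appear, case-insensitively.
    for ident in (username, *identifiers):
        if ident and ident.lower() in lowered:
            violations.append(f"contains account identifier '{ident}'")
    if lowered in WEAK_PASSWORDS:
        violations.append("appears in the weak/known-password dictionary")
    if reused_from_history(secret, history):
        violations.append(f"matches one of the last {HISTORY_DEPTH} secrets")
    return violations


def record_new_secret(secret, history):
    """Append the hash of an accepted secret and keep only the last HISTORY_DEPTH entries."""
    updated = list(history) + [hash_secret(secret)]
    return updated[-HISTORY_DEPTH:]


if __name__ == "__main__":
    # Constructed walk-through: a user rotates twice, then tries to reuse a recent secret.
    hist = record_new_secret("correct horse battery staple", [])
    hist = record_new_secret("Tr0ub4dor&3 is not enough", hist)
    print(check_secret("Tr0ub4dor&3 is not enough", "jdoe", "user", hist))
    print(check_secret("jdoe-Spring2021!", "jdoe", "privileged", hist))
```

Because the history is salted per entry, a 13-deep check costs 13 key derivations; keep the iteration count high enough to slow offline guessing but run the check once per change attempt, not on every login.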

Session Reauthentication

Periodic reauthentication of sessions must be performed at set time intervals and after periods of user inactivity. As a general rule of thumb, you should always lock devices that hold sensitive data. This includes computers, mobile devices, and tablets. Most devices have a setting that will automatically lock the device after a period of inactivity, which is especially helpful if you tend to forget to lock your computer. On a mobile device, you may also be able to restrict or lock individual apps through the phone's settings.

Users accessing moderate or high risk data must reauthenticate to the application hosting the data at least once every 12 hours during an extended usage session, regardless of user activity. Reauthentication procedures must be commensurate with the initial authentication process used to access the application.

Users must also reauthenticate following any period of inactivity lasting 30 minutes or longer while accessing moderate or high risk data.

The session must be terminated (i.e., logged out) when either of these time limits is reached.
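The two limits above are independent clocks, and the common implementation mistake is a single sliding timeout that user activity keeps extending indefinitely. The following session model is an added example, not code from the policy or from any DiscoverIT application; it keeps the absolute 12-hour clock separate from the 30-minute idle clock so that activity resets only the latter. The Session class and status strings are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ABSOLUTE_LIMIT = timedelta(hours=12)   # policy: reauthenticate at least once per 12 hours
IDLE_LIMIT = timedelta(minutes=30)     # policy: reauthenticate after 30 minutes of inactivity


@dataclass
class Session:
    authenticated_at: datetime   # time of the last full authentication (or reauthentication)
    last_activity: datetime      # time of the most recent request in this session

    def touch(self, now):
        """Record activity. Only the idle clock resets; the absolute clock does not."""
        self.last_activity = now

    def reauthenticate(self, now):
        """Called after the user completes a reauthentication commensurate with the original login."""
        self.authenticated_at = now
        self.last_activity = now


def session_status(session, now):
    """Return "active", or the reason the session must be terminated."""
    if now - session.authenticated_at >= ABSOLUTE_LIMIT:
        return "absolute_limit"   # terminate even if the user is busy right now
    if now - session.last_activity >= IDLE_LIMIT:
        return "idle_limit"
    return "active"


if __name__ == "__main__":
    # Constructed timeline: login at 09:00, activity every 20 minutes all day.
    t0 = datetime(2021, 8, 12, 9, 0, tzinfo=timezone.utc)
    s = Session(t0, t0)
    t = t0
    while t < t0 + ABSOLUTE_LIMIT:
        s.touch(t)
        t += timedelta(minutes=20)
    print(session_status(s, t0 + ABSOLUTE_LIMIT))   # absolute limit fires despite steady activity
```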

Account Lockout Requirements

Public facing authentication systems, i.e., those that allow authentication from outside of institution networks, must include an account lockout mechanism that is triggered after a maximum of 5 invalid password entries. Administrators may choose either a time-based lockout (minimum 5 minutes) or a hard lockout that requires the user to follow a process to reset their secret. Alternatively, risk-based or adaptive authentication techniques may be used to identify user behavior that falls within, or outside of, typical norms, and enforce lockouts accordingly.
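The following tracker is an added example, not code from the policy or from any DiscoverIT system, showing the two lockout styles the paragraph allows: a timed lockout that clears after the 5-minute minimum, and a hard lockout that only an explicit reset process clears. The lockout decision is evaluated before the secret is verified, so an attacker who happens to guess correctly during a lockout is still refused and learns nothing. The class, method names and the "denied"/"locked"/"ok" results are assumptions for illustration; risk-based lockout is not modelled.

```python
from datetime import datetime, timedelta, timezone

MAX_FAILURES = 5                        # policy: lock after at most 5 invalid entries
TIMED_LOCKOUT = timedelta(minutes=5)    # policy: minimum duration for a time-based lockout


class LockoutTracker:
    """Per-account consecutive-failure counter supporting timed or hard lockout."""

    def __init__(self, mode="timed"):
        if mode not in ("timed", "hard"):
            raise ValueError(f"unknown lockout mode: {mode}")
        self.mode = mode
        self._failures = {}       # username -> consecutive failures
        self._locked_until = {}   # username -> expiry datetime (timed) or None (hard)

    def is_locked(self, user, now):
        if user not in self._locked_until:
            return False
        until = self._locked_until[user]
        if until is None:         # hard lockout: only admin_reset() clears it
            return True
        if now < until:
            return True
        # Timed lockout has expired; clear it and start counting afresh.
        del self._locked_until[user]
        self._failures[user] = 0
        return False

    def record_failure(self, user, now):
        """Call after a wrong secret. Returns True if the account is now locked."""
        if self.is_locked(user, now):
            return True
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= MAX_FAILURES:
            self._locked_until[user] = (now + TIMED_LOCKOUT) if self.mode == "timed" else None
            return True
        return False

    def record_success(self, user):
        """Call only after is_locked() returned False and the secret verified."""
        self._failures[user] = 0

    def admin_reset(self, user):
        """Clears a hard lockout once the user has completed the secret-reset process."""
        self._locked_until.pop(user, None)
        self._failures[user] = 0


def attempt_login(tracker, user, secret_ok, now):
    """Login decision: lockout is checked before the secret, so a locked account is refused even with the right secret."""
    if tracker.is_locked(user, now):
        return "locked"
    if secret_ok:
        tracker.record_success(user)
        return "ok"
    return "locked" if tracker.record_failure(user, now) else "denied"


if __name__ == "__main__":
    # Constructed sequence: five wrong guesses one second apart, then the right secret.
    t0 = datetime(2021, 8, 12, 9, 0, tzinfo=timezone.utc)
    tr = LockoutTracker("timed")
    print([attempt_login(tr, "alice", False, t0 + timedelta(seconds=i)) for i in range(5)])
    print(attempt_login(tr, "alice", True, t0 + timedelta(minutes=1)))
```

Store the counters in shared, durable state (a database or cache) rather than per-process memory; otherwise a load-balanced login endpoint gives an attacker five attempts per backend.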

Multifactor Authentication

User accounts and shared accounts that are used to access high risk data must use MFA. This requirement does not apply when students are exclusively accessing their own information. Privileged accounts, excluding service accounts, must also use MFA.

Frequency of Password and Passphrase Changes

When MFA is not enforced on every internet-facing system where an account is used, passwords and passphrases must be changed on a regular basis, in accordance with the following:

Account Type                                           Password Change Frequency
Non-Interactive/Connector Account (Service Account)    5 Years
Shared Accounts                                        Annually

Passwords and passphrases must be changed immediately if a compromise of credentials has been independently discovered, publicly disclosed, suspected, or if a device has been lost or stolen. This includes discovery of plaintext and/or hashed secrets.

Initial secrets that are provisioned for new user accounts must be changed during first use or, if not technically feasible, within five business days of first use.

Default, non-unique passwords for accounts that are embedded in new devices or applications must be changed during the initial device or application configuration, or if not technically feasible, within five business days of device or application activation, unless those accounts are locked.

Service account secrets and shared account secrets must be changed within five business days when an employee with knowledge of said secrets:

  • changes roles where knowledge of the secret is no longer necessary; or
  • discontinues employment with the UW System and/or its institutions. This requirement does not apply for systems that are inaccessible from outside the institution network.

Shared Accounts

Shared accounts should not be used to access high risk data and should be avoided when accessing moderate risk data. If, due to system limitations or problems, a shared account must be used, the institution must establish procedures for documenting, approving, and monitoring the use of shared accounts.

Requirements for Continued Account Access

Accounts must only remain active while there is a valid business justification for having the account. However, there may be times where accounts need to remain active past their normal defined periods:

  • Individuals who leave employment in good standing and retain a documented affiliation with the Institute or University (emeriti, sponsorship, retiree/annuitant, adjunct faculty, instructional staff/faculty, etc) may retain account access provided the following conditions are met:
    • An individual’s affiliation must be formally documented and verified at least once every 365 calendar days
    • Individuals retain access to campus IT resources/services, limited to those commensurate with their role
    • Individuals remain subject to Board of Regents rules
    • Individuals are required to annually complete information security awareness training
    • Access will be disabled after 1 year of inactivity based on last login date
  • Access for individuals who leave employment in good standing and do not retain a documented affiliation with the Institute or University, will be disabled on the termination date set in the Human Resource System. Access for these individuals may be retained for a period of up to 90 days, if applicable.
  • Access for individuals who are discharged with no notice and/or terminated for cause must be revoked immediately. If a criminal offense is involved in the termination, General Counsel and Human Resources must be consulted to ensure no legal hold on account information, files, etc. is required.

Storage of User Passwords and Passphrases

LastPass is the currently recommended password manager to be used by Morgridge and UW employees. If You Are A NEW LastPass Premium User:

  • Available to anyone with an active UW–Madison email address (to confirm eligibility) but you must use a personal email account to sign up
  • Intended for use in storing your personal accounts (e.g. banking, shopping, social media sites).
  • Ideal for students, alumni, and LastPass Enterprise eligible employees wanting a robust personal password manager in addition to, or instead of, a work specific LastPass Enterprise account.
  • LastPass Premium Accounts are separate from LastPass Enterprise accounts and are NOT supported by UW–Madison (meaning you need to contact LastPass for support).
  • Sign up for your FREE LastPass Premium account using the UW–Madison Premium Partner link: https://lastpass.com/partnerpremium/uw

Password managers must meet the following minimum security requirements:

  • Password managers shared between team members must utilize logging to uniquely identify employee access to the manager and access of passwords within the manager
  • Password manager authentication procedures must be commensurate with the authentication requirements for the accounts whose credentials it stores. For example, if the password manager will store privileged account credentials or credentials for accounts that have access to high risk data, the password manager must require MFA and meet the associated secret requirements specified in this policy.

Secrets must be encrypted when stored electronically. Secrets must not be written down unless secured in a manner that restricts unauthorized individuals from accessing the secrets.

Definitions

Account Types: While each application will have varying account types by title, all accounts fall into one or more of the 4 categories below. The type and usage of an account generally determines its authentication requirements, so the following kinds of accounts are defined in order to distinguish between those requirements.

  • User Accounts: Accounts under the control of a specific individual and are not accessible to others. These are user-interactive accounts.
  • Shared Accounts: An account that can be accessed by multiple individuals to allow them to appear as a single business entity or accomplish a single shared function. These are user-interactive accounts.
  • Privileged Accounts: A qualifier used to describe User Accounts and Shared Accounts that have elevated access to configure or significantly change the behavior of a computing system, device, application or other aspect of systems. These accounts should be considered highly sensitive. These are user-interactive accounts.
  • Service Accounts: Accounts that are intended for automated processes such as running batch jobs or applications or establishing connections between web, application, and database servers, or external applications or services. To be considered a service account, the account must not be primarily used for general login to systems by users.

Authentication: The process of verifying that someone who holds an account on an IT system is who they purport to be.

Multi-Factor Authentication (MFA): A security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction.

Passphrase: A secret consisting of a sequence of words or other text that a claimant uses to authenticate their identity. A passphrase is similar to a password in usage but is generally longer for added security.

Password: A secret that a claimant uses to authenticate his or her identity. Passwords are typically character strings.

Secret: Commonly referred to as a passphrase, password, or if numeric, a PIN. A secret value of sufficient complexity and secrecy intended to be impractical for an attacker to guess or otherwise discover the correct secret value.

Other Information

National Institute of Standards and Technology (NIST) Special Publication 800-63

Responsible Office

DiscoverIT

Keywords: password, policy, discovery
Doc ID: 112995
Owner: Em C.
Group: Discovery Building IT
Created: 2021-08-12 09:13 CST
Updated: 2021-08-12 12:24 CST
Sites: Discovery Building IT