UW-Madison - IT Password Standard

Text in italics is not part of the official text.

Applies to anyone who connects devices or systems to a UW-Madison network by any means.

The Password Standard specifies the minimum length and other required practices for passwords used on devices and systems connected to the UW-Madison network.

The Password Standard is the implementation of the Credentials Policy.


All passwords and passphrases used to access UW-Madison information resources must meet the following minimum requirements. Some accounts or systems may have more stringent or additional requirements.

  1. The password or passphrase must be at least:1,2
    1. eight (8) characters when used on an account that has the additional protection of Multi- Factor Authentication (MFA), such as Duo (see MFA-Duo Overview"). Other types of MFA are also acceptable.
    2. sixteen (16) characters long when used on an account without the additional protection of MFA. This is called a passphrase. See "LastPass - How to create a strong and memorable password."
  2. The password or passphrase chosen:2
    1. must not occur in a list of commonly used or recently compromised passwords.
    2. must not contain a common proper name, login ID, email address, initials, first, middle, or last name.
    3. must not have the same character repeated more than four times in a row.
  3. The password or passphrase must be changed immediately if there is reason to believe that the account has been compromised.
  4. Passwords and passphrases must be kept private.
    1. A password or passphrase must be memorized or stored in a password manager such as LastPass. See "LastPass - How to activate a UW-Madison Enterprise LastPass account."
    2. The password or passphrase of a shared account must be stored in a password manager, so that passwords can be easily changed and those who should no longer have access can no longer gain access.
    3. The password or passphrase of a personal (non-shared) account must be changed if it is revealed to anyone else for any reason whatsoever.
    4. A password or passphrase may be written down only if a password manager is not available. If it is written down, it must be stored in a secure location.
  5. When a system is unattended for at most thirty (30) minutes3, the system must lock so that upon the return of the user the system requires the user to re-enter the password or passphrase, or to use some other method of identification that uniquely identifies that user.
  6. If for any reason a system or user cannot meet the requirements above,
    1. if the thirty (30) minute lockout requirement cannot be met, the system must be used only in a secure physical location that prevents access by unauthorized persons.
    2. in all other cases the system must have additional protection, such as, but not limited to, a dedicated firewall or limited network access.
  7. Biometrics can only be used as part of multi-factor authentication and are not sufficient for sole authentication (NIST SP 800-63B, Section 5.2.3, Use of Biometrics).


The UW-Madison Password Standard was developed in concert with the university community. It implements up-to-date practices published by the National Institute of Standards and Technology (NIST) that are suitably adapted for use in higher education at UW-Madison.


The requirements in this standard derive their authority from the UW-Madison IT Credentials  Policy.


Please address questions or comments to itpolicy@cio.wisc.edu.


1 Some systems and devices, for example, mobile devices, do not commonly support passwords that meet the minimum length requirements. In such cases the longest commonly used password or personal identification number (PIN) settings should be used for low risk systems, and any available advanced settings that permit longer or more complex passwords should be used for high risk systems.

2 When setting or changing a password the system should check these restrictions and request that another password or passphrase be selected. The details of what is checked and excluded may vary from system to system.

3 A shorter time limit may be required for high risk systems. 

Text in italics is not part of the official text.

Keywordspassword   Doc ID124920
OwnerHeather J.GroupIT Policy
Created2023-03-16 14:09:26Updated2024-05-15 12:12:39
SitesIT Policy
Feedback  2   0