---

---

Requirements

All passwords and passphrases used to access UW-Madison information resources must meet the following minimum requirements. Some accounts or systems may have more stringent or additional requirements.

1. The password or passphrase must be at least:^1,2
   1. eight (8) characters when used on an account that has the additional protection of Multi- Factor Authentication (MFA), such as Duo (see MFA-Duo Overview"). Other types of MFA are also acceptable.
   2. sixteen (16) characters long when used on an account without the additional protection of MFA. This is called a passphrase. See "LastPass - How to create a strong and memorable password."
2. The password or passphrase chosen:²
   1. must not occur in a list of commonly used or recently compromised passwords.
   2. must not contain a common proper name, login ID, email address, initials, first, middle, or last name.
   3. must not have the same character repeated more than four times in a row.
3. The password or passphrase must be changed immediately if there is reason to believe that the account has been compromised.
4. Passwords and passphrases must be kept private.
   1. A password or passphrase must be memorized or stored in a password manager such as LastPass. See "LastPass - How to activate a UW-Madison Enterprise LastPass account."
   2. The password or passphrase of a shared account must be stored in a password manager, so that passwords can be easily changed and those who should no longer have access can no longer gain access.
   3. The password or passphrase of a personal (non-shared) account must be changed if it is revealed to anyone else for any reason whatsoever.
   4. A password or passphrase may be written down only if a password manager is not available. If it is written down, it must be stored in a secure location.
5. When a system is unattended for at most thirty (30) minutes³, the system must lock so that upon the return of the user the system requires the user to re-enter the password or passphrase, or to use some other method of identification that uniquely identifies that user.
6. If for any reason a system or user cannot meet the requirements above,
   1. if the thirty (30) minute lockout requirement cannot be met, the system must be used only in a secure physical location that prevents access by unauthorized persons.
   2. in all other cases the system must have additional protection, such as, but not limited to, a dedicated firewall or limited network access.
7. Biometrics can only be used as part of multi-factor authentication and are not sufficient for sole authentication (NIST SP 800-63B, Section 5.2.3, Use of Biometrics).

Background

The UW-Madison Password Standard was developed in concert with the university community. It implements up-to-date practices published by the National Institute of Standards and Technology (NIST) that are suitably adapted for use in higher education at UW-Madison.

Authority

The requirements in this standard derive their authority from the UW-Madison IT Credentials  Policy.

Contact

Please address questions or comments to itpolicy@cio.wisc.edu.

---

Text in italics is not part of the official text.