UW-Madison - IT Password Standard
Text in italics is not part of the official text.
The Password Standard specifies the minimum length and other required practices for passwords used on devices and systems connected to the UW-Madison network.
The Password Standard is the implementation of the Credentials Policy.
Rationale/Purpose
The IT Password Standard is an implementation of UW-528 IT Credentials. This standard was developed in concert with the UW–Madison campus community. It implements up-to-date practices published by the National Institute of Standards and Technology (NIST) that are suitably adapted for use at UW–Madison.
Overview Statement
The Password Standard specifies the required practices for passwords used to authenticate to UW–Madison services and systems. Standardizing practices for passwords, passphrases, and other memorized secrets (hereinafter referred to as “passwords”) is important to appropriately manage risks related to the IT assets and resources UW–Madison uses to carry out its mission.
Scope
Applies to:
- All password-protected systems and devices used to carry out the university’s mission, including but not limited to services, servers, desktops, laptops, and login systems
- Any person using a password to authenticate to a system used to carry out the university’s mission
- All passwords, passphrases, and other types of memorized secrets used to authenticate an identity or to verify authorized access to UW–Madison computer systems or data
The Password Standard applies only to passwords and the use of passwords for authentication. In many cases, appropriate authentication will involve more than a password as a standalone security measure. NIST SP 800-63 and other UW–Madison and Universities of Wisconsin policies require additional measures of protection for access to certain systems or data or for access under certain conditions. An effective implementation of the Credentials Policy may therefore require application of other standards in addition to the Password Standard.
Standard Details
Users and IT staff share responsibility for meeting the requirements described below. Users are responsible for the security of their personal passwords. IT staff are responsible for, where technically feasible, configuring systems to enforce the requirements described below. Where such configuration is not technically feasible, IT staff must provide additional protections for the system.
Table 1 below summarizes high-level user and IT staff responsibilities for each of the specific requirements in this standard.
Requirement | User Responsibility | IT Staff Responsibility |
---|---|---|
Password Composition | Create secure passwords | Configure systems to require secure passwords to the degree possible |
Password Security | Keep passwords private and secure | Store, transmit, and otherwise handle credentials securely |
Compromised Credentials | | |
I. Password Composition
All passwords used to access UW–Madison information resources must meet the following minimum composition requirements. Some accounts (e.g., privileged accounts) or systems (e.g., those handling HIPAA data) may be held to a stricter standard. Passphrases are encouraged in all cases.
A. User passwords
- Must include at least eight (8) characters
- Must not occur in a list of commonly used or recently compromised passwords
- Must not contain context-specific words, such as common proper names, login IDs, or email addresses
- Must not consist solely of a single repeated character or series of sequential characters, or follow any other predictable pattern
If a system or device does not, by default, support password composition that meets the above requirements, an alternate standard may be developed for that system or device. The alternate standard should be appropriate for the risk inherent to the system or device. Documentation of the alternate standard must be provided for review as part of any relevant risk assessment and the risks associated with the alternate standard must be accepted by the designated Risk Executive, as defined in UW–503 Cybersecurity Risk Management.
B. Non-user passwords
Application keys or API keys should be used whenever possible. When passwords are the only practical authentication method for application-to-application authentication, application passwords must:
- Include at least 20 characters
- Not follow a definite pattern or be predictable in any other way
C. Temporary (limited-use) passwords
- Must comply with the requirements of A or B above, as appropriate
- Must not follow a definite pattern or be predictable in any other way that would make it easy to guess the temporary password
- Must expire in one (1) day or less
Table 2 below summarizes minimum requirements for password composition and associated responsibility.
Password Characteristic | User Passwords | Non-User Passwords | Temporary/Limited-Use Passwords |
---|---|---|---|
Length | ≥8 characters | ≥20 characters | |
Frequency of occurrence | Must not occur in a list of commonly used or recently compromised passwords | Must not occur in a list of commonly used or recently compromised passwords | Must not occur in a list of commonly used or recently compromised passwords |
Use of context-specific words | Must not contain proper names, login IDs, email addresses, or other context-specific words | Must not contain proper names, login IDs, email addresses, or other context-specific words | Must not contain proper names, login IDs, email addresses, or other context-specific words |
Use of pattern | Must not consist solely of a single repeated character or series of sequential characters or follow any other predictable pattern | Must not follow a definite pattern or be predictable in any other way | Must not follow a definite pattern or be predictable in any other way |
Expiration | N/A (shared account passwords must be changed – see Table 3) | N/A (rotation is required – see Table 3) | ≤1 day |
Any minimum requirement is not supported by a system or device | Alternate, risk-based standards may be developed for acceptance by the designated Risk Executive | Alternate, risk-based standards may be developed for acceptance by the designated Risk Executive | Alternate, risk-based standards may be developed for acceptance by the designated Risk Executive |
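As an added illustration (not part of the standard or of any UW–Madison system), the following Python check encodes the Table 2 minimums: the 8- and 20-character lengths, the deny-list, context-word and pattern rules, and the one-day limit for temporary passwords. The deny list, context words and sample passwords are constructed stand-ins.

```python
from typing import Iterable, List, Optional

# Constructed stand-in for "a list of commonly used or recently compromised
# passwords"; a real deployment would consult a maintained breach corpus.
DENY_LIST = {"password", "12345678", "qwerty123", "letmein1", "iloveyou"}
MIN_LENGTH = {"user": 8, "non_user": 20}   # Table 2, "Length" row
TEMP_MAX_LIFETIME_HOURS = 24               # Table 2, "Expiration" row

def has_predictable_pattern(pw: str) -> bool:
    """Single repeated character, or a purely ascending/descending run
    such as 'abcdefgh' or '87654321'."""
    if len(set(pw)) == 1:
        return True
    codes = [ord(c) for c in pw]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return steps == {1} or steps == {-1}

def context_tokens(context: Iterable[str]) -> List[str]:
    """Lower-case the caller's login IDs, names and e-mail addresses; for an
    e-mail address also add its local part (the text before '@')."""
    tokens = []
    for item in context:
        item = item.lower()
        tokens.append(item)
        if "@" in item:
            tokens.append(item.split("@", 1)[0])
    return [t for t in tokens if len(t) >= 3]  # skip tiny tokens like 'jo'

def check_password(pw: str, kind: str = "user", context: Iterable[str] = (),
                   temporary_lifetime_hours: Optional[float] = None) -> List[str]:
    """Return the Table 2 requirements that `pw` fails (empty = compliant).
    kind is 'user' or 'non_user'; give temporary_lifetime_hours for a
    temporary password, which follows its kind's rules plus the 1-day expiry."""
    failures = []
    if len(pw) < MIN_LENGTH[kind]:
        failures.append(f"length: need at least {MIN_LENGTH[kind]} characters")
    if pw.lower() in DENY_LIST:
        failures.append("frequency: appears in the common/compromised list")
    hits = [t for t in context_tokens(context) if t in pw.lower()]
    if hits:
        failures.append("context: contains " + ", ".join(hits))
    if has_predictable_pattern(pw):
        failures.append("pattern: repeated or sequential characters")
    if temporary_lifetime_hours is not None and temporary_lifetime_hours > TEMP_MAX_LIFETIME_HOURS:
        failures.append("expiration: temporary passwords must expire within 1 day")
    return failures
```

Calling `check_password("bbadger2024", context=["bbadger@wisc.edu"])` reports the reused login ID, while a passphrase such as `correct-horse-battery-staple` passes every rule.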
II. Password Security
A. User passwords
- Individual accounts
  - Passwords may not be shared with anyone
  - Passwords may not be stored online except in a secure password manager
  - Passwords may be stored offline for recovery purposes
  - Written recovery passwords must be stored in a secure (locked) location
  - Recovery passwords stored electronically must be encrypted and kept in a secure (locked) location
- Shared accounts
  Shared accounts should not be used unless there are no practical alternatives. When shared accounts must be used:
  - Passwords must be escrowed for recovery and actively managed
  - Passwords may be escrowed in a secure password manager or secure offline storage
  - Passwords must be changed regularly and whenever a person with access is no longer authorized
B. Non-user passwords
Application keys or API keys should be used whenever possible. When passwords are the only practical authentication method for application-to-application authentication, application passwords:
- Must be stored securely
- Should not be available in plaintext except to the application for the limited time that the password is required
- Should be rotated regularly, preferably in an automated fashion.
Table 3 below summarizes minimum requirements for password security and associated responsibility.
Password & Account Type | Minimum Security Requirement |
---|---|
User Passwords - Individual Accounts | Memorize password or use a secure password manager |
User Passwords - Shared Accounts | |
Non-User Passwords | |
III. Compromised Passwords
If there is reason to believe that a password has been compromised, the password must be changed immediately. In addition, the compromise must be reported, per UW-509 Incident Reporting and Response.
Table 4 below summarizes corrective actions that must be taken for compromised accounts and associated responsibility.
Corrective Action | Responsible |
---|---|
Change password | User |
Lock account until issue is resolved | IT Staff |
Report compromise | User, IT Staff |
Roles and Responsibilities
Table 5 summarizes roles and responsibilities with respect to this standard.
Position Title | Role | Responsibility |
---|---|---|
User | UW–Madison faculty, staff, student, or affiliate who has been assigned a credential or authenticator that allows use of systems to conduct UW–Madison business | Help protect UW–Madison IT systems and data by taking measures to prevent their identity from being used to gain unauthorized access. |
IT Staff | UW–Madison staff member responsible for designing, selecting, configuring, maintaining or administering UW–Madison information technology (IT) systems | Help protect UW–Madison IT systems and data by: |
Definitions
Account: An entity assigned a username in an IT system or device.
Credential Service Provider (CSP): A trusted entity that issues or registers user tokens and issues electronic credentials to users. UW–Madison is a CSP that issues credentials for use to access UW–Madison IT systems and data.
Individual Account: An individual assigned a username in an IT system or device.
Memorized Secret: A secret shared between the user and the Credential Service Provider that is used to authenticate an identity or to verify access authorization. Passwords and passphrases are types of memorized secrets.
Multi-Factor Authentication (MFA): An authentication system that requires more than one distinct authentication factor for successful authentication. Multi-factor authentication can be performed using a multi-factor authenticator or by a combination of authenticators that provide different factors. The three authentication factors are something you know, something you have, and something you are. (from NIST)
Non-User: A machine entity assigned a username in an IT system or device.
Limited-Use Password: A password that is intended to be used by an entity for a restricted number of uses or a restricted amount of time, rather than many times or over longer periods of time. A user password that is known to an assigner should be a limited-use password, with the expectation that the user will change the password to one that is not known by the assigner. Limited-use passwords may also be used by non-user machine entities.
One-Time Password: Another term for Limited-Use Password.
Passphrase: A password comprised of a lengthy but easily remembered phrase, for example "Correct-Horse-Battery-Staple." Passphrases are encouraged in all cases.
Password: A string of characters used to authenticate an identity or to verify access authorization. The password is the most well known type of memorized secret. See also Passphrase.
Password Manager: A computer program that helps users securely create, use, manage, and store passwords for various applications and services. Password managers eliminate the need to memorize passwords for multiple applications and services, making it more feasible to set a strong, unique password for each one.
Shared Account: A single username used by multiple individuals to gain access to an IT system or device. Shared accounts are used only when it is not feasible for each individual user to have their own account on the system or device.
Temporary Password: Another term for Limited-Use Password.
User: An individual who holds a credential or authenticator assigned by a Credential Service Provider.
Related UW–Madison Policies
UW–Madison IT Credentials Policy
UW–Madison Cybersecurity Risk Management Policy
UW–Madison Incident Reporting and Response Policy
Related UW–Madison Documents, Web Pages or Other Resources
UW-Madison - Credentials Policy & Password Standard FAQs
Duo Multi-Factor Authentication at UW–Madison
LastPass Password Manager at UW–Madison
How to Create a Strong and Memorable Password
External References
NIST Special Publication (SP) 800-63B, Digital Identity Guidelines
UW System Policy Information Security Authentication Policy
UW System Information Security Risk Management Policy
References
UW-Madison IT Credentials Policy
Duo Multi-Factor Authentication at UW-Madison
LastPass Password Manager at UW-Madison
How to Create a Strong and Memorable Password
National Institute of Standards and Technology (2017). Digital Identity Guidelines: Authentication and Lifecycle Management. NIST Special Publication (SP) 800-63B, Section 5.2.3, Use of Biometrics.
Contact
Please address questions or comments to itpolicy@cio.wisc.edu.