Policy Passwords

Last modified: Wed Feb 05 2025 18:00:04 GMT-0500 (Eastern Standard Time)


University of Louisville

OFFICIAL UNIVERSITY ADMINISTRATIVE POLICY

POLICY NAME

Passwords

EFFECTIVE DATE

July 23, 2007

POLICY NUMBER

ISO-008 v2.2

POLICY APPLICABILITY

This policy applies to all University workforce, faculty and student members (including, but not limited to: faculty, staff, students, temps, trainees, volunteers, and other persons as deemed appropriate) while conducting or performing work, teaching, research or study activity using University resources. It covers all facilities, property, data and equipment owned, leased and/or maintained by the University or its affiliates.

REASON FOR POLICY

The purpose of this policy is to establish minimum requirements for the creation and protection of passwords that align with the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework and Special Publication 800-63B.

POLICY STATEMENT

All computer accounts must be password protected to help maintain the confidentiality and integrity of electronic data as well as to help protect the University’s computing resources and infrastructure. This policy establishes a minimum standard for creation of strong passwords, the protection of those passwords, and the frequency of change.

STANDARDS

General

  • Passwords to university accounts and devices must be kept confidential.
  • To preserve account integrity, the owner of the account must be the only person with knowledge of the password.
  • No user shall be required to share a university account password with another individual, including but not limited to managers, co-workers, or technical staff.
  • Passwords that have been, or are suspected to have been, compromised must be changed immediately.
  • Passwords used for shared/service accounts must be changed immediately if compromised or when a holder transfers or leaves the university.
  • Passwords allowing for temporary access to production environments for problem resolution must be changed immediately or the account terminated following use.
  • Initial access (first time log in) passwords must be changed immediately upon login.
  • Default passwords of system or application accounts must be changed.
  • Passwords or pass phrases must be stored only in protected form (hashed or encrypted), never in clear text or in viewable, non-secured hardcopy.
  • Single Sign-On (SSO): SSO must be leveraged whenever possible to access systems and applications, streamline authentication, minimize password fatigue, and improve overall security.
  • Multi-Factor Authentication (MFA): MFA must be enabled and in use, whenever possible.
  • Passwords shall not be set to expire after a specific period unless:
    • There is evidence of compromise; or
    • Regulatory or contractual obligations require periodic password changes.
  • Knowledge-based authentication, such as security questions based on personal data shall not be used.

Technical Standards:

General

  • Passwords must be at least 15 characters in length.
  • Privileged accounts passwords must be at least 24 characters in length.
    • A privileged account is a user account that has elevated access or special permissions within an information system. Privileged accounts include system, database, application and network administrator accounts, root/superuser accounts, and service accounts.
  • A strong password shall include a combination of:
    • At least 1 special character (the characters &, >, ", <, and ; are not accepted)
    • At least 1 number character
    • At least 1 lower case character
    • At least 1 upper case character
  • Password must not match or contain the user ID.
  • Password must not contain more than four identical characters in a row.
  • Password must not contain the user’s first name or last name.
  • Passwords to systems containing sensitive information, including ePHI, must require at least three of the four criteria specified immediately above.
  • Passwords must not consist solely of personal information or words found in a dictionary (any language). Passwords must not be set to easily guessable words like the word “password”.
  • The following words are restricted from use: Louisville, UofL, Cards, Cardinals, L1C4 and any variation of the current year (e.g., 2018).
  • Password use and security can be facilitated using the university’s password web site. For more information go to identity.louisville.edu.
  • Password history must be securely maintained, and a new password must not match any of the previous 24 passwords.
  • Access accounts will be locked after six invalid login attempts.
  • In cases where technical, operational, or contractual constraints prevent full compliance with this policy, compensating controls must be implemented to provide an equivalent or greater level of security.
    • Compensating controls may include: increased logging and monitoring, additional MFA layers, restricted access, physical security, and use of University Single Sign-On.
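The technical standards above are concrete enough to be enforced by code rather than left to user judgement. The checker below is an added illustration written for this page; it is not University of Louisville code or tooling. It implements the length floors (15 and 24 characters), the four character classes with the rejected special characters, the user ID and name checks, the limit on identical characters in a row, the restricted words, the current-year rule, and the 24-entry history. Everything not stated in the standard is an assumption: the function names, reading "any variation of the current year" as the four- or two-digit year, the use of salted PBKDF2-HMAC-SHA256 for the history store (the standard only says history must be "securely maintained"), the `min_classes` parameter for the three-of-four floor, and the constructed sample passwords.

```python
"""Checker for the password standards above (added example, not UofL code)."""
import datetime
import hashlib
import hmac
import os
import re

# Special characters the standard lists as not accepted.
FORBIDDEN_CHARS = set('&><";')
# Restricted words from the standard plus its "password" example; matched
# case-insensitively as substrings.
RESTRICTED_WORDS = ("louisville", "uofl", "cards", "cardinals", "l1c4", "password")
HISTORY_DEPTH = 24
PBKDF2_ROUNDS = 200_000  # assumption: the standard does not prescribe a hash


def hash_password(password, salt=None):
    """Return (salt, PBKDF2-HMAC-SHA256 digest) suitable for the history list."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(password, history):
    """True if password equals any of the last HISTORY_DEPTH stored verifiers."""
    for salt, digest in list(history)[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):  # constant-time comparison
            return True
    return False


def check_password(password, *, user_id, first_name="", last_name="",
                   privileged=False, min_classes=4, history=(), current_year=None):
    """Return a list of rule violations; an empty list means the password complies.

    min_classes=4 requires all four classes; the standard's floor for systems
    holding ePHI is three of four (pass min_classes=3 to model that floor).
    """
    problems = []

    min_len = 24 if privileged else 15
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")

    bad = FORBIDDEN_CHARS & set(password)
    if bad:
        problems.append("contains disallowed character(s): " + "".join(sorted(bad)))

    classes = {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(not c.isalnum() for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if 4 - len(missing) < min_classes:
        problems.append(f"needs {min_classes} of 4 character classes, missing: "
                        + ", ".join(missing))

    lowered = password.lower()
    for label, value in (("user ID", user_id), ("first name", first_name),
                         ("last name", last_name)):
        if value and value.lower() in lowered:
            problems.append(f"contains {label}")

    # Five or more identical characters in a row exceed the "four in a row" limit.
    if re.search(r"(.)\1{4}", password):
        problems.append("more than four identical characters in a row")

    for word in RESTRICTED_WORDS:
        if word in lowered:
            problems.append(f"contains restricted word: {word}")

    # Assumption: "any variation of the current year" covers the 4- and 2-digit forms.
    year = str(datetime.date.today().year if current_year is None else current_year)
    if year in password or year[-2:] in password:
        problems.append("contains the current year")

    if in_history(password, history):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs; "jdoe" / "Jane Doe" are not real accounts.
    previous = [hash_password("Bluebird#Sunrise42!")]
    for candidate in ("Bluebird#Sunrise42!", "Bluebird&Sunrise42!", "Jdoe-Bluebird#Sunrise42"):
        result = check_password(candidate, user_id="jdoe", first_name="Jane",
                                last_name="Doe", history=previous, current_year=2025)
        print(candidate, "->", result or "OK")
```

The history store keeps a random salt per entry, so checking a candidate against the last 24 passwords means 24 PBKDF2 computations; that cost is deliberate and is the reason the depth is capped. Substring matching on the user ID and names is intentionally strict, so "Jdoe" is rejected even with a different case. The checker does not implement the six-attempt lockout, which belongs in the authentication service rather than in a password-quality check.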

RESPONSIBILITIES

Policy Authority/Enforcement:  The University's Chief Information Security Officer (CISO) is responsible for the development, publication, modification and oversight of these policies and standards. The CISO works in conjunction with University Leadership, Information Technology, Risk, Audit, and Compliance, and others for development, monitoring and enforcement of these policies and standards.

Policy Compliance: Failure to comply with these policies and standards and/or any related information security and/or information technology policy, standard or procedure may result in disciplinary action up to and including termination of employment, services or relationship with the University and/or action in accordance with local ordinances, state or federal laws.

ADMINISTRATIVE AUTHORITY

Executive Vice President and University Provost

RESPONSIBLE UNIVERSITY DEPARTMENT/DIVISION

Information Technology Services

Miller IT Center, Louisville, KY 40292

502/852-7997

HISTORY

This policy is subject to change or termination by the University at any time. This policy SUPERSEDES all prior policies, procedures or advisories pertaining to the same subject.

This policy will be reviewed annually to determine if the policy addresses University risk exposure and is in compliance with the applicable security regulations and University direction. In the event that significant regulatory changes occur, this policy will be reviewed and updated as needed per the Policy Management process.

Approved July 23, 2007 by the Compliance Oversight Council
Shirley C Willihnganz, Executive Vice President and University Provost, Chair of the Compliance Oversight Council

Revision Date(s):

1.0 / July 23, 2007 / Original Publication

1.1 / January 31, 2011 / Revised special characters accepted

1.2 / November 16, 2011 / Add that passwords are to be known only by the owner of the account.

1.3 / January 29, 2013 / Content Review and update

1.4 / September 26, 2014 / Content update regarding length of time for password expiration

2.0 / March 8, 2016 / Review/update content and update to template format

2.1 / June 18, 2017 / Review and clarify (re-organize) password specifications

2.1 / June 30, 2018 / Update to replace should with must where needed

2.2 / October 11, 2024 / Review and update content to align policy with NIST guidelines and transfer responsible authority

Reviewed Date(s):  March 8, 2016; June 18, 2017; June 30, 2018; October 11, 2024

The University Policy and Procedure Library is updated regularly. In order to ensure a printed copy of this document is current, please access it online at http://louisville.edu/policies.