The purpose of this policy is to establish minimum requirements for the creation and protection of passwords.

All computer accounts must be password protected to help maintain the confidentiality and integrity of electronic data as well as to help protect the University’s computing resources and infrastructure. This policy establishes a minimum standard for creation of strong passwords, the protection of those passwords, and the frequency of change.

General

• Passwords to university accounts and devices must be kept confidential.
• To preserve account integrity, the owner of the account must be the only person with knowledge of the password.
• No user is required to share a university account password with another individual; including but not limited to managers, co-workers, or technical staff.
• Passwords that have been or suspected to have been compromised must be changed immediately.

UofL Network and/or Enterprise System/Application Accounts
  (In addition to the general standard above, these standards apply to UofL network and enterprise system/application accounts)

• Account holders should set up their challenge questions to facilitate self-service password resets (go to ULink).
• Notification of password expiration will be provided to account holders 30 days in advance of the password expiration and three additional times: 15, five, and one day before expiration.
• Passwords used for shared/service accounts must be changed immediately if compromised or when a holder transfers or leaves the university.
• Passwords allowing for temporary access to production environments for problem resolution must be changed immediately or the account terminated following use.
• Initial access (first time log in) passwords must be changed immediately upon login.
• Passwords or pass phrases must be encrypted and not stored in clear text or in viewable, non-secured hardcopy.

Technical Standards:

General

• Passwords must expire every 180 days.
• Passwords to systems containing sensitive information, including electronic Protected Health Information (ePHI) must be changed no less often than every 90 days.
• Passwords must be between 8 and 16 characters in length.
• Passwords to systems containing sensitive information, including ePHI must be at least 8 positions in length.
• Strong passwords must be used. A strong password must include a combination of:
  • At least 1 special character except &, >, ", <, ;
  • At least 1 number character
  • At least 1 lower case character
  • At least 1 upper case character
• Password must not match or contain user ID.
• Password must not contain more than four identical characters in a row.
• Password must not contain the user’s first name or last name.
• Passwords to systems containing sensitive information, including ePHI, must require at least three of the four criteria specified immediately above.
• Passwords must not consist solely of personal information or words found in a dictionary (any language). Passwords must not be set to easily guessable words like the word “password”.
• The following words are restricted from use:  Louisville, UofL, Cards, Cardinals, L1C4 and any variation of the current year (i.e., 2018).
• Password use and security can be facilitated using the university’s password web site. For more information go to ULink and see the "Information Technology/Change Password" option.
• Password history must be securely maintained and passwords not repeated for a period of 24 months or equivalent iterations/previously used password versions.
• Access accounts will be locked after six invalid login attempts.

UofL Network and/or Enterprise Software Accounts
(In addition to the general standards above, these standards apply to UofL network and enterprise software accounts)

• Expiring passwords should be used for privileged accounts wherever feasible.
• Passwords (individual and shared/service accounts) should expire every 90 days and meet the sensitive information complexity requirements.

Software that is unable to comply with the minimal password standards must establish compensating controls to maintain equivalent protection.

Policy Authority/Enforcement: The University's Information Security Officer (ISO) is responsible for the development, publication, modification and oversight of these policies and standards. The ISO works in conjunction with University Leadership, Information Technology, Audit Services and others for development, monitoring and enforcement of these policies and standards.

Policy Compliance: Failure to comply with these policies and standards and/or any related information security and/or information technology policy, standard or procedure may result in disciplinary action up to and including termination of employment, services or relationship with the University and/or action in accordance with local ordinances, state or federal laws.