The UGA Password Policy establishes the position that poor password management or construction imposes risks to the security of University information systems and resources. Standards for construction and management of passwords greatly reduce these risks.
This document describes the acceptable standards for password construction and management.
The requirements in this standard apply to passwords for any computing account on any university computer resource, to the users of any such accounts, and to system administrators and developers who manage or design systems that require passwords for authentication.
4.1.1 Minimum Password Length
Passwords shall have a minimum of eight characters with a mix of alphanumeric and special characters; if a particular system will not support eight-character passwords, then the maximum number of characters allowed by that system shall be used.
4.1.2 Password Composition
Passwords shall not be composed of one or more dictionary words in any language, human or artificial.
Passwords shall not consist of well-known or publicly posted identification information. Names, usernames such as the MyID, and ID numbers such as the 810 or CAN are all examples of well-known identification information that should not be used as a password.
Additional password construction guidelines can be found in Appendix A - Password Construction Guidelines.
4.2.1 Password Storage
Passwords shall be memorized and never written down or recorded along with corresponding account information or usernames.
Passwords must not be remembered by unencrypted computer applications such as email. Use of an encrypted password storage application is acceptable, although extreme care must be taken to protect access to said application.
4.2.2 Password Aging
Users must change their passwords at least twice per year with the new password incorporating at least 3 changed characters.
4.2.3 Password Reuse
Care shall be taken to prevent the compromise of one username/password from compromising the security of multiple systems or resources. Users shall not use the username and password combination from any non-UGA account as the username and password for their UGA MyID or other UGA account.
4.2.4 Password Sharing and Transfer
Passwords shall not be transferred or shared with others unless the user obtains appropriate authorization to do so.
When it is necessary to disseminate passwords in writing, reasonable measures shall be taken to protect the password from unauthorized access. For example, after memorizing the password, one must destroy the written record.
When communicating a password to an authorized individual orally, take measures to ensure that the password is not overheard by unauthorized individuals.
4.2.5 Electronic Transmission
Passwords shall not be transferred electronically over the Internet using insecure methods. Wherever possible, security protocols including IMAPS, FTPS, HTTPS, etc. shall be used.
4.2.6 Requirements for System Administrators
4.2.6.1 Require Passwords for Login - Systems shall not be configured to allow user login without a password. Exceptions shall be granted for specialized devices such as public access kiosks when these devices are configured with public user accounts that have extremely restricted permissions (e.g. web only) that are separate from administrative accounts.
4.2.6.2 Protect Against Password Hacking - System administrators shall harden their systems to deter password cracking by using reasonable methods to mitigate “brute force” password attacks. For example, some systems will lock an account for a few minutes after several failed login attempts, or detect where the attack is coming from and block further attempts from that location, or at minimum raise an alert in real time that an attack is underway so that manual action can be taken.
4.2.6.3 Logging - Practicable measures shall be put in place to log successful and failed login attempts.
4.2.6.4 Changing Password after Compromise or Disclosure - System administrators shall, in a timely manner, reset passwords for user accounts or require users to reset their own passwords in situations where continued use of a password creates risk of unauthorized access to the computing account or resource. Examples of these situations include but are not limited to: disclosure of a password to an unauthorized person; discovery of a password by an unauthorized person; system compromise (unauthorized access to a system or account); insecure transmission of a password; replacing the user of an account with another individual requiring access to the same account; password is provided to IT support staff in order to resolve a technical issue; account password is communicated to a user by the system administrator.
4.2.6.5 Default Passwords - System administrators shall not use default passwords for administrative accounts.
4.2.7 Requirements for Application Developers
4.2.7.1 Require Secure Transmission - Application developers shall, whenever possible, develop applications that require secure protocols for authentication.
4.2.7.2 Storing Passwords - Application developers shall avoid creating applications which store passwords. If password storage cannot be avoided, application developers shall ensure that applications do not store passwords in clear text or an easily decrypted format.
4.2.7.3 Unique User Accounts and Passwords - Applications shall support unique user accounts and passwords so that individual users are not required to share a password in order to use the application.
4.2.7.4 Use MyID and Password Whenever Possible - Applications shall, whenever capable, use the UGA MyID and its associated password for authenticating members of the UGA community instead of creating another unique ID or username.
Each University department/unit is responsible for implementing, reviewing and monitoring internal policies, practices, etc. to assure compliance with this standard.
The Office of Chief Information Officer is responsible for enforcing this standard.
Non-compliance with these standards may incur the same types of disciplinary measures and consequences as violations of other University policies, including progressive discipline up to and including termination of employment, or, in the cases where students are involved, reporting of a Student Code of Conduct violation.
Any device that does not meet the minimum security requirements outlined in this standard may be removed from the UGA network, disabled, etc. as appropriate until the device can comply with this standard.
Exceptions may be granted in cases where security risks are mitigated by alternative methods, or in cases where security risks are at a low, acceptable level and compliance with minimum security requirements would interfere with legitimate academic or business needs. To request a security exception, contact the Office of Information Security at email@example.com.