The University of Texas at San Antonio
Office of Information Technology
Office of Information Security (OIS) Standards
OIS 25 – Standard for Passphrase and Passwords
I. STANDARD STATEMENT
Passwords are a critical component of computer security, providing front-line protection for electronic resources by reducing unauthorized access. Passwords are required for all University computing devices that are connected to the network. It is always recommended to use passphrases when possible. Passphrases are required, in conjunction with the myUTSA ID, when accessing UTSA information resources.
A department and/or system administrator may implement a more restrictive policy on local systems where it is deemed appropriate or necessary for the security of confidential data.
This standard supports HOP Policy 8-12, Information Resources Use and Security Policy.
This standard applies to all UTSA faculty, staff, and students.
If you have any questions about OIS 25 – Standard for Passphrase and Passwords, contact the following office:
The Office of Information Security
1. PROTECTING PASSWORDS AND PASSPHRASES
a. Never share passphrases/passwords with anyone, including family members, supervisors, co-workers, or OIT personnel.
b. Do not include passphrases/passwords in email messages unless authorized by the Office of Information Security (OIS).
c. Do not write passphrases/passwords down.
d. If passphrases/passwords must be stored, they must be encrypted.
e. Passphrases/passwords shall be treated as confidential information (Category 1).
f. Do not enter passwords/passphrases in forms or on sites that look suspicious; always verify legitimacy if unsure.
2. PASSPHRASES (Applies to passphrases used to log in to myUTSA accounts).
a. Minimum Passphrase Requirements:
i. Be at least 15 characters long.
ii. Be no more than 127 characters long.
– Some applications limit the number of characters that can be used.
iii. Not be used for the user’s other UTSA and non-UTSA accounts.
iv. Not consist of a common phrase.
v. Not be based on something that’s guessable by knowing you or by reviewing information about you.
vi. Not consist of letter or number patterns.
vii. Not be similar to the user’s previous passphrases.
b. Highly Encouraged Passphrase Recommendations
i. Use at least one lower-case letter, one upper-case letter, one number, and one special character.
ii. Change the passphrase on a periodic basis (e.g., quarterly, annually).
c. Passphrase Construction Options
i. Create a passphrase consisting of several words that you can remember but that is not easily guessable.
– Example: the words “burro”, “electric”, and “sad” could be used to create the 16-character passphrase “sadburroelectric” or the 18-character passphrase “Sad Electric Burro”.
ii. Create a passphrase using the first letter of each word in a sentence that you can remember but that is not easily guessable.
– Example: the sentence “You ate the last taco so now I have to find something else to eat!” could be used to create the 16-character passphrase “YatltsnIhtfsete!”
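A checker for the minimum passphrase requirements in 2a, added here as an example and not UTSA's or OIT's own code or tooling. The common-phrase list, the pattern rule (a run of four repeated or consecutive letters/digits), the caller-supplied personal-information tokens and the 80% similarity threshold for "similar to a previous passphrase" are assumptions; requirement iii (reuse on other accounts) cannot be checked locally.

```python
"""Check a candidate passphrase against the section 2a minimum requirements.

Added example, not UTSA's own code. COMMON_PHRASES, the pattern rule and the
similarity threshold are assumptions standing in for production word lists.
"""
from difflib import SequenceMatcher

MIN_LEN, MAX_LEN = 15, 127

# Constructed stand-in for a real common-phrase / breached-password list.
COMMON_PHRASES = {"correcthorsebatterystaple", "tobeornottobe", "letmeinplease"}


def _normalize(s: str) -> str:
    """Lower-case and keep only letters/digits so spacing and case are ignored."""
    return "".join(ch for ch in s.lower() if ch.isalnum())


def _has_pattern(s: str, run: int = 4) -> bool:
    """True if any `run` consecutive letters or digits repeat, ascend or descend."""
    norm = _normalize(s)
    for i in range(len(norm) - run + 1):
        chunk = norm[i:i + run]
        if not (chunk.isalpha() or chunk.isdigit()):
            continue
        codes = [ord(c) for c in chunk]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps in ({0}, {1}, {-1}):  # aaaa, abcd, 4321 ...
            return True
    return False


def check_passphrase(candidate: str, previous=(), personal=()) -> list:
    """Return the list of violated 2a requirements; an empty list means it passes."""
    problems = []
    if len(candidate) < MIN_LEN:
        problems.append("i: shorter than 15 characters")
    if len(candidate) > MAX_LEN:
        problems.append("ii: longer than 127 characters")
    norm = _normalize(candidate)
    if norm in COMMON_PHRASES:
        problems.append("iv: common phrase")
    # Requirement v: tokens the caller knows about the user (assumption).
    if any(_normalize(p) and _normalize(p) in norm for p in personal):
        problems.append("v: contains personal information")
    if _has_pattern(candidate):
        problems.append("vi: letter or number pattern")
    for old in previous:  # requirement vii, 80% similarity is an assumption
        if SequenceMatcher(None, norm, _normalize(old)).ratio() >= 0.8:
            problems.append("vii: similar to a previous passphrase")
            break
    return problems
```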
3. PASSWORDS (UTSA requires that any system employing user authentication via passwords must meet the minimum requirements stated below).
a. Minimum Password Requirements
i. Be at least eight characters long with 15 characters being preferred.
ii. Contain at least one upper- and lower-case character.
iii. Contain at least one number and special character (where applicable).
iv. Not be used for the user’s other UTSA and non-UTSA accounts.
v. Not be a word or acronym found in any dictionary.
vi. Not be based on personal information, names of family, birthdates, etc.
vii. Be changed every 180 days (Server/Application passwords only).
viii. Vendor/application default passwords must be changed.
4. ACTIVE DIRECTORY CONFIGURATION (Applies to general network configuration regarding passphrases and passwords, where applicable).
a. Minimum Network Configurations
i. Enforce Password History = 6 passwords
ii. Maximum Password Age = 0
iii. Minimum Password Age = 24 hours
iv. Minimum Password Length = 15
v. Password Must Meet Complexity Requirement = none
vi. Store Passwords Using Reversible Encryption = Disabled
5. SERVICE AND APPLICATION SERVICE ACCOUNTS
1. Service and application service account password requirements are determined by the process/application that the service account supports.
2. Service accounts created by OIT ES (Enterprise Services) conform to this standard.
6. ADDITIONAL CONTROLS TO ENHANCE PASSPHRASES AND PASSWORDS
1. Two-Factor Authentication (2FA) is to be applied, where practical or required, in combination with passphrases and passwords to further enhance protection of resources against unauthorized access.
2. If a passphrase, password or account is suspected of being compromised, OIS will initiate notification and any other steps deemed necessary to change the passphrase or password.
Effective Date: October 7, 2010
Last Revised: June 1, 2018
Last Reviewed: June 1, 2018