UH Secure Passwords Practices
- Password policy version: 12/07/2009
- Password policy implementation date: 04/08/2010 06:30 AM
- Password policy: password strength
  - Passwords must be a minimum of eight characters long; the maximum length is 32 characters.
  - Passwords must contain at least one lowercase letter, one uppercase letter, one number, and one special character (see reference).
  - Passwords must not be obvious (e.g. not a dictionary word or combination of words, your name, your UH Username, etc.).
  - The owner shall be required to change temporary passwords at the first logon or within 7 days.
- Password policy: personal responsibilities
  - Passwords shall be kept confidential at all times.
  - Passwords shall not be used in any unsecured automated logon process.
  - Passwords shall be changed as soon as possible if there is an indication of possible system or password compromise.
- Password policy: password administration
  - Require strong passwords for all UH Usernames. As of this policy's effective date, strong passwords will be required for all new passwords and all password resets.
  - Require as part of the password reset process a confirmation that the owner understands and agrees to the applicable policies governing usage.
  - Provide guidelines for creating strong, yet easily remembered passwords: Password Selection Guidelines.
  - Rate limit password guessing in order to mitigate brute force attempts to crack a password. If a password is entered incorrectly 7 consecutive times within 4 minutes, lock the password for 4 minutes (more information is available).
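
The rate-limiting rule above, sketched as an added example (not UH's code and not part of the original policy). It assumes "consecutive" means a successful logon resets the count, that the seven failures are measured over a sliding 4-minute window, and that counting restarts once a lock expires; `LockoutTracker` and its method names are hypothetical.

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 7         # consecutive incorrect entries, from the policy
WINDOW_SECONDS = 4 * 60  # the 7 failures must fall within 4 minutes
LOCK_SECONDS = 4 * 60    # lock duration, from the policy


class LockoutTracker:
    """Hypothetical per-username failure tracker (not UH's implementation)."""

    def __init__(self):
        # Only the last MAX_FAILURES failure times are kept per username.
        self._failures = defaultdict(lambda: deque(maxlen=MAX_FAILURES))
        self._locked_until = {}

    def is_locked(self, username, now=None):
        now = time.monotonic() if now is None else now
        until = self._locked_until.get(username)
        if until is not None and now >= until:
            # Lock expired: start counting from zero again (assumption).
            del self._locked_until[username]
            self._failures.pop(username, None)
            until = None
        return until is not None

    def record(self, username, password_ok, now=None):
        """Return 'locked', 'ok' or 'failed' for one logon attempt."""
        now = time.monotonic() if now is None else now
        if self.is_locked(username, now):
            # Ignore the result while locked, so guesses made during the
            # lock learn nothing, even if one of them is correct.
            return "locked"
        if password_ok:
            self._failures.pop(username, None)  # success breaks the streak
            return "ok"
        streak = self._failures[username]
        streak.append(now)
        if len(streak) == MAX_FAILURES and now - streak[0] <= WINDOW_SECONDS:
            self._locked_until[username] = now + LOCK_SECONDS
        return "failed"


if __name__ == "__main__":
    # Constructed sample: seven wrong passwords, ten seconds apart.
    tracker = LockoutTracker()
    for t in range(0, 70, 10):
        print(t, tracker.record("jdoe", False, now=t))
    print(100, tracker.record("jdoe", True, now=100))  # correct, but locked
```

This version keeps its counters in one process's memory; a service running on several servers would need to hold the same state in shared storage for the limit to apply across all of them.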
Questions and Answers
- Question: Why do we need stronger passwords? They are harder to create and remember.
  - They are much more secure and do a much better job of protecting your privacy. The UH ITS Security office has seen a number of UH Username compromises. Weak passwords are one of the reasons why UH Usernames get compromised. There is an abundance of software on the internet designed to probe our services and test for weak passwords. Additionally, the University is preparing to join the InCommon Federation so that members of the UH community can, in the future, access additional resources with their UH credentials (UH Username and password). The InCommon Federation provides operational guidelines specifying, among other things, strong passwords.