Policy Number: 12-006

Authentication Management Policy

Category: Information Technology

Responsible Executive: Vice President and Chief Information Officer

Responsible Office: Vice President and Chief Information Officer

  1. Purpose Authentication mechanisms such as passwords are the primary means of protecting access to computer systems and data. It is essential that these authenticators be strongly constructed and used in a manner that prevents their compromise.
  2. Applicability This policy applies to all passwords and other authentication methods used at the University.
  3. Definitions University of Florida Data: Data in any format collected, developed, maintained or managed by or on behalf of the University, or within the scope of University activities. The terms ‘data’ and ‘information’ are used interchangeably in the context of the information security program.

Information System: An individual or collection of computing and networking equipment and software used to perform a discrete business function. Examples include the eLearning System, ISIS, the EPIC electronic medical records system, a lab system and associated PC or the set of desktop computers used to perform general duties in a department.

4. Policy Statement

  1. Access to all university data and systems not intended for unrestricted public access requires authentication.
  2. Passwords and other authenticators must be constructed to have a resistance to attack commensurate with the level of system or data access granted to the account.
  3. Systems must be designed and configured to protect passwords during storage and transmission.
  4. No one may require another to share the password to an individually assigned university account, for example as a condition of employment or in order to provide technical support.

Additional Resources

AUTHENTICATION MANAGEMENT STANDARD

Standard:

  1. Accounts are assigned to one of the following levels of password policy, based upon an individual or account’s security roles(s), level of system access or classification of data to which the account grants access.
    P1 : Entry. Accounts providing access to basic university services, such as the campus network, but no access to Sensitive or Restricted data.
    P2 : Low. Accounts providing access to information only about oneself, no access to other Sensitive or Restricted data.
    P3 : Medium. Accounts providing access to information about others, provide data at unit level, access to Sensitive data and limited amounts of Restricted data.
    P4 : High. Accounts providing access to information at the institutional level, access to Restricted data (including Protected Health Information), privileged access to a system not containing Restricted data.
    P5 : Rigorous. Accounts providing access to control institutional systems, privileged access to a system containing Restricted data.
  2. Each person affiliated with UF has one or more security roles; levels of system access; or access to data with different classification, each with varying password policies. If an individual has several roles, with conflicting levels of password policy, the “strongest” policy applies.
  3. Upon creation or reset of an account, the system should prompt the user to create an initial password that complies with the Password Complexity Standard. In cases where this is not possible, the initial password must be unique, comply with the Password Complexity Standard, and require that the user change the password upon the first use.
  4. Default passwords included as a part of any system must be changed as soon as practical, and in all cases prior to the system being placed into production use.
  5. Passwords must never be stored in cleartext. Stored passwords above P3 should, whenever possible, be salted and hashed using encryption mechanisms intended for passwords, such as bcrypt or PBKDF2.
  6. Transmission of passwords over any network must be encrypted.
  7. All systems utilizing passwords must enforce the following requirements:
    1. Passwords must comply with the Password Complexity Standard.
    2. All users must read the Acceptable Use Policy before creating or changing a password.
    3. Users are advised in advance of password expiration, typically 14 days.
    4. Passwords with levels P1-­P4 may be reset over the phone or using an online mechanism, once identity is verified using non-­‐‑public information.
    5. Passwords with level P5 may only be reset in person, and upon physical verification of identity.
    6. Users with passwords of levels P4-­P5 must pass a quiz at least once per year, demonstrating knowledge of password security requirements.
  8. Passwords that can be independently discovered via internal testing, shared or publically disclosed shall be expired immediately.
  9. The passwords to system and service accounts essential to the operation of an information system must be known or accessible to more than a single person. Such passwords must meet the requirements for level P5, be stored in a secure manner, and changed on a schedule relative to the risk of exposure and at a minimum when those with knowledge of the password terminate or are re-­assigned.

References:

NIST 800-­‐‑53 revision 3: AC-­‐‑7, IA-­‐‑5, IA-­‐‑5 (1), IA-­‐‑7
http://en.wikipedia.org/wiki/Bcrypt
http://en.wikipedia.org/wiki/PBKDF2

Effective Date:

July 15, 2013

 

PASSWORD COMPLEXITY STANDARD

PURPOSE:

To define minimum password complexity requirements based upon assigned password policy levels.

STANDARD:

  1. Password construction attributes (Table 1) for each password policy level are selected to achieve the specified minimum entropy.
  2. Password composition rules require the inclusion of 3 of the 4 following character sets: lowercase letters, uppercase letters, numerals and special characters. Allowable special characters are ~!@#$%^&*()_+|`-=\{}[]:”;’<>?,./ and the space character (depending on system support). Passwords may not include words of more than 4 characters, as tested against a dictionary of at least 50,000 words.
  3. For all policy levels, the selection of a passphrase of at least 18 characters eliminates the password composition rules and dictionary check. Passphrases are subject to minimal tests to prevent use of common or trivial phrases.
  4. Two-Factor Authentication is required for policy level P6 and optional for all faculty, staff, students, and affiliates. Faculty, staff, students, and affiliates whose accounts are compromised will be required to enroll in Two-Factor Authentication.

Table 1 – Password Construction Attributes

Attribute P1 P2 P3 P4 P5 P6
Minimum entropy bits 30 30 30 31.5 31.5 31.5
Minimum length of password 8 8 8 9 9 9
Maximum age of password (in days) 365 365 365 180 180 365
Password minimum age for reset (in
days)		 1 1 1 1 1 1
Password uniqueness/history (days) 200 200 200 200 200 200
Failed attempts before lockout 10 10 10 10 10 10
Lockout duration (minutes) 30 30 30 30 30 30

REFERENCES:

SEC-AC-002.01: Authentication Management Standard
NIST Special Publication 800-63-3: Digital Identity Guidelines
UF Two-Factor Authentication https://it.ufl.edu/two-factor

EFFECTIVE DATE:

June 24, 2015

REVISED DATE:

December 17, 2018

MORE INFORMATION

PDF Downloads

History

Revision Date Description
July 11, 2013 Policy originally adopted
Policy updated