Purpose:

To define minimum password complexity requirements based upon assigned password policy levels.

Standard:

  1. Password construction attributes (Table 1) for each password policy level are selected to achieve the specified minimum entropy.
  2. Password composition rules require the inclusion of 3 of the 4 following character sets: lowercase letters, uppercase letters, numerals and special characters. Allowable special characters are ~!@#$%^&*()_+|`-=\{}[]:”;’<>?,./ and the space character (depending on system support). Passwords may not include words of more than 4 characters, as tested against a dictionary of at least 50,000 words.
  3. For all policy levels, the selection of a passphrase of at least 18 characters eliminates the password composition rules and dictionary check. Passphrases are subject to minimal tests to prevent use of common or trivial phrases.
  4. Two-Factor Authentication is required for policy level P6 and optional for all faculty, staff and affiliates. Faculty, staff and affiliates whose accounts are compromised will be required to enroll in Two-Factor Authentication.

Table 1 – Password Construction Attributes

AttributeP1P2P3P4P5P6
Minimum entropy bits30303031.531.531.5
Minimum length of password888999
Maximum age of password (in days)36536536518018090
Password minimum age for reset (in
days)
111111
Password uniqueness/history (days)200200200200200200
Failed attempts before lockout10101010106
Lockout duration (minutes)303030303030

References:

SEC-AC-002.01: Authentication Management Standard
NIST Special Publication 800-63 revision 1: Electronic Authentication Guideline
PCI Data Security Standard 2.0
UF Two-Factor Authentication https://it.ufl.edu/two-factor

Effective Date:

June 24, 2015

More Information

Related Standards

PDF Downloads