Introduction
This policy establishes requirements for password creation, management, and protection across all account types at the University. The goal is to safeguard institutional, student, research, and regulated data in compliance with applicable laws and frameworks.
This policy applies to all accounts used to access University technology resources and regulated data. Specifically it covers:
- Centrally Managed Accounts – Accounts provisioned and authenticated through the University’s centralized identity and access management services (e.g., Active Directory domain accounts, federated Single Sign-On [SSO]).
- Local Accounts – Accounts created and managed directly on individual systems, devices, applications, or appliances when centralized authentication is not available or not supported.
This scope includes, but is not limited to, faculty, staff, students, contractors, alumni, service accounts, and privileged/administrative accounts.
Definitions
See Information Technology and Security Definitions
Web Address For This Policy
To Be Determined
Policy
The University shall develop, implement, and regularly review a formal, documented process for appropriately creating, modifying, and safeguarding passwords used to validate a user’s identity and establish access to the University’s information systems and data. System Administrators shall ensure that passwords meet the following complexity requirements:
- General Requirements (All Accounts)
  - Passwords must contain a combination of upper and lowercase letters and at least one number or symbol.
  - Passwords must not be the same as the user ID.
  - Passwords must be different from the previous six (6) passwords used.
  - Passwords must be reset immediately if suspected of compromise.
  - Passwords must not contain commonly used dictionary words (e.g., Sooner, Boomer, Password, QWERTY).
  - Passwords must be stored only using approved cryptographic hashing algorithms with unique salts.
  - Passwords must not be transmitted in cleartext.
- Staff, Faculty, and Student Accounts
  - Passwords must have a minimum length of twelve (12) characters.
  - Identity verification shall be required by the IT Service Desk for password resets.
  - Passwords must expire every 365 days.
- Privileged (Admin) Accounts
  - Passwords must have a minimum length of sixteen (16) characters.
  - Passwords must expire every 365 days.
- Service Accounts
  - Passwords must have a minimum length of twenty (20) characters.
  - Passwords must be changed every 365 days, except:
    - Service accounts that can only be invoked by a built-in privileged account; or
    - Service accounts where changing the password will result in an extended disruption of service, in which case an IT Security Exception must be submitted.
- Shared Accounts
  - Passwords must have a minimum length of eight (8) characters.
  - Passwords must expire every thirty (30) days.
- Criminal Justice Information System (CJIS) Accounts
  - Passwords must have a minimum length of eight (8) characters.
  - Passwords must be different from the previous ten (10) passwords used.
  - Users must not select passwords that are easily guessed, appear on lists of commonly used or compromised passwords, or incorporate predictable patterns (e.g., season + year).
  - The Department subject to CJIS shall provide examples of disallowed passwords and password construction guidance as part of annual CJIS Security Awareness Training. Users are responsible for ensuring password complexity and uniqueness.
- Alumni Accounts
  - Passwords must have a minimum length of eight (8) characters.
  - Passwords must expire every 365 days.
- Accounts Outside Centralized Authentication Services
  - Passwords must have a minimum length of twelve (12) characters.
  - Passwords must be different from the previous six (6) passwords.
  - Passwords must expire immediately when suspected of compromise.
- Exceptions
  - Exceptions must be formally approved by OU IT Information Security with documented compensating controls.
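A validator that encodes the per-account-class rules above (minimum length, character mix, user-ID match, blocked dictionary words, the CJIS season + year pattern, and a salted-hash history of six or ten), added here as an illustration and not part of the University policy; the account class names, the PBKDF2 parameters and the short blocklist are assumptions.

```python
import hashlib
import hmac
import os
import re

# Minimum lengths per account class, as stated in the policy (class names assumed).
MIN_LENGTH = {"staff": 12, "faculty": 12, "student": 12, "privileged": 16,
              "service": 20, "shared": 8, "cjis": 8, "alumni": 8, "local": 12}
HISTORY_DEPTH = {"cjis": 10}   # every other class: the previous six passwords
DEFAULT_HISTORY = 6
# Constructed blocklist seeded with the policy's own examples; a real deployment
# would load a full dictionary and a breached-password list here.
BLOCKED_WORDS = {"sooner", "boomer", "password", "qwerty"}
SEASON_YEAR = re.compile(r"(spring|summer|fall|autumn|winter)[\W_]*\d{2,4}", re.I)
PBKDF2_ITERATIONS = 100_000    # assumed; tune to the site's cost target

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for the history store."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

def in_history(password, history, depth):
    """True if password equals any of the last `depth` stored (salt, digest) pairs."""
    for salt, digest in history[-depth:]:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            return True
    return False

def check_password(password, account_type, user_id, history=()):
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH[account_type]:
        problems.append(f"shorter than {MIN_LENGTH[account_type]} characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs both upper- and lowercase letters")
    if not re.search(r"[\d\W_]", password):
        problems.append("needs at least one number or symbol")
    if password.lower() == user_id.lower():
        problems.append("same as user ID")
    if any(word in password.lower() for word in BLOCKED_WORDS):
        problems.append("contains a blocked dictionary word")
    if account_type == "cjis" and SEASON_YEAR.search(password):
        problems.append("predictable season + year pattern")
    depth = HISTORY_DEPTH.get(account_type, DEFAULT_HISTORY)
    if in_history(password, list(history), depth):
        problems.append(f"matches one of the previous {depth} passwords")
    return problems
```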
References
- National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)
- General Data Protection Regulation (GDPR)
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Payment Card Industry (PCI) Data Security Standards
- National Institute of Standards and Technology Special Publication 800-17, Controlled Unclassified Information
- Gramm-Leach-Bliley Act (GLBA)
- Family Educational Rights and Privacy Act (FERPA)
- Criminal Justice Information Systems Policy
Revision, Review, and Approval History
- July 2020: Baseline version approved by the President.
- October 2025: Added CJIS password policy requirements.