Password Standards
Scope
This standard covers the minimum password requirements for all electronic devices owned or leased by Loyola that can be protected by a password.
Purpose
To ensure that all electronic devices are secured by a password of a certain complexity, and to ensure that more sensitive devices require more complicated passwords.
Standards
Network Passwords
All network passwords will be a minimum of twelve characters long with a maximum length of 20 characters. All network passwords must contain at least one lowercase letter and one uppercase letter. Passwords must also be a combination of letters and numbers, letters and symbols, or letters, numbers, and symbols. Known weak passwords and their variants are not accepted during password changes. If easily guessable words such as “password” or “Loyola” are used, additional length/complexity must be added before the new password is accepted. Network passwords do not expire unless there is an indication that the account has been compromised. ITS reserves the right to manually expire the password of an account that appears to be compromised and will notify the user when this happens. When a network password is changed, the new password must not be any password used on that account within the previous 500 days.
Privileged Passwords
All passwords for accounts that have additional privileges beyond those of a normal user must be at least twelve characters long and contain at least three of the four character classes (see Definitions section below). All privileged passwords are required to be changed every 180 days. No privileged password can be based on a word that is found in a dictionary. When a privileged password is changed, it cannot be set to its previous value. Privileged passwords cannot be provided to student workers.
- Examples of privileged passwords include root, super user, and administrator passwords for servers, databases, infrastructure devices, and other systems.
- All passwords used to access resources in the High Security (PCI) environment are considered above this level and are thus held to even higher standards (see High Security Accounts section of this policy).
- Privileged passwords also include application accounts that provide rights beyond those of a typical user.
- If a user is unsure if a given account is privileged, they must assume that it is.
Non-network Passwords
All devices that do not use the network to authenticate users must follow the same password standards as listed under Network Passwords. Operating systems that store password history must store the previous 10 passwords. Operating systems that do not store password history must ensure that the new password is different from the previous password.
Mobile device Passcodes
Users of mobile devices used to access Loyola email or other Loyola resources must ensure that the mobile device locks automatically and has a strong passcode.
- Acceptable mobile passcodes must use one of the following. Passwords or passcodes that do not meet these requirements cannot be used.
- Alphanumeric Code (minimum 6 characters)
- Numeric Code (minimum 4 digits)
- Fingerprint Scanner
- Facial Recognition
- The device must be set to automatically lock out access after ten incorrect passcode attempts.
- Mobile devices that cannot be configured with a password will not be allowed to access Loyola email or Loyola resources.
- If a mobile device that does not meet these standards must be connected to Loyola email or other Loyola resources, the end user must consult with the Information Security team at DataSecurity@luc.edu to discuss the situation.
- The Information Security team will advise the end user on the type of password that should be used.
Service Passwords
All passwords used to allow servers to communicate with one another in an automated fashion require stronger passwords as they are infrequently changed. They must be at least 20 characters long and contain at least two characters from each of the four character classes. Service passwords cannot be provided to student workers. Service account passwords must be changed whenever the administrator responsible for the account leaves the organization or changes roles.
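The Network, Privileged and Service tiers above differ only in a handful of measurable properties (length, character classes, weak-word variants, reuse), so they can be enforced mechanically. The validator below is an added example written for this page, not code from Loyola's password system. Its assumptions: the weak-word list beyond "password" and "Loyola" is a constructed stand-in for a real breach corpus, the leet-speak folding table used to catch variants is the author's, the same small list stands in for a dictionary when checking privileged passwords, any password containing a weak-word variant is rejected outright (the standard says length/complexity must be added), and history is passed as plain strings purely for illustration.

```python
from __future__ import annotations
import string

# Words the standard names as easily guessable ("password", "Loyola"). The
# remaining entries are a constructed stand-in for an organisation's
# known-weak list (assumption); a real deployment would load a breach corpus.
# A tuple keeps the match order deterministic.
WEAK_WORDS = ("password", "loyola", "qwerty", "welcome")

# Substitutions folded away so that variants such as "P@ssw0rd" still match
# "password". The table itself is an assumption, not taken from the page.
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw: str) -> str:
    """Lower-case and un-leet a candidate so variant spellings collapse."""
    return pw.lower().translate(_LEET)


def weak_word_in(pw: str) -> str | None:
    """Return the first known-weak word whose variant appears in pw, else None."""
    folded = normalize(pw)
    for word in WEAK_WORDS:
        if word in folded:
            return word
    return None


def class_counts(pw: str) -> dict[str, int]:
    """Count characters per class as defined in the standard's Definitions."""
    counts = {"lower": 0, "upper": 0, "digit": 0, "special": 0}
    for c in pw:
        if c.islower():
            counts["lower"] += 1
        elif c.isupper():
            counts["upper"] += 1
        elif c.isdigit():
            counts["digit"] += 1
        elif c in string.punctuation:   # typeable, not in the other three classes
            counts["special"] += 1
    return counts


def check_password(pw: str, tier: str, history: tuple[str, ...] = ()) -> list[str]:
    """Return the standard violations for pw at the given tier; [] means accepted.

    tier is "network", "privileged" or "service". history holds earlier
    passwords for the account, most recent last; it is plain text here only
    for illustration, a real system compares salted hashes.
    """
    problems: list[str] = []
    n = len(pw)
    counts = class_counts(pw)
    classes_present = sum(1 for v in counts.values() if v > 0)
    weak = weak_word_in(pw)

    if tier == "network":
        if not 12 <= n <= 20:
            problems.append("length must be 12-20 characters")
        if counts["lower"] == 0 or counts["upper"] == 0:
            problems.append("needs both lowercase and uppercase letters")
        if counts["digit"] == 0 and counts["special"] == 0:
            problems.append("letters must be combined with numbers and/or symbols")
        if weak:
            problems.append(f"contains a variant of the weak word '{weak}'")
        if pw in history:   # history = passwords used within the previous 500 days
            problems.append("reuses a password from the previous 500 days")
    elif tier == "privileged":
        if n < 12:
            problems.append("length must be at least 12 characters")
        if classes_present < 3:
            problems.append("needs at least three of the four character classes")
        if weak:   # the weak list stands in for a dictionary here (assumption)
            problems.append(f"based on the dictionary word '{weak}'")
        if history and pw == history[-1]:
            problems.append("cannot be set to its previous value")
    elif tier == "service":
        if n < 20:
            problems.append("length must be at least 20 characters")
        short = [name for name, v in counts.items() if v < 2]
        if short:
            problems.append("needs two characters from each class; short on "
                            + ", ".join(short))
    else:
        raise ValueError(f"unknown tier {tier!r}")
    return problems


if __name__ == "__main__":
    for candidate, tier in (("P@ssw0rdLoyola1", "network"),
                            ("correcthorsebattery", "privileged"),
                            ("aB3$eF6%hI9^kL2&nO5*", "service")):
        print(tier, candidate, check_password(candidate, tier) or "accepted")
```

The variant check is the part worth keeping even if the rest is replaced by a directory's own policy engine: without folding substitutions, "P@ssw0rdLoyola1" satisfies every length and class rule while being a trivial mutation of the two words the standard explicitly bans.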
High Security Accounts
All passwords used on systems that store, transmit or process Loyola Protected Data, per the Data Classification Policy, Protected Health Information (ePHI), and Payment Card Data (PCI) will conform to the following password requirements in addition to the Privileged Password requirements:
- Avoid using dictionary words, people’s names, usernames, special dates, or number sequences that can be easily guessed.
- The password will be changed every 90 days or if there is any suspicion the password could be compromised.
- New passwords may not be the same as the last four passwords.
- Accounts will be locked out for thirty minutes after six failed login attempts.
- First time passwords will be set to a unique value for each user. Passwords will be set to change immediately after first use.
- Authentication mechanisms are assigned to an individual account and not shared among multiple accounts.
- Physical and/or logical controls are defined to ensure only the intended account can use that mechanism to gain access.
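The lockout rule in the list above (six failed attempts, thirty-minute lock) is easy to get subtly wrong: the lock must be checked before the password is verified, and a correct password supplied during the lock must still be refused, otherwise the lockout gives an attacker nothing. The tracker below is an added example for this page, not code from Loyola's systems; the class name, the injectable clock, and the in-memory state are assumptions.

```python
from __future__ import annotations
import time
from collections import defaultdict
from typing import Callable

MAX_FAILURES = 6            # from the High Security Accounts standard
LOCKOUT_SECONDS = 30 * 60   # thirty minutes


class LockoutTracker:
    """In-memory lockout state for one authentication service (example only).

    clock is injectable so the thirty-minute window can be exercised without
    waiting; it must be monotonic. State here lives in one process: a real
    deployment keeps it in shared storage so an attacker cannot dodge the
    lock by spreading attempts across nodes.
    """

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        self._failures: dict[str, int] = defaultdict(int)
        self._locked_until: dict[str, float] = {}

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self._clock() >= until:
            # Lock expired: clear it and start a fresh failure count.
            del self._locked_until[account]
            self._failures[account] = 0
            return False
        return True

    def attempt(self, account: str, supplied: str,
                verify: Callable[[str], bool]) -> bool:
        """Process one login attempt; True means the login succeeds.

        The lock is checked before verify() runs, so a locked account is no
        oracle and a correct guess during the lockout is still refused. The
        caller should return the same generic error for "wrong password" and
        "locked" so the lock state is not leaked either.
        """
        if self.is_locked(account):
            return False
        if verify(supplied):
            self._failures[account] = 0
            return True
        self._failures[account] += 1
        if self._failures[account] >= MAX_FAILURES:
            self._locked_until[account] = self._clock() + LOCKOUT_SECONDS
        return False

    def failures(self, account: str) -> int:
        """Current consecutive-failure count for an account."""
        return self._failures[account]


if __name__ == "__main__":
    tracker = LockoutTracker()
    check = lambda p: p == "correct horse"      # stand-in for a real verifier
    for _ in range(MAX_FAILURES):
        tracker.attempt("alice", "wrong", check)
    print("locked:", tracker.is_locked("alice"))
    print("correct password while locked:", tracker.attempt("alice", "correct horse", check))
```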
Multi-Factor Authentication (MFA)
Increasingly, passwords are the weak link in protecting information and accounts. In addition to following the Password Standard, adding another layer of protection to accounts with 2-step/Multi-Factor authentication where available provides extra protection. This is an emerging requirement for accounts that provide access to restricted data and for privileged accounts and is required for access to the High Security Network which is only accessible using LSA (VPN).
Password Managers and Password Sharing
Password managers help generate unique and strong passwords, store them in one safe (encrypted) place, and use them while only requiring the user to remember one master password. The university supports the use of LastPass as a password manager, and it is approved for storing personal Loyola passwords. Loyola University Chicago prohibits sharing of personal passwords with anyone, including administrative assistants or IT administrators. Necessary exceptions may be allowed with the written consent of the University Information Security Office and must have a primary responsible contact person. Shared passwords used to protect network devices, shared folders or files require a designated individual to be responsible for the maintenance of those passwords, and that person will ensure that only appropriately authorized employees have access to the passwords. Internal sharing of administrative accounts must use the enterprise edition of LastPass.
Exceptions
Exceptions to this policy will be handled in accordance with the ITS Security Policy.
Review
This policy will be maintained in accordance with the ITS Security Policy.
Appendix
Documents Referenced
Definitions
Character Classes – There are four character classes available. The four classes are numbers, lowercase letters, uppercase letters, and special characters. Special characters are those characters that can be typed on a computer that do not fall into one of the other three classes.
LSA – The acronym for Loyola Secure Access which is the branded term for the university Virtual Private Network service (VPN).
Student Worker – A student worker is an individual who is enrolled in at least one class at Loyola, is hired in a position that is not eligible for benefits and works in a temporary capacity. This includes hourly employees and temporary part time (TPT) workers. This does not include permanent part time (PPT) workers or full-time employees (FTE).
Exception Example - If a system treats uppercase and lowercase characters as the same and does not accept special characters, it is impossible to create a privileged password that meets this standard. In this case, the password would have a length of at least twelve characters (matching the standard) and would contain both letters and numbers (2 classes, being as close to the standard of 3 as possible).
Mobile Device – a small computing device, typically small enough to be handheld (does not include laptops)
Multi-Factor Authentication (MFA) - a security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transactions typically using a PIN, a one-time password (OTP) sent to the requester's phone or email address, a digital certificate, a fingerprint, or hardware token.
History
April 20, 2007: Initial Policy
September 30, 2008: Added "High Security Accounts" standard
October 29, 2012: Annual Review for PCI Compliance
May 31, 2013: Added strict verbiage to cover the PCI environment
August 19, 2014: Annual Review for PCI Compliance, Modified Service Password Section, UISO
May 11, 2015: Annual Review for PCI Compliance
November 10, 2015: Changed Network Password section to align with current PSS system, removed mandatory erasure for mobile devices, UISO
April 15, 2016: Added definition for mobile device, Annual Review for PCI Compliance.
August 24, 2016: Added Multi-Factor Authentication section.
June 5, 2017: Annual Review for PCI Compliance
July 5, 2017: Modified High Security Accounts password requirements
June 14, 2018: Removed blackberry statement, annual review for PCI Compliance
March 28, 2019: Added changes for password standards for mobile devices to support the Mobile Device Policy
May 15, 2019: Grammatical corrections, added definition for LSA and annual review for PCI Compliance
July 1, 2020: Annual Review for PCI Compliance
April 22, 2021: Added notice for increased minimum password length
May 27, 2021: Annual Review for PCI Compliance
June 14, 2021: Added notice for change to password complexity
July 1, 2021: Changed password complexity section to include new requirements.
Author: UISO
Version: 1.11