Password Standard


Purpose

This standard exists to make passwords throughout UTRGV more secure and better able to withstand password-cracking attacks.

This standard applies to:

  1. All computing resources with access control that use a password for authentication.
  2. Any computer (physical or virtual) connecting to the UTRGV network through a wired, wireless, or VPN (virtual private network) connection.

It does not apply to system service accounts.

This standard applies to all users of computing and network resources owned or leased by UTRGV, including but not limited to all students, faculty, and staff.

5.1 Password Characteristics

5.1.1 Composed of case-sensitive letters and digits.

5.1.2 At least 10 characters in length.

5.1.3 Must meet three (3) out of the following:

Minimum 1 English uppercase letter.

Minimum 1 English lowercase letter.

Minimum 1 digit (0-9).

Minimum 1 special character.

Special characters allowed: `~!#$^()_+-={}|[]\:;>?,./

For example: S+r0ngP4ssw)rd

5.2 Invalid Password Information

5.2.1 Must not include personal information such as your first or last name, phone number, social security number, date of birth, or address.

5.2.2 Must not contain words found in a dictionary (English or foreign language), acronyms, or popular phrases.

5.2.3 Must not contain the user's account name or respective UTRGV ID (student or employee) number.

5.2.4 Must not be a previously used password.
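The checker below is an added example, not part of the standard or any UTRGV tooling; it shows how clauses 5.1.1 through 5.2.3 could be enforced at password-set time and reports which clause a candidate violates. It assumes that 5.1.1 together with the allowed-specials list means any other character is rejected, that dictionary words shorter than four letters are ignored, and that the caller supplies the personal data and word list; 5.2.4 is left out because it needs the account's stored password history.

```python
import string

# Special characters copied verbatim from the standard's "allowed" list.
ALLOWED_SPECIALS = set("`~!#$^()_+-={}|[]\\:;>?,./")
MIN_LENGTH = 10        # clause 5.1.2
MIN_CLASSES = 3        # clause 5.1.3: three of the four character classes
MIN_WORD_LEN = 4       # assumption: shorter dictionary words are not matched


def check_password(password, account_name, utrgv_id, personal=(), wordlist=()):
    """Return the clause numbers the candidate violates (empty list = compliant)."""
    violations = []
    # Assumption: only ASCII letters, digits and the listed specials are valid.
    allowed = set(string.ascii_letters + string.digits) | ALLOWED_SPECIALS
    if any(ch not in allowed for ch in password):
        violations.append("5.1.1")
    if len(password) < MIN_LENGTH:
        violations.append("5.1.2")
    classes = [
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c in ALLOWED_SPECIALS for c in password),
    ]
    if sum(classes) < MIN_CLASSES:
        violations.append("5.1.3")
    # Substring checks are case-insensitive so "JDoe01" still matches "jdoe01".
    folded = password.casefold()
    if any(p and p.casefold() in folded for p in personal):
        violations.append("5.2.1")
    if any(len(w) >= MIN_WORD_LEN and w.casefold() in folded for w in wordlist):
        violations.append("5.2.2")
    if any(t and t.casefold() in folded for t in (account_name, utrgv_id)):
        violations.append("5.2.3")
    return violations


if __name__ == "__main__":
    # Constructed sample account data and word list, for illustration only.
    words = ("password", "strong", "winter")
    for candidate in ("S+r0ngP4ssw)rd", "short1A", "Jdoe01-Winter2024"):
        result = check_password(candidate, "jdoe01", "20123456",
                                personal=("Jane", "Doe"), wordlist=words)
        print(candidate, "->", result or "compliant")
```

The substring checks only catch literal matches; character substitutions such as the ones in the standard's own example pass the dictionary test.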

5.3 Password Change Frequency

5.3.1 All passwords must be changed at least once a year.

6.1 Information Security Office

Defines and maintains this standard at a level that specifies the necessary practices to protect all computing resources using passwords for authentication.

6.2 End-User

Ensures that all of the accounts they use to access UTRGV resources meet this standard.

If any of the requirements outlined within this standard cannot be met on applicable information resources you use or support, the Security Exception Process must be followed to address any associated risks until the standard can be met.

Any devices that do not adhere to this standard may lose access to UTRGV resources.

Non-compliance with this standard may result in the notification of supervisors and may be subject to disciplinary action in accordance with applicable UTRGV rules and policies.

Revision History Table
Version  Date            New
1.0      September 2019  Web Page Created