Fayetteville Policies and Procedures 219.4
Secure Passwords and Passphrases
Passwords and passphrases are the primary means of protecting access to computer systems and data. It is essential that users maintain strong passwords and passphrases and use them in a manner that prevents the compromise of any university accounts, systems or other resources.
The University of Arkansas complies with the latest federal guidelines concerning password creation and protection developed and approved for the federal government by the National Institute of Standards and Technology or NIST.
The NIST Digital Identity Guidelines policy allows for the use of passphrases and passwords. It does not require that passwords be changed unless needed due to a network security breach or compromise or as may be required by an operational need of the university or any of its departments.
This policy applies to all passwords and other authentication methods used at the university.
Requirements for creating and using strong passwords
- Must contain a mixture of letters, numbers and special characters
- Must be a minimum of 8 characters and a maximum of 40 characters
- Cannot be reused until after four subsequent password or passphrase changes
- Cannot be any derivative of a user’s username
- Must not be shared with other people such as campus IT professionals, administrators, or supervisors.
Passphrase is similar to a password in practice, but a passphrase is usually constructed of multiple words containing a mixture of letters, numbers and special characters.
Guidelines for protecting passwords
- Users should not write down passwords or save them in any unsecured places, such as inside an unlocked desk.
- If a user prefers to rely on a password storage site for managing access to university accounts, they should contact their department’s IT director or the IT security group for assistance in selecting an appropriate service.
- Passwords must be kept in a safe location to prevent theft
Certain situations may require password protocols which differ from the standard circumstances described above. In all of these cases, contact the chief information security officer to ensure compliance with all password security obligations before proceeding. Possible exceptions include:
- Contract obligations for projects and/or research
- Access to older computers and network systems
- Regulatory compliance with certain laws and subject matters
Approved February 8, 2019