Scope: Who is covered by this standard?
All passwords used to access University-owned or -licensed devices, systems, services, or data. These requirements include responsibilities for end-users, procedural controls, and configurations for application and service implementations.
Rationale
Passwords remain a primary mechanism for authentication to many applications, systems, devices, and files, yet continue to be a weak point in cybersecurity protections. The following requirements are made to reduce the risks posed from weak, reused, and improperly stored and shared passwords.
Definitions
- User account: an account associated with and assigned to an individual person
- Entity account: "entity account" is a Miami-specific term and account type which refers to an account that does not directly correspond to an individual and is often shared by a number of people, such as a department, team, or student organization
- Service account: an account used for non-interactive purposes, such as providing access to a service, running jobs with secure access, or owning and running applications.
- Multi-Factor Authentication (MFA): an authentication method requiring more than one piece of evidence to validate an identity, typically two of the following - something a person knows (e.g. a password or PIN), something a person has (e.g. a token, key, or device), something a person is (e.g. a biometric such as a fingerprint or face)
- Security Assertion Markup Language (SAML): an open standard for exchanging authentication and authorization data between an identity provider and a service provider.
- Passphrase: similar to a password in function, but typically longer and composed of a sequence of words that form a phrase and often do not require special characters and numbers due to the increase in length
- Passwordless Authentication: a method of authentication that does not require a user to provide a password or other knowledge-based secret. Often utilizes a registered device or token as the means of providing secure proof of identity
- ISO's Data Classification Schema: Miami's Information Security Office (ISO) considers "sensitive" information to include any non-public information and further differentiates kinds of sensitive information as follows:
- Restricted - data that if compromised or accessed without authorization could lead to criminal charges, significant legal penalties, and/or irreparable harm to the University
- Examples include, but are not limited to, Credit Card Information (PCI-DSS), Electronic Protected Health Information (ePHI / HIPAA), Personally Identifiable Information, Export Controlled or Human Subject Research, Student Financial Aid Information
- Confidential - data which requires protection of its confidentiality and specific authorization for access, but would not result in significant legal penalties or more than moderate harm to the University should it become compromised
- Examples include, but are not limited to, Student Grades and Class Schedules, Intellectual Property, Controlled Unclassified Information (CUI) Research Data, Financial Account Information, Personnel Records
- Internal-Only - data that is only accessible internally to those granted access, but is not otherwise regulated or confidential
- Examples include, but are not limited to, Internal Memos, Exams and Course materials, Business Plans
- Public - data that is freely accessible to the public
Standards
If any password that can be used to access sensitive information is discovered to have been compromised or inappropriately exposed, it must be reported to the Information Security Office at infosec@miamioh.edu or IT Help at (513) 529-7900.
User account passwords
- Must be at least 16 characters in length and contain at least one uppercase letter and one lowercase letter (numbers and special characters may also be used)
- Must not be a password the user has previously used for the account or knowingly used elsewhere
- Must be changed at least every 5 years
- Must be changed within 24 hours after being informed of a compromise, breach, or exposure of the password or of its hash
- Must not be known by anyone other than the account holder
- Must be stored in a secure manner. Insecure password storage includes storing on paper without physical protections, storing in unencrypted files, and storing in web browsers or applications. Password managers, either cloud-based or host-based, are considered secure
Entity account passwords
- Must be at least 16 characters in length and contain at least one uppercase letter and one lowercase letter (numbers and special characters may also be used)
- Must not be a password previously used for the account or knowingly used elsewhere
- Must be changed within 24 hours after being informed of a compromise, breach, or exposure of the password or of its hash
- Must be stored in a secure manner. Insecure password storage includes storing on paper without physical protections, storing in unencrypted files, and storing in web browsers or applications. Password managers, either cloud-based or host-based, are considered secure
Service account passwords
- Must be at least 20 characters in length
- Must contain at least one character from each of the following character classes: upper and lower case letters, numbers, and special characters
- Must not be a password knowingly used previously for the account or elsewhere
- Must be changed within 24 hours after being informed of a compromise, breach, or exposure of the password or of its hash
- Must only be shared with those individuals who have a business need to access the resources protected by the password
- Must be stored and shared in a secure manner. Insecure password storage and sharing includes on paper without physical protections, in unencrypted files, and in web browsers or applications. Password managers and secure file transfer solutions are considered secure
- Must not be hard-coded into applications, scripts, or tools
Root / Administrator / Enable and Elevated Privilege passwords
- Must be either:
- A password of at least 14 characters in length and composed of uppercase and lowercase letters, numbers, and special characters (at least one character from each class)
- A passphrase of at least 16 characters in length and composed of uppercase and lowercase letters
- Must be unique to a purpose, task, or set of work and to the group sharing access to the password, and must not have been knowingly used previously for the account
- For example, the same password may be used for the administrator account on a set of classroom lab machines, or a set of encrypted files for a set of work shared amongst the same people
- Must be changed within 24 hours after being informed of a compromise, breach, or exposure of the password or of its hash
- Where possible, manage access to the password via a Privileged Access Management solution
- Elevated privilege accounts assigned to an individual must not be shared with anyone other than the account holder
- Root / Administrator passwords must only be shared with those individuals who have a business need to access the account or resource
- Must be stored in a secure manner. Insecure password storage includes storing on paper without physical protections, storing in unencrypted files, and storing in web browsers or applications. Password managers, either cloud-based or host-based, are considered secure
Mobile device passwords
- Must be at least 6 digits in length. Where possible, longer alphanumeric passphrases are recommended
- Must be changed within 24 hours after being informed of a compromise, breach, or exposure
- Must only be shared with those individuals who have a business need to access the resources protected by the password
- Must be stored and shared in a secure manner. Insecure password storage and sharing includes on paper without physical protections, in unencrypted files, and in web browsers or applications. Password managers and secure file transfer solutions are considered secure
- Vendor 'default' passwords must be changed as soon as possible
Other passwords
Any password which does not fall within the types listed above, including but not limited to passwords for devices, BIOS / firmware, IPMI and similar remote access interfaces, security cameras, printers, IoT devices, SSH keys, file encryption keys, public encryption keys, temporary / short-lived, testing, or coursework, must abide by the following requirements depending on the data classification of what the password provides access to:
- Restricted or Confidential
- Must be at least 16 characters in length
- Must contain uppercase and lowercase letters, numbers, and special characters
- Must be unique to a purpose, task, or set of work and to the group sharing access to the password, and must not have been knowingly used previously for the account
- For example, the same password may be used for the administrator account on a set of classroom lab machines, or a set of encrypted files for a set of work shared amongst the same people
- Must be changed within 24 hours after being informed of a compromise, breach, or exposure of the password or of its hash
- Must only be shared with those individuals who have a business need to access the resources protected by the password
- Must be stored and shared in a secure manner. Insecure password storage and sharing includes on paper without physical protections, in unencrypted files, and in web browsers or applications. Password managers and secure file transfer solutions are considered secure
- Vendor 'default' passwords must be changed as soon as possible
- Internal-only
- Must be at least 11 characters in length
- Must contain uppercase and lowercase letters, numbers, and special characters
- Must be unique to a purpose, task, or set of work and to the group sharing access to the password, and must not have been knowingly used previously for the account
- For example, the same password may be used for the administrator account on a set of classroom lab machines, or a set of encrypted files for a set of work shared amongst the same people
- Must be changed within 24 hours after being informed of a compromise, breach, or exposure of the password or of its hash
- Must be stored and shared in a secure manner. Insecure password storage and sharing includes on paper without physical protections, in unencrypted files, and in web browsers or applications. Password managers and secure file transfer solutions are considered secure
- Vendor 'default' passwords must be changed as soon as possible
- Public
- Must not be a password knowingly used for access to data of a higher sensitivity level
Additional application / system configuration and process requirements
In addition to the user requirements above that can be enforced by application and system configurations, the following are also required:
- Where possible, enforce MFA
- Where possible, must not have a 'default' password
- Where possible, password creation or modification must not permit a known-used password (e.g. one involved in a publicly disclosed breach, such as those found in rockyou.txt)
- Non-self-service password changes or resets must validate the requestor's identity to match the account holder or owner before a change or reset
- SAML tokens and other session / authentication tokens must expire within 24 hours
- SAML tokens and other session / authentication tokens must be capable of being invalidated on demand
- Where possible, repeated failed authentication attempts within a short period of time should result in a temporary or full lockout
- "Remember Me" options for additional factors must expire within 2 weeks
- "Remember Me" options must be capable of being invalidated on demand
- Where possible, systems must allow paste functionality on password entry to facilitate the use of password managers
- If a password is discovered to have been compromised or inappropriately exposed, it must be reported to the Information Security Office (infosec@miamioh.edu, IT Help: (513) 529-7900)
Additional recommendations
- In general, the longer the password the better
- Where possible, use SSH keys in place of passwords
- Where possible, use password-less authentication methods
- Avoid repetitive or sequential characters (e.g. aaaabbbbcccc or 123456abcdef)
- Avoid context-specific words, such as the name of the service, the username and / or derivatives thereof
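As an added example (not part of this standard), the following Python checker encodes the per-account-type length and character-class rules from the Standards section, the known-breached-password check from the configuration requirements, and the repetitive/sequential-character and context-specific-word recommendations above. The breach corpus, the account-type names, and the sample passwords are constructed for the example; a real deployment would check against a full breach corpus or a range-lookup API rather than the four entries embedded here.

```python
"""Password policy checker for the account types in this standard.

Added example, not the University's own tooling.  Account-type keys and the
breach corpus are constructed for illustration.
"""
import hashlib

# (minimum length, required character classes) per account type.  A type with
# several tuples is satisfied when any one alternative is met, which models the
# Root/Administrator "password of 14 with all classes OR passphrase of 16" rule.
# "mobile" requires only the 6-character minimum.
RULES = {
    "user":             [(16, {"upper", "lower"})],
    "entity":           [(16, {"upper", "lower"})],
    "service":          [(20, {"upper", "lower", "digit", "special"})],
    "admin":            [(14, {"upper", "lower", "digit", "special"}),
                         (16, {"upper", "lower"})],
    "other_restricted": [(16, {"upper", "lower", "digit", "special"})],
    "other_internal":   [(11, {"upper", "lower", "digit", "special"})],
    "mobile":           [(6, set())],
}


def _classes(pw):
    """Return the set of character classes present in pw."""
    present = set()
    for ch in pw:
        if ch.isupper():
            present.add("upper")
        elif ch.islower():
            present.add("lower")
        elif ch.isdigit():
            present.add("digit")
        else:
            present.add("special")
    return present


def _sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus, indexed the way a k-anonymity range lookup is:
# 5-hex-char SHA-1 prefix -> set of the remaining 35-hex-char suffixes.
_CONSTRUCTED_BREACHED = ["password", "rockyou", "Password123!", "letmein"]
BREACH_RANGES = {}
for _pw in _CONSTRUCTED_BREACHED:
    _h = _sha1_hex(_pw)
    BREACH_RANGES.setdefault(_h[:5], set()).add(_h[5:])


def is_breached(pw):
    """True if pw is in the constructed breach corpus.  Only the 5-char prefix
    is used as the lookup key, mirroring a range query that never sends the
    full hash to a remote service."""
    h = _sha1_hex(pw)
    return h[5:] in BREACH_RANGES.get(h[:5], set())


def has_run(pw, run=4):
    """Detect a window of `run` chars that are all identical or strictly
    consecutive (ascending or descending), e.g. 'aaaa', '1234', 'dcba'."""
    for i in range(len(pw) - run + 1):
        codes = [ord(c) for c in pw[i:i + run]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def contains_context(pw, context_words):
    """True if pw contains a context word (username, service name) or its
    reverse, case-insensitively.  Words shorter than 3 chars are ignored."""
    low = pw.lower()
    for word in context_words:
        word = word.lower()
        if len(word) >= 3 and (word in low or word[::-1] in low):
            return True
    return False


def check_password(pw, account_type, context_words=(), strict=True):
    """Return a list of violations; an empty list means compliant.
    strict=True also reports the recommendations (runs, context words)."""
    violations = []
    present = _classes(pw)
    if not any(len(pw) >= n and req <= present for n, req in RULES[account_type]):
        violations.append(f"fails length/character-class rule for {account_type}")
    if is_breached(pw):
        violations.append("appears in breach corpus")
    if strict:
        if has_run(pw):
            violations.append("contains repetitive or sequential characters")
        if contains_context(pw, context_words):
            violations.append("contains a context-specific word")
    return violations


if __name__ == "__main__":
    for pw, kind, ctx in [("CorrectHorseBatteryStaple", "user", ()),
                          ("password", "user", ()),
                          ("Admin-Lab-2024-Rm101!", "admin", ["admin"]),
                          ("123456", "mobile", ())]:
        print(f"{kind:7} {pw!r}: {check_password(pw, kind, ctx) or 'OK'}")
```

The breach lookup is keyed by hash prefix so the same structure can back a local corpus today and a range-lookup API later without changing the caller; the run detector is a heuristic and will occasionally flag natural words, so it is reported only under `strict`.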
Exceptions
Any exceptions to this standard require approval from the Information Security Office before they can be implemented. All exceptions will be reviewed every 12 months to ensure they are still appropriate and necessary.
Appendix
Related policies and standards:
Standard Administration
Next Review Date
Responsible Officer
- Vice President for Information Technology & Chief Information Officer
Contact
- Assistant VP for IT Services Security, Compliance, and Risk Management
Approval(s) and Date(s)
- Initial Approval: 25 July 2023