Loyola University Chicago

- Navigation -

Loyola University Chicago

Information Technology Services

Password Standards

Password Standard Policy

Scope

These standards cover the minimum password requirements for all electronic devices owned or leased by Loyola that can be protected by a password.

Purpose

To ensure that all electronic devices are secured by a password of a certain complexity. And to ensure that more sensitive devices have more complicated passwords.

Standards

Network Passwords - All network passwords will be at least eight characters long. All network passwords are required to contain at least two characters and at least two numbers. All network passwords are required to be changed every 180 days. When a network password is changed, it cannot be set to any of its previous 10 values.

Privileged Passwords - All passwords for accounts which have additional privileges beyond a normal user must be at least eight characters long and contain at least three character classes (definition in appendix). All privileged passwords are required to be changed every 180 days. No privileged passwords can be based on a word that is found in a dictionary. When a privileged password is changed, it cannot be set to its previous value. Privileged passwords cannot be provided to student workers.

Non-network Passwords - All devices which do not use the network to authenticate users must follow the same password standards as listed under network passwords. Operating systems which store password history must store the previous 10 passwords. Operating systems which do not store password history must ensure that the new password is different than the previous password.

Mobile device Passwords - All mobile devices used to access Loyola email or other Loyola resources must follow the same password standards as listed under network passwords. If the mobile device cannot be configured to confirm that the password meets those standards, then the user of the mobile device is responsible for choosing an appropriate password. Mobile devices must be configured to automatically erase themselves if an incorrect password is entered 10 times in a row.

Service Passwords - All passwords used to allow servers to communicate with one another in an automated fashion require stronger passwords as they are infrequently changed. They must be at least 20 characters long, and contain at least 2 characters from each of the 4 character classes. Service passwords cannot be provided to student workers.  Service account passwords must be changed whenever the administrator responsible for the account leaves the organization or changes roles.

High Security Accounts - All passwords used on systems that store, transmit or process Loyola Protected Data, per the Data Classification Policy, and Payment Card Data (PCI) will conform to the following additional password requirements:

Exceptions

Exceptions to this policy will be handled in accordance with the ITS Security Policy.

Review

This policy will be maintained in accordance with the ITS Security Policy.

Appendix

Documents Referenced

Data Classification Policy

ITS Security Policy

Definitions

Character Classes – There are four character classes available. The four classes are numbers, lowercase letters, uppercase letters, and special characters. Special characters are those characters that can be typed on a computer that do not fall into one of the other three classes.

Student Worker – A student worker is an individual who is enrolled in at least one class at Loyola, is hired in a position that is not eligible for benefits, and works in a temporary capacity. This includes hourly employees and temporary part time (TPT) workers. This does not include permanent part time (PPT) workers or full time employees (FTE).

Exception Example -  If a system treats uppercase and lowercase characters as the same, and does not accept special characters, it is impossible to create a privileged password using our standards. In this case, the password would have a length of eight characters (matching the standard) and would contain both characters and numbers (2 classes being as close to the standard of 3 as possible).

Known systems that require exceptions:

Blackberry mobile devices – Minimum length can be checked, password complexity cannot. Password requirements will be communicated to the end user.

History and Updates

April 20, 2007: Initial Policy
September 30, 2008: Added "High Security Accounts" standard
October 29, 2012: Annual Review for PCI Compliance
May 31, 2013: Added strict verbiage to cover the PCI environment
August 19, 2014: Annual Review for PCI Compliance, Modified Service Password Section, UISO
Author: UISO
Version: 1.4
 
 
PDF FILE DOWNLOAD

Loyola

Information Technology Services
1032 W. Sheridan Ave. · Chicago, IL 60660 · 773.508-4ITS

InfoServices@luc.edu

Notice of Non-discriminatory Policy