UH Secure Passwords Practices
- Password policy version: 12/27/2021
- Password policy implementation date: 12/27/2021 06:30 AM
- Password policy: password strength
- Passwords must be a minimum of eight characters and a maximum of 32 characters long.
- Passwords must contain at least one lowercase, one uppercase, one number, and one special character (see reference).
- Passwords must not be obvious (e.g. not a dictionary word or combination of words, your name, your UH Username, etc.).
- The owner shall be required to change temporary passwords at the first logon or within 7 days.
- Password policy: disallowed passwords
- Passwords previously associated with your UH Username are not allowed for a second time.
- Passwords previously published in data breaches are not allowed.
- Password policy: personal responsibilities
- Passwords shall be kept confidential at all times.
- Passwords shall not be used in any unsecured automated logon process.
- Passwords shall be changed as soon as possible if there is an indication of possible system or password compromise.
- Password policy: password administration
- Require strong passwords for all UH Usernames. As of this policy's effective date, strong passwords will be required for all new passwords and all password resets.
- Require as part of the password reset process a confirmation that the owner understands and agrees to the applicable policies governing usage.
- Provide guidelines for creating strong, yet easily remembered passwords: Password Selection Guidelines.
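The password strength and disallowed-password rules above, implemented as an added example validator (this is not UH's own code). The breach list, the per-user password history, the small dictionary and the special-character set are constructed sample data, and treating "not obvious" as "does not contain the username or a name part, and is not a sequence of dictionary words" is an assumed interpretation of the rule.

```python
import re
from typing import Iterable

# Constructed sample data (not from the policy page): a tiny breach corpus,
# one user's password history and a stand-in dictionary.
BREACHED_PASSWORDS = {"Password1!", "Welcome2021!", "Summer2020$"}
PASSWORD_HISTORY = {"jdoe": {"Aloha#2019x", "Rainbow!42"}}
DICTIONARY = {"password", "welcome", "aloha", "rainbow", "summer", "manoa", "surf"}

MIN_LEN, MAX_LEN = 8, 32
SPECIAL = set(r"""!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~""")  # assumption: ASCII punctuation


def _is_word_sequence(letters: str, words: set) -> bool:
    """True if `letters` splits entirely into dictionary words (e.g. 'alohasurf')."""
    n = len(letters)
    ok = [True] + [False] * n          # ok[i]: letters[:i] splits into words
    for i in range(1, n + 1):
        for j in range(i):
            if ok[j] and letters[j:i] in words:
                ok[i] = True
                break
    return n > 0 and ok[n]


def check_password(candidate: str, username: str, full_name: str = "",
                   history: Iterable[str] = (), breached: Iterable[str] = ()) -> list:
    """Return the policy rules the candidate violates (an empty list means acceptable)."""
    problems = []
    # Password strength: length and the four character classes
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not any(c.islower() for c in candidate):
        problems.append("needs a lowercase letter")
    if not any(c.isupper() for c in candidate):
        problems.append("needs an uppercase letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("needs a number")
    if not any(c in SPECIAL for c in candidate):
        problems.append("needs a special character")

    # "Not obvious": username, name parts, dictionary word or combination of words
    lowered = candidate.lower()
    if username and username.lower() in lowered:
        problems.append("must not contain your username")
    for part in full_name.lower().split():
        if len(part) >= 3 and part in lowered:
            problems.append("must not contain your name")
            break
    letters = re.sub(r"[^a-z]", "", lowered)   # judge only the alphabetic core
    if _is_word_sequence(letters, DICTIONARY):
        problems.append("must not be a dictionary word or combination of words")

    # Disallowed passwords: previously used with this username, or published in a breach
    if candidate in set(history):
        problems.append("was used before with this username")
    if candidate in set(breached):
        problems.append("appears in a published data breach")
    return problems


if __name__ == "__main__":
    for pw in ("Aloha#2019x", "Summer2020$", "AlohaSurf42!", "Kr7$vmQ2pLx!"):
        verdict = check_password(pw, "jdoe", "Jane Doe",
                                 PASSWORD_HISTORY["jdoe"], BREACHED_PASSWORDS)
        print(pw, "->", verdict or "OK")
```

The validator returns every violated rule rather than stopping at the first one, so the reset form can show the owner all of the reasons at once; the history and breach comparisons are exact-match here, and a production system would hold the history as salted hashes and consult a full breach corpus.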
Recommendation
- Use of multi-factor authentication (MFA) to protect your UH credentials (username and password) is highly recommended (more information).
Questions and Answers
- Question: why do we need stronger passwords? They are harder to create and remember.
- They are much more secure and do a much better job of protecting your privacy. The UH ITS Security office has seen a number of UH Username compromises. Weak passwords are one of the reasons why UH Usernames get compromised. There is an abundance of software on the internet designed to probe our services and test for weak passwords. Additionally, the University has joined the InCommon Federation so that members of the UH community may access additional resources with their UH credentials (UH Username and password). The InCommon Federation provides operational guidelines specifying, among other things, strong passwords.
- Question: do passwords expire? Are we going to have to change our passwords periodically?
- No. At this time passwords are not aged and do not expire.
- Question: I already have a strong password. Will I have to change it when the new policy is implemented?
- Not at this time. At some point in the future you may be required to change your password so that we have recorded the fact that you have created a strong password.
- Question: If I change my password now, will it have to be one of the new, strong passwords?
- Yes. Once this policy is in effect (see effective date above), all new and newly changed passwords will adhere to the strong-password rules.
- Question: Why are some passwords disallowed?
- Known passwords are disallowed to address two issues. The first is attacks that apply a list of known compromised passwords against a set of usernames to see if a working combination can be found. This attack has earned its own name, the "credential stuffing attack." The second is the known (bad) practice where individuals use one password for more than one account, for example, for both school and social accounts. A compromise that reveals the password in one place allows the password to be used for attacking similarly named accounts elsewhere.