
Policy Information

Date Established: 4/29/2008
Date Last Revised: 5/25/2021
Category: Information Technology
Responsible Office: Information Security Office
Responsible Executive: Vice President and Chief Information Officer

UBITName Password Policy

Summary

Compromised digital credentials can adversely affect the confidentiality and integrity of university information technology systems and information. Therefore, UBITName account holders are required to create strong passwords and protect the privacy of their password.

Policy Statement

The University at Buffalo (UB, university) is committed to ensuring the confidentiality, integrity, and availability of its online information technology (IT) resources and information systems. Digital credentials are a fundamental component of the university's approach to information security. A UBIT digital credential is composed of a UBITName and its associated password. UBITName account holders must create strong passwords and protect password privacy to prevent and minimize compromised digital credentials.

A UBIT digital credential:

  • Is classified as Category 1 - Restricted Data
  • Must not be shared or disclosed
  • Must be protected from unauthorized use
  • For a group account, the digital credential may be shared or disclosed only with those who are authorized to access the group account

UBIT passwords must be:

Sanctions

Violators of this policy will be subject to the existing student or employee disciplinary procedures of the university. Sanctions may include loss of computing privileges. Illegal acts involving UB computing resources may also subject users to prosecution by state and federal authorities.

Background

This policy establishes minimum standards for UBITName passwords. This policy applies individual accountability to the protection of university passwords.

UB relies on a digital credential to validate a person’s identity. This process enables authorized individuals to access online IT resources and information systems. A digital credential constitutes a first line of defense in protecting access to online IT resources and information systems.

Technical protective measures in response to violations of this policy, detection of UBIT digital credential compromise, or password exposure may include suspension, password-reset, disabling UBITNames, de-registration or removal from wired and wireless network access, and loss of access to systems or file shares with little or no notice. Reactivation or reinstatement may require coordination with the UBIT Help Center.

Applicability

This policy applies to all individuals with customer accounts and system accounts in any university IT system capable of interfacing with university authentication systems.

Definitions

Password

Consists of a string of letters, numbers, punctuation, spaces, and other characters. The terms password and passphrase are often used interchangeably.

UBIT Digital Credential

Composed of both a UBITName and its associated password. A UBIT digital credential is classified as Category 1 - Restricted Data.

  • Is used to partially or fully validate (authenticate) identity in order to access online IT resources and information systems
  • Provides full identity validation (authentication) for IT systems that do not require multi-factor authentication
  • Used in conjunction with an additional factor, is required for full identity validation (authentication) for IT systems requiring multi-factor authentication

UBITName

University username used to log into a variety of campus services that require authentication or identity verification.

Responsibility

Information Security Officer

  • Review compliance as specified in this policy on a periodic basis.

UBITName Account Holders

  • Maintain a secure and complex university password in accordance with the guidance to Create a Secure UBITName and Password or Passphrase.
  • Monitor activities performed with their UBITName and password.
  • Do not share passwords.

Vice President and Chief Information Officer

  • Oversee the implementation of information security and privacy policies.

Contact Information

Contact An Expert
Contact | Phone | Email
Information Security Office | 716-645-6997 | sec-office@buffalo.edu
Vice President and Chief Information Officer | 716-645-7979 | cio@buffalo.edu
UBIT Help Center | 716-645-3542 | ubithelp@buffalo.edu

Related Information

University Links

History

Policy Revision History
May 2021: Full review. Updated the policy to:

  • Revise the following:
      ◦ Policy Statement
          - State the university's commitment to ensuring the confidentiality, integrity, and availability of its online information technology (IT) resources and information systems
          - State the requirements of UBIT digital credentials and passwords
          - Include a reference to creating a secure UBITName password or passphrase
      ◦ Background section
          - Include examples of protective or corrective measures
  • Remove the following sections:
      ◦ Password Strength Requirements
      ◦ Password Refresh (Aging)
      ◦ System Requirements
  • Add the following sections:
      ◦ Sanctions
      ◦ Definitions
      ◦ Responsibility

Presidential Approval

Signed by President Satish K. Tripathi

Satish K. Tripathi, President

Date: 5/25/2021