Date Established: 4/29/2008
Date Last Revised: 11/1/2013
Category: Information Technology
Responsible Office: Enterprise Infrastructure Services
Responsible Executive: Chief Information Officer
University at Buffalo (UB) relies upon the use of university-provided digital credentials – for example, your UBITName and password – to provide authentication for access to UB online IT resources and information. Passwords constitute a first line of defense in protecting access to university information and information systems. Any compromise of authentication credentials used by the university community impacts the confidentiality and integrity of university IT systems and information. Users are required to create strong passwords and to secure and protect their university passwords.
Individual Accountability: All users of university systems are individually assigned a user-id (i.e., UBITName) and password for the purpose of accessing UB online systems. In accordance with UB “acceptable use policies,” users are individually accountable for activities performed with their user-ids and passwords. Passwords may not be shared with anyone, including with administrative assistants or secretaries. UB passwords are considered to be Category 1 - Restricted Data.
Password Security: Passwords for UB systems should not be identical to those used for personal or non-UB online accounts; a password reused elsewhere is only as safe as the weakest site that stores it.
Password Strength Requirements: User and system passwords shall be constructed with strength and complexity that minimize the likelihood of successful password guessing or brute force attacks. Passwords with strength and complexity must have the following characteristics:
Good passwords must be easy for you to remember. To create passwords that can be easily remembered, use as a basis something you know well, such as a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation. Do not use the example passwords shown here; any password published in a document like this one should be assumed to be in attackers' guessing lists.
Password Refresh (Aging): Passwords shall be refreshed periodically to reduce the impact of disclosure due to undetected theft of passwords. The refresh interval depends on the risk to the information being managed, processed, or stored; passwords protecting higher-risk information must be changed more frequently. If the account credentials of a user or system are suspected to have been disclosed or otherwise compromised, the user shall take immediate steps to change and protect the password.
Systems that do not use UBITNames for authentication or authorization, and that are not tied to an automated process for disabling user-ids after separation from the university, should be reviewed for possible inclusion in the UBITName system or have some form of automatic account disablement implemented.
At a minimum, monthly reviews of access should be performed for all systems handling sensitive data, regardless of their authentication method.
The purpose of this policy is to establish minimum standards for the protection, complexity, and refresh interval of university passwords. This policy applies the principles of individual accountability and least privilege.
This policy applies to all users who have user or system accounts in any IT systems that interface with UB authentication systems.
Contact: Information Security Officer (firstname.lastname@example.org)