Skip to content. | Skip to navigation

Personal tools
You are here: Home Policies and Standards InfoSec Policies & Standards ISO PS008 Passwords

ISO PS008 Passwords

Policies and Standards
ISO PS008 Passwords
[Previous]  [Next]  [Policy Home]

Policy Name: Passwords
Policy Number: IS PS008
Effective Date: July 23, 2007
Review Date: January 29, 2013
Last Revision Date: January 29, 2013
Last Revision By: Kim Adams
Contact Name: Matthew H. Witten
Contact Email:
Approved By: Compliance Oversight Council
Version: 1.3



All computer accounts must be password protected to help maintain the confidentiality and integrity of electronic data as well as to help protect the University's computing resources and infrastructure. This policy establishes a minimum standard for creation of strong passwords, the protection of those passwords, and the frequency of change.



Administrative Standards:


  • Passwords to university accounts and devices must be kept confidential. 
  • To preserve account integrity, the owner of the account should be the only person with knowledge of the password. 
  • No user is required to share a university account password with another individual; including but not limited to managers, co-workers, or technical staff.
  • Passwords that have been or suspected to have been compromised must be changed immediately.

UofL Network and/or Enterprise Software Accounts
(In addition to the general standard above, these standards apply to UofL network and enterprise software accounts)

  • Account holders should set up their challenge questions to facilitate self-service password resets (go to ULink).
  • Notification of password expiration will be provided to account holders 30 days in advance of the password expiration and three additional times: 15, five, and one day before expiration.
  • Passwords used for shared accounts should be changed immediately if compromised or when a holder transfers or leaves the university.
  • Passwords allowing for temporary access to production environments for problem resolution should be changed immediately following use.
  • Initial access passwords should be changed immediately upon login.
  • Passwords or pass phrases should be encrypted and not stored in clear text.

Technical Standards:


  • Passwords should expire every 90 days.
  • Passwords to systems containing sensitive information, including electronic Protected Health Information (ePHI) must expire no less often than every 90 days.
  • Passwords should be at least 8 positions in length.
  • Passwords to systems containing sensitive information, including ePHI must be at least 8 positions in length.
  • Strong passwords should be used. A strong password will include a combination of:
    • Alphabetic
    • Combination of both upper and lower case: A to Z and a to z
    • Numeric: 0 to 9
    • Special Characters such as: ~!@#$%^*( )+=[ ] { } ?, etc.  Please Note: The special characters not allowed are  > < ; and &
  • Passwords to systems containing sensitive information, including ePHI, must require at least three or the four criteria specified immediately above.
  • Passwords should not consist solely of personal information or words found in a dictionary (any language). Ideally, this information should not be used. If used, the use of at least two of the three types of strong password characters noted above as part of the password is required.
  • Password use and security can be facilitated using the password hint web site. For more information go to ULink and see the "Password Self Service" section.
  • Password history must be securely maintained and passwords not repeated for a period of 24 months or equivalent iterations.
  • Access accounts will be locked after 6 consecutive unsuccessful login attempts.

UofL Network and/or Enterprise Software Accounts
(In addition to the general standards above, these standards apply to UofL network and enterprise software accounts)

  • Expiring passwords should be used for privileged accounts wherever feasible.
  • Passwords (individual and shared accounts) should expire every 90 days and meet the sensitive information complexity requirements.
  • Software that is unable to comply with the minimal password standards must establish compensating controls to maintain equivalent protection.



All persons while conducting/performing work, teaching, research or study activity or otherwise using university resources. Scope/Applicability also includes all facilities, property, data and equipment owned, leased and/or maintained by the University or affiliates.


The University's Information Security Officer (ISO) is responsible for the development, publication, modification and oversight of these policies and standards. The ISO works in conjunction with university leadership, Information Technology, Audit Services and others for development, monitoring and enforcement of these policies and standards.


This policy will be reviewed annually to determine if the policy addresses university risk exposure and is in compliance with the applicable security regulations and university direction. In the event that significant regulatory changes occur, this policy will be reviewed and updated as needed per the policy management process.


Failure to comply with these policies and standards and/or any related information security and/or information technology policy, standard or procedure may result in disciplinary action up to and including termination of employment, services or relationship with the university and/or action in accordance with local ordinances, state or federal laws.



Version / Revision Date / Description

1.0 / July 23, 2007 / Original Publication

1.1 / January 31, 2011 / Revised special characters accepted

1.2 / November 16, 2011 / Statement that passwords are to be known only by the owner of the account.

1.3 / January 29, 2013 / Content Update


This policy is subject to change or termination by the University at any time. This policy SUPERSEDES all prior policies, procedures or advisories pertaining to the same subject.

Approved July 23, 2007 by the Compliance Oversight Council
Shirley C Willihnganz, Executive Vice President and University Provost, Chair of the Compliance Oversight Council


Document Actions
Personal tools