7.5.15 Passwords

A. Purpose

To protect information and information resources from unauthorized access, disclosure, modification or destruction, users are responsible for maintaining the confidentiality of their password or passphrase and for selecting a strong password or passphrase in accordance with the requirements established by the Information Security Officer. The Information Security Office recommends that users use passphrases (a series of words with spaces in between) that are easier for users to remember but more difficult for other humans or machines to guess.

B. Persons Affected 

This policy applies to all individuals accessing University of Texas at Tyler (the "University") information or information systems; all individuals associated with or on the premises of the University, including without limitation employees, faculty, clinical residents and fellows, postdoctoral scholars, students, patients, visitors, volunteers, contractors, commercial tenants, and vendors; and University computers or other information resources owned, leased, administered, or otherwise in the custody and control of the University, wherever located.

C. Definitions

N/A

D. Policy

Password or Passphrase Requirements

  1. Passwords or passphrases must be unique to the University and must not be used for any other online services, such as shopping, financial accounts, or other personal email accounts. These types of personal accounts are frequently compromised, and password or passphrase re-use exposes the University to fraudulent access.
  2. All University information resources (including applications) should adhere to the following password or passphrase requirements:
    1. Passwords or passphrases must consist of a minimum of ten (10) characters;
    2. Password or passphrase expiration is not required;
    3. Password or passphrase complexity, such as upper/lower case and/or symbols, is not required;
    4. Spaces are allowed.
  3. Users must change their passwords or passphrases after any suspected password or passphrase compromise (e.g., a computer virus, a successful phishing attempt, etc.).
  4. Passwords or passphrases may not be reused.

Password or Passphrase Security

  1. Ensure user identity when issuing or resetting a password or passphrase.
  2. Passwords or passphrases are considered confidential information of the University. When it is necessary to record a password or passphrase, it must be stored securely.
  3. Lock access to idle sessions and require a password or passphrase to unlock (e.g., screen saver, session time-outs).
  4. Accounts must be set to lock out after 5 or more failed login attempts.
  5. System administrators will immediately require password or passphrase changes for certain security events that have the potential for security compromises. Examples include but are not limited to employee transfers, password or passphrase guessing attempts, or employee separations.
  6. All users leaving the University will have their accounts disabled within 24 hours. All system administrators leaving a department or unit will have their accounts disabled immediately.
  7. Sharing of user IDs or passwords or passphrases is strictly and explicitly forbidden.

Disciplinary Actions

Violations of this UTS 165 or other U. T. System or Institutional Information Security Policies or Standards by faculty, staff, and students who have access to U. T. System Information Resources or Data for the purpose of providing services to or on behalf of an Institution are subject to disciplinary action in accordance with the applicable Institutional rules and Policies. For contractors and consultants, this may include termination of the work engagement and execution of penalties contained in the work contract. For interns and volunteers, this may include dismissal. Additionally, certain violations may result in civil action or referral for criminal prosecution.

E. References

  • HIPAA 45 C.F.R Part §164, Subpart C
  • Texas Department of Information Resources (TDIR) Policy, Section 1 Texas Administrative Code (TAC) §§202.1 – 202.8
  • University of Texas System Policy UTS 165 – Information Resources Use and Security
  • NIST 800-63B

F. Review Responsibilities and Dates

The Division Head for this Policy is the Chief Information Security Officer and this Policy shall be reviewed every two (2) years or sooner, if necessary, by the Division Head or their designee.

APPROVED:  11/2021
AMENDED:  05/2023