
Authentication Standard

Table of Contents

1.  Purpose and Background
2.  Standards
     a) User Authentication Requirements
     b) Current Minimum Password Implementations by Area
3.  Definitions
4.  Related Links
5.  Exceptions


1. Purpose and Background

In order to protect the confidentiality, integrity, and availability of the University’s information technology (IT) resources, appropriate authentication of users attempting to log into such resources is required.  For all University IT resources providing access to any non-public data, all users must authenticate by providing a set of credentials.

Users must not divulge or share passwords, PINs, private keys, hardware tokens, or similar authentication elements to anyone else, and they must not exploit sessions left open, or otherwise misappropriate or steal the “identity” of another user.  

This standard applies to all users.


2. Standards

User Authentication Requirements

UVA Medical Center (Agency 209)

Password Complexity Requirements

The user authentication standards for UVA Medical Center provisioned accounts are provided on the Password Management page.

All Other UVA Departments

Minimum Password Complexity Requirements for Data That is Not Highly Sensitive

All accounts with access to public, internal-use, and moderately sensitive University data must meet or exceed these guidelines:

  • Required credentials: Must provide a user ID and a password or approved physical token.
  • Preferred credentials: Should complete two-step login using 1) Information Technology Services (ITS)-generated UVA computing ID and NetBadge-acceptable password (permanent password, eservices password, UVA Health System email password) or personal digital certificate; and 2) Duo-based second step.
  • Required password length and complexity:
    Passwords with fewer than 20 characters must be more complex, meeting or exceeding the following criteria:
    • Minimum of 8 characters
    • Contain characters from at least three of the following four character classes:
      • Upper case alphabetic (e.g. A-Z)
      • Lower case alphabetic (e.g. a-z)
      • Numeric (e.g. 0-9)
      • Special characters (e.g. .,!@#$%~)
    • Expire at least every 365 days

    Passwords with greater than 20 characters may be less complex, meeting or exceeding the following criteria:
    • Contain characters from at least two of the following four character classes:
      • Upper case alphabetic (e.g. A-Z)
      • Lower case alphabetic (e.g. a-z)
      • Numeric (e.g. 0-9)
      • Special characters (e.g. .,!@#$%~)
    • Expire at least every 365 days
  • Required password uniqueness: Users must not use the same password for a UVA account and a non-UVA account (e.g. Google, Facebook, Amazon).
  • Preferred password history: Current password should differ from the user’s previous 24 passwords.

Additional Password Requirements for Accessing Highly Sensitive Data

All accounts with access to highly sensitive University data must meet or exceed these guidelines:

  • UVA Identity Token combined with a VPN connection, or
  • UVA Medical Center provided software or hardware token combined with a VPN connection when not accessing HSD from within the secure clinical subnet

Other methods must be reviewed and approved by the University Information Security Office before use.

Password Requirements for Access to Server or Service Administration or Management Accounts

All accounts with access to server or service administration or management accounts must meet or exceed these guidelines:

  • Required credentials: Must provide a user ID and a password meeting length and complexity requirements referenced below
  • Required password complexity: Passwords must meet or exceed these requirements: 25 character minimum; high complexity, defined as:
    • Contain characters from at least three of the following four character classes:
      • Upper case alphabetic (e.g. A-Z)
      • Lower case alphabetic (e.g. a-z)
      • Numeric (e.g. 0-9)
      • Special characters (e.g. .,!@#$%~)
  • Required password uniqueness: Password must be unique to this use, and not be a password used for any other purpose.
  • Required two-step login process: Must complete a two-step login process. Approved methods include 1) a UVA Identity Token combined with a VPN connection, and 2) the UVA Medical Center provided software or hardware token combined with a VPN connection. Other methods must be reviewed and approved by the University Information Security Office before use.
  • Required password rotation: Passwords must be changed on a minimum 90-day rotation; immediate rotation when 1) administrative group membership changes, or 2) a security incident occurs related to the server or one of its accounts.
  • Required logging: Administrative access must be logged.
  • Preferred restrictions: Should utilize scoped privileges, multiple non-shared administrative accounts.

Endpoint Authentication Password Requirements

All accounts provisioned on endpoints (including desktops and laptops) must meet or exceed these guidelines:

  • Required credentials: Login must be protected by a password meeting one of these requirements:
    • 8 character minimum; high complexity, defined as:
      • Contain characters from at least three of the following four character classes:
        • Upper case alphabetic (e.g. A-Z)
        • Lower case alphabetic (e.g. a-z)
        • Numeric (e.g. 0-9)
        • Special characters (e.g. .,!@#$%~)
      • Expire at least every 365 days
    • 20 character minimum; low complexity, defined as:
      • Contain characters from at least two of the following four character classes:
        • Upper case alphabetic (e.g. A-Z)
        • Lower case alphabetic (e.g. a-z)
        • Numeric (e.g. 0-9)
        • Special characters (e.g. .,!@#$%~)
    • Exception: Mobile devices (e.g. smart phones and tablets) accessing UVA resources must be protected with a password/passcode of at least four (4) characters.
  • Additional credentials: Second step, biometric (e.g. facial recognition or fingerprint), pattern code, or swipe code authentication is acceptable once the password has been set.
  • Required lockout: Must be configured to lock screen automatically after a period of 10 minutes or less of inactivity, with password protection.
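The length and character-class tiers above (8+ characters with three of four classes or 20+ characters with two of four for ordinary accounts, 25+ characters with three of four for administrative accounts, a four-character passcode for mobile devices), the preferred 24-password history, and the 365-day and 90-day rotation periods are concrete enough to enforce in code. The following checker is an added example written for this page; it is not UVA's own tooling. It assumes that "special character" means any printable character that is not a letter, digit or whitespace (the page gives only examples), that a password of exactly 20 characters falls into the long, low-complexity tier (the page says "fewer than 20" and "greater than 20" and does not say which applies at exactly 20), and it uses a plain SHA-256 fingerprint for the history check where a real credential store would compare against its own salted, slow hashes.

```python
"""Password-policy checker for the tiers described in the Authentication Standard.

Added example, not UVA's code. Thresholds are the page's numbers; anything
marked "assumption" is an interpretation the page does not spell out.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Character classes named in the standard. "special" is taken to be any
# printable character outside the other three classes (assumption: the page
# only lists examples such as .,!@#$%~ and gives no closed list).
CLASS_PATTERNS = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9\s]"),
}


def character_classes(password: str) -> Set[str]:
    """Return the set of character classes present in the password."""
    return {name for name, pat in CLASS_PATTERNS.items() if pat.search(password)}


@dataclass(frozen=True)
class Tier:
    name: str
    min_length: int
    min_classes: int
    max_age_days: Optional[int]  # None: the page states no rotation period


# Profiles transcribed from the standard. A password passes a profile if it
# satisfies at least one of the profile's tiers, checked in order.
STANDARD_USER = (
    Tier("high complexity", 8, 3, 365),
    # Assumption: exactly 20 characters is treated as the long, low-complexity tier.
    Tier("low complexity", 20, 2, 365),
)
ADMIN_ACCOUNT = (Tier("administrative", 25, 3, 90),)
MOBILE_PASSCODE = (Tier("mobile passcode", 4, 0, None),)


def evaluate(password: str, profile: Iterable[Tier]) -> Tuple[Optional[str], List[str]]:
    """Return (tier_name, []) for the first tier the password satisfies,
    or (None, reasons) listing why each tier rejected it."""
    classes = character_classes(password)
    reasons: List[str] = []
    for tier in profile:
        if len(password) < tier.min_length:
            reasons.append(f"{tier.name}: need {tier.min_length}+ characters, got {len(password)}")
        elif len(classes) < tier.min_classes:
            found = ", ".join(sorted(classes)) or "none"
            reasons.append(f"{tier.name}: need {tier.min_classes} character classes, got {len(classes)} ({found})")
        else:
            return tier.name, []
    return None, reasons


def fingerprint(password: str) -> str:
    """History fingerprint. Plain SHA-256 keeps this example dependency-free;
    a production store should reuse its own salted, slow password hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def reuses_previous(password: str, previous_fingerprints: Iterable[str], history_depth: int = 24) -> bool:
    """True if the candidate matches any of the last `history_depth` fingerprints
    (the standard's preferred history of 24 passwords)."""
    recent = list(previous_fingerprints)[-history_depth:]
    return fingerprint(password) in recent


def rotation_overdue(age_days: int, tier: Tier) -> bool:
    """True once a password's age exceeds the tier's maximum age, if it has one."""
    return tier.max_age_days is not None and age_days > tier.max_age_days


if __name__ == "__main__":
    # Constructed sample passwords; none of these comes from the page.
    samples = [
        ("Tr0ub4dor!", STANDARD_USER),                      # 10 chars, 4 classes
        ("correct horse battery staple", STANDARD_USER),    # 28 chars, lower only
        ("correct horse battery staple 9", STANDARD_USER),  # 30 chars, lower + digit
        ("Admin-Console-Rotation-2024!", ADMIN_ACCOUNT),    # 28 chars, 4 classes
        ("short1!", ADMIN_ACCOUNT),                         # 7 chars
    ]
    for pw, profile in samples:
        tier, reasons = evaluate(pw, profile)
        verdict = f"PASS ({tier})" if tier else "FAIL " + "; ".join(reasons)
        print(f"{pw!r}: {verdict}")
    print("admin password at 91 days overdue:", rotation_overdue(91, ADMIN_ACCOUNT[0]))
```

Run as a script it prints one verdict per sample; the long all-lowercase passphrase fails both tiers because it has only one character class, and the same phrase with a digit appended passes the low-complexity tier.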

Current Minimum Password Implementations by Area


3. Definitions

For a comprehensive list of the definitions found in the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies, please click here.


4. Related Links


5. Exceptions

If you think you need to request an exception to these requirements, please refer to the Exceptions Process.


APPROVER: Chief Information Officer
