[unisog] Password policies

Leinweber, James jiml at mail.slh.wisc.edu
Wed Apr 19 15:23:48 GMT 2006

> We are looking at strengthening our password policy as part 
> of a web single sign on project.
> When we presented a proposed password policy, we were asked, 
> What do other Universities do?

In a similar situation, the new CSO at the University of
Wisconsin - Madison recently put through a "baseline password
standard" which you can find at:


We also now have a pretty nice advice page on managing passwords at:


Specific answers:

> 1. Do you have a password requirements policy?


> 2. Do you mandate password changes?

Sort of.

> 3. If so what is the frequency of these changes?

Changing at least every six months is strongly encouraged.
HIPAA regulated components must change every two years.

> 4. What are your password complexity rules?

Length >= 8, minimum 3 kinds of characters (lower
case alphabetic, upper case alphabetic, numeric, special)

> 5. What are your password history rules?

None mandated university-wide, due to a decentralized and horribly
diverse IAA infrastructure, but major differences are
strongly recommended.  Individual departments often enforce
some kind of history, usually not repeating the last 3-7 or so.

-- James E. Leinweber, BadgIRT volunteer
State Laboratory of Hygiene, University of Wisconsin - Madison
<jiml at slh.wisc.edu> 2811 Agriculture DR; phone +1 608 221 6281
PGP fp: 2E36 47BC DB03 57CE 86AD  19CC 41A1 9179   5C6B C8B9

More information about the unisog mailing list