[unisog] Password policies
jiml at mail.slh.wisc.edu
Wed Apr 19 15:23:48 GMT 2006
> We are looking at strengthening our password policy as part
> of a web single sign on project.
> When we presented a proposed password policy, we were asked,
> What do other Universities do?

In a similar situation, the new CSO at the University of
Wisconsin - Madison recently put through a "baseline password
standard" which you can find at:

We also now have a pretty nice advice page on managing passwords at:

> 1. Do you have a password requirements policy?
> 2. Do you mandate password changes?
> 3. If so what is the frequency of these changes?

Changing at least every six months is strongly encouraged.
HIPAA regulated components must change every two years.

> 4. What are your password complexity rules?

Length >= 8, minimum 3 kinds of characters (lower
case alphabetic, upper case alphabetic, numeric, special)

> 5. What are your password history rules?

None mandated university-wide, due to a decentralized and horribly
diverse IAA infrastructure, but major differences are
strongly recommended. Individual departments often enforce
some kind of history, usually not repeating the last 3-7 or so.

-- James E. Leinweber, BadgIRT volunteer
State Laboratory of Hygiene, University of Wisconsin - Madison
<jiml at slh.wisc.edu> 2811 Agriculture DR; phone +1 608 221 6281
PGP fp: 2E36 47BC DB03 57CE 86AD 19CC 41A1 9179 5C6B C8B9