Standard 15: Passwords

  1. In order to preserve the security of UNF information resources and data, strong passwords must be used to control access to information resources. All passwords must be constructed, implemented, and maintained according to the requirements of this and other applicable policies, standards, and procedures governing password management.
  2. Strong passwords shall be used to control access to the University's information resources. All account passwords associated with the University's information resources must be constructed, implemented, and maintained according to the following, as technology permits:
    1. User identity must be verified when a password is issued or reset.
    2. Account passwords must comply with the following password strength requirements:
      1. Be at least 15 characters in length
      2. Not have been used within the past four passwords (password history)
    3. Account passwords must not:
      1. Include personal information such as the user's name, phone number, social security number, date of birth, or addresses
      2. Contain a series of the same character
      3. Contain the user's account name or UNF ID
      4. Be found in a weak or breached password list
  3. All password change procedures must include the following:
    1. Authentication of the user prior to changing the password (acceptable forms of authentication include answering a series of specific questions, showing one or more forms of photo ID, etc.).
    2. The new password must comply with password strength requirements associated with the data classification for the service in question.
  4. University identity credentials (security tokens, security certificates, smartcards, and other access and identification devices) must be disabled or returned to the appropriate department or entity on demand or upon termination of the relationship with the University.