GatorLink Password Management Policy
(Effective May 5, 2004)
The University of Florida (UF) is committed to a secure information technology environment in support of its missions. With the implementation of new integrated, real-time computer systems and single sign-on accessibility via the myUFL portal, the need for a strong password policy is greater than ever.
The GatorLink username and password are the University's standard credentials for authentication to all new information systems. The University uses a role-based approach for providing access to these systems. Each person affiliated with UF has one or more security roles. Each security role has an associated password policy. If an individual has several roles with conflicting password policies, the “strongest” policy applies.
This policy is guided by the following principles:
- Five levels of password policy are necessary, each with a different set of requirements for password creation and reset. (See Attachment A).
- The assignment of a password policy is based on an individual’s security role(s) and is not an automatic result of an affiliation or staff position.
- Passwords must include three of the following four elements—upper case letters, lower case letters, digits and punctuation. Passwords may not contain words found in a dictionary.
- Passwords will expire during UF Help Desk business hours.
GatorLink passwords and security roles—and the resulting association of password policy to a user—are held in the PeopleSoft Enterprise Portal system (myUFL) and managed by UF Bridges.
Appendix Table A: GatorLink Password Policy Matrix

Policy levels:
- P1: Entry. For example: vendors, guests, student applicants, HR applicants
- P2: Low. Example: Access to information only about yourself.
- P3: Medium. Example: Access to information about others. Provide data at unit level.
- P4: High. Example: Access to information at the institutional level.
- P5: Rigorous. Example: Control institution systems.

| Attribute | P1 | P2 | P3 | P4 | P5 |
|---|---|---|---|---|---|
| 1. Minimum length of password | 8 | 8 | 8 | 9 | 9 |
| 2. Password is character checked | Yes | Yes | Yes | Yes | Yes |
| 3. Maximum age of password (in days) | 365 | 365 | 180 | 90 | 90 |
| 4. Days of daily expiration warnings | 14 | 14 | 14 | 14 | 14 |
| 5. Password minimum age for reset (in days) | 1 | 1 | 1 | 1 | 1 |
| 6. Password uniqueness/history | 200 | 200 | 200 | 200 | 200 |
| 7. Failed attempts before lockout | 20 | 20 | 20 | 20 | 20 |
| 8. Lockout duration in minutes | 30 | 30 | 30 | 30 | 30 |
| 9. May reset via self-service web | Yes | Yes | Yes | No | No |
| 10. May reset via Help Desk phone | Yes | Yes | Yes | No | No |
| 11. May reset in person | Yes | Yes | Yes | Yes | Yes |
| 12. Must read AUP on reset | Yes | Yes | Yes | Yes | Yes |
| 13. Must take quiz once per year | No | Yes | Yes | Yes | Yes |
| 14. Must complete security class before account is issued | No | No | No | Yes | Yes |
| 15. Must use 2-factor authentication | No | No | No | No | Yes |
| 16. Account is expired if password is cracked | No | No | No | Yes | Yes |
Attribute Notes:
- Each GatorLink password must have a minimum length as shown in the table. The maximum length is not defined by policy.
- Each attempt to change a password is checked to ensure that the new password conforms to the character requirements. Passwords must include three of the following four elements—upper case letters, lower case letters, digits and punctuation. Passwords may not contain words found in a dictionary.
- Passwords expire after a specific number of days as shown in the table. The expiration date is always set to a UF Business day.
- When the current date is close to the date of password expiration, messages will be sent each day to the user’s university business email address indicating that the password is about to expire and giving instructions for resetting the password.
- The password minimum age for reset ensures that passwords are not reset multiple times in the same day. This prevents “password cycling” – resetting passwords multiple times until a favorite password is once again permitted (see next note).
- Password uniqueness/history counts the number of passwords stored by the system to ensure that a password is not reset to one that was previously used.
- Failed attempts before lock out counts the number of attempts a user may have to enter a correct username and password before the account is locked out and may not be accessed.
- Once an account is locked out, a specific amount of time must pass before the account is automatically unlocked, the failed attempts count is set to zero and the user may again attempt to enter a correct username and password.
- Self-service web reset is the ability to change a password to something known, even if the user does not currently know their password. This is done using a secret question and answer provided by the user in advance of the password reset. Such methods are common at e-commerce web sites.
- Some users may be able to have their password reset by calling the UF Help Desk.
- Users may be able to reset their password by appearing in person with a photo ID.
- Users may be required to read and accept the University Acceptable Use Policy (AUP) which describes appropriate use of university information technology resources. The AUP is available on-line at http://www.it.ufl.edu/policies/aupolicy.html
- Users may be required to take a brief quiz to demonstrate that they have read and understand basic principles of information security and privacy.
- Users may be required to complete a University security practices class.
- Users may be required to use more than single-factor authentication (username and password). The second factor would be a biometric or other physical token. Specifications for second-factor authentication will be developed in the future.
- The University may attempt to crack the passwords of some users. If a password is cracked, the user will be notified, the account disabled and the password must be reset.
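The notes above describe how the matrix attributes are enforced: the role-based choice of the strongest policy, the length and three-of-four character-class check, the dictionary rule, the one-day minimum age, the 200-entry history, and the 20-attempt/30-minute lockout. The following is an added example, not UF's own code or the PeopleSoft implementation, that turns those rules into a small checker so the behaviour can be seen on concrete inputs. The word list, account names and timestamps are constructed stand-ins; the page does not publish the real dictionary, and history entries are compared by SHA-256 fingerprint purely for illustration.

```python
"""Added example: enforcing the GatorLink policy matrix (attributes 1, 2, 3, 5, 6, 7, 8)."""
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class PasswordPolicy:
    level: int              # 1 = Entry ... 5 = Rigorous
    min_length: int         # attribute 1
    max_age_days: int       # attribute 3
    min_age_days: int       # attribute 5
    history_size: int       # attribute 6
    lockout_threshold: int  # attribute 7
    lockout_minutes: int    # attribute 8


# Values copied from Appendix Table A.
POLICY_MATRIX = {
    "P1": PasswordPolicy(1, 8, 365, 1, 200, 20, 30),
    "P2": PasswordPolicy(2, 8, 365, 1, 200, 20, 30),
    "P3": PasswordPolicy(3, 8, 180, 1, 200, 20, 30),
    "P4": PasswordPolicy(4, 9, 90, 1, 200, 20, 30),
    "P5": PasswordPolicy(5, 9, 90, 1, 200, 20, 30),
}

# Constructed stand-in for the dictionary the policy refers to (the real list is not on the page).
SAMPLE_DICTIONARY = frozenset({"gator", "florida", "password", "summer", "welcome"})

# One regex per class: upper case, lower case, digit, punctuation (anything else).
CLASS_PATTERNS = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")


def strongest_policy(levels):
    """A user with several roles gets the highest (strongest) of their policies."""
    return max((POLICY_MATRIX[name] for name in levels), key=lambda p: p.level)


def character_classes(password):
    """How many of the four character classes the password contains."""
    return sum(1 for pattern in CLASS_PATTERNS if re.search(pattern, password))


def contains_dictionary_word(password, dictionary=SAMPLE_DICTIONARY):
    lowered = password.lower()
    return any(word in lowered for word in dictionary)


def fingerprint(password):
    # Illustration only: history is kept as hashes so old passwords are never stored in clear.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_new_password(password, policy, history=(), last_changed=None, now=None,
                       dictionary=SAMPLE_DICTIONARY):
    """Return the list of violations; an empty list means the change is accepted."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if character_classes(password) < 3:
        problems.append("fewer than three of the four character classes")
    if contains_dictionary_word(password, dictionary):
        problems.append("contains a dictionary word")
    # Only the most recent `history_size` fingerprints count (attribute 6).
    if fingerprint(password) in list(history)[-policy.history_size:]:
        problems.append(f"matches one of the last {policy.history_size} passwords")
    if last_changed is not None and now is not None:
        if now - last_changed < timedelta(days=policy.min_age_days):
            problems.append(f"changed less than {policy.min_age_days} day(s) ago")
    return problems


class LockoutTracker:
    """Per-account failed-attempt counter with the automatic unlock described in the notes."""

    def __init__(self, policy):
        self.policy = policy
        self.failures = {}      # username -> consecutive failed attempts
        self.locked_until = {}  # username -> datetime when the lockout ends

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Lockout elapsed: unlock and reset the counter to zero.
            del self.locked_until[user]
            self.failures[user] = 0
            return False
        return True

    def record_failure(self, user, now):
        """Register one failed login; returns True when the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.policy.lockout_threshold:
            self.locked_until[user] = now + timedelta(minutes=self.policy.lockout_minutes)
            return True
        return False


def run_demo():
    """Exercise the time-dependent rules on constructed timestamps; returns the observations."""
    now = datetime(2004, 5, 5, 12, 0)                 # constructed: the policy's effective date
    p4 = POLICY_MATRIX["P4"]
    too_soon = check_new_password("Tr0ub4dor&3", p4, last_changed=now - timedelta(hours=5), now=now)
    tracker = LockoutTracker(POLICY_MATRIX["P1"])
    before = [tracker.record_failure("demo-user", now) for _ in range(19)]
    twentieth = tracker.record_failure("demo-user", now)
    return {
        "too_soon": too_soon,
        "locked_before_threshold": any(before),
        "locked_at_threshold": twentieth,
        "still_locked_at_29_min": tracker.is_locked("demo-user", now + timedelta(minutes=29)),
        "unlocked_at_30_min": not tracker.is_locked("demo-user", now + timedelta(minutes=30)),
        "counter_after_unlock": tracker.failures["demo-user"],
    }
```

The dictionary rule is implemented as a case-insensitive substring match, which is the stricter reading of "may not contain words found in a dictionary"; a deployment that only rejects whole-word matches would replace `contains_dictionary_word` accordingly.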
