The Official Web site for the Office of Information Technology - UTSA


Copyright (c) 2008. The University of Texas at San Antonio. All rights reserved.


Password Standard

Purpose - The UTSA Password Standard establishes the rules for the creation, distribution, safeguarding, termination and reclamation of the UTSA user authentication mechanisms.

Audience - The UTSA Password Standard applies equally to all individuals who use any UTSA information resource (IR).

  1. User account passwords must not be disclosed to any other user. The Office of Information Technology (OIT) staff and contractors will not ask users for their passwords.

  2. Users must not circumvent password entry with procedures such as automatic logon, application remembering, embedded scripts or hard-coded passwords in client software. Exceptions may be made for specific applications (for example, automated backup) with the approval of the UTSA Information Security Officer (ISO). If an exception is granted, there must be a procedure in place to change the applicable passwords.

  3. OIT Support Services (Help Desk) password change procedures must include the following:

    1. Before changing the password, authenticate the user to OIT Support Services (Help Desk) by UTSACard, picture ID, or the establishment and use of a security question system

    2. Change to a strong password – the requirements are outlined below

    3. Require user to change password at first login

  4. All passwords, including initial passwords, must be constructed and implemented according to the university’s IR rules:

    1. Password must be routinely changed, according to schedules established by OIT

    2. Password must avoid tie-ins to the account owner such as user name, social security number, nickname, relative’s name, birth date, etc.

    3. Password must not be an acronym or a word found in a dictionary.

    4. Password must contain at least 8 characters including a mix of upper and lower case characters and have at least 2 numeric characters. The numeric characters must not be at the beginning or the end of the password. Special characters should be included in the password where the computing system permits.

    5. Password history must be kept to prevent the reuse of a password.

    6. The display and printing of passwords must be suppressed such that unauthorized personnel will not be able to observe or subsequently recover them.

    7. Stored passwords must be encrypted.

    8. Security tokens (i.e. Smartcard) must be returned on demand or upon termination of the relationship with UTSA.

    9. System administrators must not circumvent the Password Standard for the sake of ease of use.

    10. All vendor-supplied/default passwords must be changed before any computer or communications system is connected to the UTSA network.

    11. Computing devices must not be left unattended without enabling a password-protected screen saver or logging off the device.

    12. If the security of a password is in doubt, the password must be changed immediately. In the event passwords are found out or exposed/discovered, the following steps must be taken:

      1. Take control of the passwords and protect them

      2. Report the discovery to the OIT Support Services (Help Desk)

    13. Passwords must be changed every 180 days.
