Dept. of Technology Services

Enterprise Password Standards Policy

DTS POLICY 4000-0002


Status: Active Policy
Effective Date: April 15, 2013
Revised Date: May 14, 2013
Approved By: Michael Hussey, CIO
Authority: UCA §63F-1-103; UCA §63F-1-206; Utah Administrative Code


Document History

Originator: Richard Madsen, DTS Hosting Director
Next Review: April 2019
Reviewed Date: April 2018
Reviewed By: Phil Bates, Chief Information Security Officer


1.0 Purpose

The purpose of this policy is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency of change.

1.1 Scope

The scope of this policy includes all State employees, contractors, temporary workers, volunteers and others who have access to State of Utah information resources with user ID and password authentication. All user IDs created on any State computing system or device must have an associated password that meets the standards of this policy. It is the responsibility of the State employee, contractor, temporary worker, volunteer, or other to adhere to this policy.

1.2 Background

Common, default or shared passwords are ineffective and aid hackers and others in their illicit attempts to access systems and confidential data within the State of Utah. Protecting the State of Utah computers, systems, and data from unauthorized access is of preeminent importance. Strong passwords play a critical role in preventing unauthorized access.

1.3 Exceptions

A business case for non-compliance must be established, and the request for exemption must be approved in advance through a risk acceptance process in which the Chief Information Officer or an authorized designee is notified and grants approval for the exception.

2.0 Definitions

User IDs and passwords protect the integrity of information, provide authentication, control access, and establish user audit capabilities within the State of Utah computing environment and information resources. The combination of a user ID and password provides individual user validation that the person is authorized to access the system or device.

A supervisor-level password grants administrative privileges to applications or systems. Examples include a system administrator's access to the operating system on a server, or an application administrator's or power user's ability to manage an application.

User-level passwords grant basic access to applications and systems, for example access to email or to a business application such as Finet.

3.0 Policy

3.1 Frequency of Change

  • All supervisor level passwords (e.g., root, enable, sys admin, privileged accounts) must be changed every ninety days, and whenever someone with administrative privileges, or possible knowledge of those passwords, leaves the organization or is no longer performing duties that require supervisor level permissions.
  • All user level passwords must be changed at least every ninety days.
  • A history of a user’s ten most recently used passwords will be maintained to restrict their reuse.
  • After three consecutive unsuccessful password attempts a user account will be disabled until the password is reset by the user. 
    Note: Users can reset passwords following the “Recover Account” link under Forgot your password on http://login.utah.gov/. 

3.2 General Password Construction Guidelines

All supervisor and user level passwords must conform to the guidelines as described in this section. Selecting a strong password is of the utmost importance.
Strong passwords have the following characteristics:
  • A password should be at least eight characters in length.
  • Passwords must not include any portion of your name, address, date of birth, Social Security Number, username, nickname, family name, pet name, or sports team name, nor any word that appears in a dictionary or any such word spelled backward.
  • Passwords must have a combination of letters, numeric digits and special characters.
  • Passwords must include at least one character from three of the following four attributes:
    • Uppercase characters (A-Z)
    • Lowercase characters (a-z)
    • Numeric characters (0-9)
    • Special characters (e.g. ! @ # $ % ^ & * ( ))
  • When changing a password it is not acceptable to simply add a number to the end of a previously used password (for example, password88, password89, etc.).

3.3 Password Creation Suggestions

  • Users should try to create passwords that can be easily remembered but not easily guessed. One way to do this is to create a password based on a song title, affirmation, or other phrase.
  • Examples of ways to create passwords:
    • “At work I am on my best behavior.” The password could be: “@wIaombb”
    • “Money is a good asset to have.” The password could be: “$isaga2h”
    • “The number 7 is a lucky number.” The password could be: “T#7isal#”
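The construction rules in 3.2 and the history and no-trailing-number rules in 3.1 and 3.2 are the kind of thing an identity system enforces at password-change time. The following is an added example, written for this page and not code from DTS or from any State system, of a checker that applies those rules and runs it over the three example passwords above plus the password88/password89 case. It assumes a deliberately tiny constructed word list in place of a real dictionary file, ignores dictionary words shorter than four characters and personal-information fragments shorter than three (both assumptions), and keeps the password history in plaintext only so the demo runs stand-alone; a real store holds salted hashes.

```python
import re
import string

# Thresholds taken from sections 3.1 and 3.2 of the policy.
MIN_LENGTH = 8
MIN_CLASSES = 3      # at least one character from three of the four classes
HISTORY_DEPTH = 10   # the ten most recently used passwords may not be reused

# Constructed, deliberately tiny stand-in for a real dictionary file.
DICTIONARY = {"password", "money", "behavior", "asset", "lucky", "number", "work"}
MIN_WORD_LEN = 4     # assumption: dictionary words shorter than this are ignored
MIN_INFO_LEN = 3     # assumption: personal-info fragments shorter than this are ignored


def character_classes(pw: str) -> set:
    """Return which of the four policy character classes the password uses."""
    classes = set()
    for ch in pw:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:   # ! @ # $ % ^ & * ( ) and the rest
            classes.add("special")
    return classes


def construction_violations(pw: str, personal_info=(), dictionary=DICTIONARY) -> list:
    """Check the section 3.2 construction rules; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(pw)) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} of the 4 character classes")
    low = pw.lower()
    for item in personal_info:
        if len(item) >= MIN_INFO_LEN and item.lower() in low:
            problems.append(f"contains personal information {item!r}")
    for word in sorted(dictionary):
        if len(word) >= MIN_WORD_LEN and (word in low or word[::-1] in low):
            problems.append(f"contains dictionary word {word!r} (forward or reversed)")
    return problems


def _stem(pw: str) -> str:
    """Strip any trailing run of digits so password88 and password89 compare equal."""
    return re.sub(r"\d+$", "", pw)


def reuse_violations(new_pw: str, history: list) -> list:
    """Check the section 3.1 history rule and the 3.2 no-trailing-number rule.

    `history` is oldest-first and its last entry is the current password. It is
    kept in plaintext only for this demo; a real store holds salted hashes, and
    then the stem comparison can only be made against the current password,
    which the user supplies at change time.
    """
    problems = []
    if new_pw in history[-HISTORY_DEPTH:]:
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    elif history and _stem(new_pw) and _stem(new_pw) == _stem(history[-1]):
        problems.append("differs from the current password only in a trailing number")
    return problems


def validate_change(new_pw: str, history: list, personal_info=()) -> list:
    """All policy violations for a proposed password change, empty if it may proceed."""
    return construction_violations(new_pw, personal_info) + reuse_violations(new_pw, history)


if __name__ == "__main__":
    # Constructed sample: a user who keeps incrementing the number on the end.
    old = ["password87", "password88"]
    for candidate in ["password89", "@wIaombb", "$isaga2h", "T#7isal#"]:
        print(candidate, "->", validate_change(candidate, old, ("jdoe", "Jane", "Doe")) or "OK")
```

Two things the run makes visible that the rules alone do not: the three-of-four check lets “@wIaombb” pass with no digit at all, so it is the operative rule and is weaker than the "letters, digits and special characters" bullet reads; and with a full dictionary rather than the toy list, “$isaga2h” would be rejected because it contains the word "saga", which is why passphrase-derived passwords should be checked, not assumed safe.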

3.4 Password Protection Standards

  • Passwords must never be sent in clear text over the network. This includes e-mail, chat, instant messaging, or any other non-secure form of information transfer.
  • Passwords should never be stored in unsecured places, such as written on a sticky note or saved unprotected online.
  • Passwords used for the State of Utah computing environment and information resources should be different than those used for personal accounts (e.g., a personal ISP account or personal email accounts, benefits, banking etc.).
  • User IDs and passwords should never be shared with anyone, including administrative assistants, coworkers, family members, a local network administrator, desktop technician, or supervisor.
  • All passwords are to be treated as sensitive, confidential State of Utah information.

3.5 If a Password or User ID is Compromised

Any time a user ID or password is suspected of being compromised, the password must be changed immediately, or a request made that the account be disabled. 

3.6 Enforcement

Violation of this policy may be the basis for discipline including but not limited to termination. Individuals found to have violated this policy may also be subject to legal penalties as may be prescribed by state and/or federal statute, and/or regulation.