
Enterprise Password Standards Policy

DTS POLICY 4000-0002

Policy Type: Enterprise
Section/Group: Security
Authority: UCA §63F-1-103; UCA §63F-1-206; Utah Administrative Code

Document History

Original Submission

Submitted On: NA
Submitted By: Richard Madsen, DTS Hosting Director
Approved By: Michael Hussey
Issue Date: NA
Effective Date: 04/15/2013


Last Revised Date: 06/03/2020
Last Revised By: Anna Tribolet
Last Approved By: Stephanie Weteling


Last Reviewed Date: 05/20/2020
Last Reviewed By: Phil Bates
Next Review: 05/20/2021

1.0 Purpose

The purpose of this policy is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency of change.

1.1 Scope

The scope of this policy includes all State employees, contractors, temporary workers, volunteers and others who have access to State of Utah information resources with user ID and password authentication. All user IDs created on any State computing system or device must have an associated password that meets the standards of this policy. It is the responsibility of the State employee, contractor, temporary worker, volunteer, or other to adhere to this policy.

1.2 Background

Common, default or shared passwords are ineffective and aid hackers and others in their illicit attempts to access systems and confidential data within the State of Utah. Protecting the State of Utah computers, systems, and data from unauthorized access is of preeminent importance. Strong passwords play a critical role in preventing unauthorized access.

1.3 Exceptions

A business case for non-compliance must be established and the request for exemption approved in advance through a risk acceptance process where the Chief Information Officer or authorized designee is notified and approval for the exception is granted.

1.4 Annual Review

In order to ensure that this policy is current and effective, DTS will review the policy annually and will make changes as needed.

2.0 Definitions

User IDs and passwords protect the integrity of information, provide authentication, control access, and establish user audit capabilities within the State of Utah computing environment and information resources. The combination of a user ID and password provides individual user validation that the person is authorized to access the system or device.

A supervisor level password includes administrative privileges to applications and systems. Examples include system access to an operating system on a server by a system administrator, or the ability to manage an application by an application administrator or power user.

User level passwords include basic access to applications and systems. An example would be things like access to email or a business application such as Finet.

3.0 Policy

3.1 Frequency of Change

  • All supervisor level passwords (e.g., root, enable, sys admin, privileged accounts) must be changed every sixty days, or when someone with administrative privileges, or a possible knowledge of those passwords, leaves the organization, or is no longer performing duties that require supervisor level permissions.
  • All user level passwords must be changed at least every ninety days.
  • A history of a user’s twenty-four most recently used passwords will be maintained to restrict their reuse.
  • After three consecutive unsuccessful password attempts, the first lockout is ten minutes, the second lockout is thirty minutes, and the third lockout is ninety minutes.

Note: Users can reset passwords by going to and clicking Forgot Password. Users can also refer to the instructions at for additional guidance.

3.2 General Password Construction Guidelines

All supervisor and user level passwords must conform to the guidelines as described in this section. Selecting a strong password is of the utmost importance.
Strong passwords have the following characteristics:

  • A password should be at least eight characters in length.
  • Passwords must not include any portion of your name, address, date of birth, Social Security Number, username, nickname, family name, pet name, sports team name or word that appears in a dictionary or any such word spelled backward.
  • Passwords must have a combination of letters, numeric digits and special characters.
  • Passwords must include at least one character from three of the following attributes:
    • Uppercase characters (A-Z)
    • Lowercase characters (a-z)
    • Numeric Characters (0-9)
    • Special Characters (i.e. !, @, #, $, %, ^, &, *, ))
  • When changing a password it is not acceptable to simply add a number to the end of a previously used password. Example: {password88, password89, etc.}
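As an added illustration, not part of this policy or any DTS tooling, the following Python checker applies the section 3.2 construction rules together with the "do not just add a number to the previous password" rule. The word list and the personal-information values are constructed assumptions, and "any portion" of personal data is approximated as a case-insensitive substring of three or more characters.

```python
"""Checker for the DTS 4000-0002 section 3.2 password construction rules (added example)."""
import re

MIN_LENGTH = 8

# Constructed stand-in for a real dictionary file (assumption); a deployment
# would load a full word list instead of this handful of words.
DICTIONARY = {"password", "welcome", "summer", "money", "behavior"}

# The four character classes; a password must hit at least three of them.
CLASSES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[!@#$%^&*()]"),
}


def check_password(candidate, personal_info=(), previous=None):
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []

    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 8 characters")

    classes_hit = sum(1 for rx in CLASSES.values() if rx.search(candidate))
    if classes_hit < 3:
        problems.append("fewer than three character classes")

    lowered = candidate.lower()
    # Name, username, date of birth, pet name, etc. supplied by the caller.
    for item in personal_info:
        item = item.lower()
        if len(item) >= 3 and item in lowered:
            problems.append(f"contains personal information '{item}'")

    # Dictionary words are rejected both forward and spelled backward.
    for word in sorted(DICTIONARY):
        if word in lowered or word[::-1] in lowered:
            problems.append(f"contains dictionary word '{word}' (forward or reversed)")

    # Reject password88 -> password89 style changes: same text once trailing digits go.
    if previous is not None:
        stripped, prev_stripped = (re.sub(r"\d+$", "", p) for p in (candidate, previous))
        if stripped and stripped == prev_stripped:
            problems.append("only the trailing number differs from the previous password")

    return problems
```

The two passphrase-derived examples from section 3.3 pass this checker, while `password89` following `password88` fails on the dictionary word, the class count, and the trailing-number rule.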

3.3 Password Creation Suggestions

  • Users should try to create passwords that can be easily remembered but not easily guessed. One way to do this is to create a password based on a song title, affirmation, or other phrase.
  • Examples of ways to create passwords:
    • “At work I am on my best behavior.” The password could be: “@wIaombb”
    • “Money is a good asset to have.” The password could be: “$isaga2h”
    • “The number 7 is a lucky number.” The password could be: “T#7isal#”

3.4 Password Protection Standards

  • Passwords must never be sent in clear text over the network. This includes e-mail, chat, instant messaging, or any other non-secure form of information transfer.
  • Passwords should never be stored in unsecured places, such as written down on a sticky note or saved unprotected on-line.
  • Passwords used for the State of Utah computing environment and information resources should be different from those used for personal accounts (e.g., a personal ISP account, personal email accounts, benefits, banking, etc.).
  • User IDs and passwords should never be shared with anyone, including administrative assistants, coworkers, family members, a local network administrator, desktop technician, or supervisor.
  • All passwords are to be treated as sensitive, confidential State of Utah information.

3.5 If a Password or User ID is Compromised

Any time a user ID or password is suspected of being compromised, the password must be changed immediately, or a request made that the account be disabled.

3.6 Enforcement

Violation of this policy may be the basis for discipline including but not limited to termination. Individuals found to have violated this policy may also be subject to legal penalties as may be prescribed by state and/or federal statute, and/or regulation.