IMST 02: Password Management Standard
Information Classification - Public
Purpose
This standard describes the minimum requirements for the creation and handling of authenticators such as passwords, PINs and encryption keys.
Scope
The standard covers everyone who has a contractual (formal or informal/implied) relationship with the University, including employees, students, visiting academics, and consultants. Please note that this list is not exhaustive.
Responsibilities
Each individual is expected to create and maintain their own personal passwords, PINs and encryption keys, and these must not be divulged to anyone under any circumstances. Shared passwords, PINs and encryption keys, e.g. for keypad-operated key safes, must only be shared on a need-to-know basis.
Heads of Departments (or equivalent), or nominated deputies are responsible for ensuring that this standard is adhered to in their respective departments, and for its communication to their staff as appropriate.
The Chief Information & Transformation Officer (CITO) retains overall accountability for this standard. The Chief Information Security Officer (CISO) has delegated authority for ensuring the standard meets legal and regulatory requirements; for keeping this standard up to date; and for ensuring that controls, checks and audits are carried out as part of compliance with this standard.
Role | Function |
---|---|
Designate of Head of Department (e.g. academic lead on research, individuals with delegated authority for information, system administrators) | Responsible - for overseeing the use of the standard, within areas of responsibility |
Head of Department | Accountable - for use of the standard within departments |
Information Risk and Compliance Team (with escalation to CISO and CITO required) | Consult - to discuss organisational level use of the standard |
IDG Digital Business Partners | Inform - must be informed of the content of the standard to communicate it to their departments |
Password composition
- All user passwords must have a minimum length of 12 characters.
- In line with NCSC guidance, the use of passwords consisting of three random words is advocated.
- Minimum complexity levels for passwords are purposefully not enforced: passwords are not required to contain a mix of cases, symbols and numbers unless the system in question prescribes it.
Password history and expiry
- When changing a password, users must not use any previously used passwords nor make a simple incremental change to a number or letter.
- Fixed expiry dates for passwords must not be set as they encourage the use of weak passwords.
Multi-factor authentication
- All University of Warwick user accounts require multi-factor authentication.
- In addition to a password, where MFA is applied, users must authenticate via an authenticator app or a University-issued physical authenticator fob. SMS multi-factor is less secure and should only be used where no other option is available.
- Device administrators must ensure that users are required to authenticate via MFA on all new devices. Thereafter, devices must be re-authenticated via MFA at least once per year.
Failed login attempts
- Users will be permitted no more than 10 consecutive failed login attempts, after which their account will be locked and will require unlocking via the IDG Service Desk.
- Where feasible, the time between failed login attempts will increase, up to a maximum of one hour, until the login attempt limit has been reached.
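The two rules above (a lock after 10 consecutive failures, and a growing wait between failures capped at one hour) as an added worked example in Python; this is not University code. The 30-second starting delay that doubles on each failure is a constructed assumption, as is the choice not to count an attempt made inside the backoff window; the standard only fixes the 10-attempt limit and the one-hour cap.

```python
"""Login throttling as the standard describes it: lock the account after 10
consecutive failed attempts, and make the wait between failed attempts grow
up to a cap of one hour. Added example, not University code."""
import time
from typing import Callable, Dict

MAX_FAILED_ATTEMPTS = 10   # from the standard: lock after 10 consecutive failures
MAX_DELAY_SECONDS = 3600   # from the standard: the delay grows to at most one hour
BASE_DELAY_SECONDS = 30    # constructed assumption: first delay 30 s, doubling thereafter


def delay_after_failures(failures: int) -> int:
    """Seconds the next attempt must wait after `failures` consecutive failures.

    Doubles each time (30, 60, 120, ...) and is capped at one hour, so the cap
    is reached on the 8th failure, before the 10th failure locks the account.
    """
    if failures <= 0:
        return 0
    return min(BASE_DELAY_SECONDS * 2 ** (failures - 1), MAX_DELAY_SECONDS)


class LoginThrottle:
    """Per-account count of consecutive failures, backoff deadline and lock flag.

    The clock is injectable so the behaviour can be exercised without sleeping.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.state: Dict[str, dict] = {}

    def _entry(self, username: str) -> dict:
        return self.state.setdefault(
            username, {"failures": 0, "not_before": 0.0, "locked": False}
        )

    def attempt(self, username: str, verify: Callable[[], bool]) -> str:
        """Process one login attempt.

        `verify` performs the actual credential check and is only called when
        the account is neither locked nor inside its backoff window.  Returns
        "ok", "failed", "too_early" (rejected without being counted) or "locked".
        """
        s = self._entry(username)
        now = self.clock()
        if s["locked"]:
            return "locked"
        if now < s["not_before"]:
            return "too_early"
        if verify():
            s["failures"] = 0          # a success resets the consecutive count
            s["not_before"] = 0.0
            return "ok"
        s["failures"] += 1
        if s["failures"] >= MAX_FAILED_ATTEMPTS:
            s["locked"] = True         # only the Service Desk unlock clears this
            return "locked"
        s["not_before"] = now + delay_after_failures(s["failures"])
        return "failed"

    def unlock(self, username: str) -> None:
        """Service Desk action: clear the lock and the failure history."""
        self.state[username] = {"failures": 0, "not_before": 0.0, "locked": False}
```

Checking the backoff window before calling `verify` matters: an attempt made too early is refused without the password being evaluated, so the throttle also limits how fast guesses can be checked against the real credential store.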
Required practices for users
- All users are required to register their accounts via an account registration page; this includes setting up a secure password and MFA on the account. Where users are issued an initial temporary password, they must log in to their account and change it as soon as possible.
- Passwords used for any accounts outside of the University of Warwick must never be used for University of Warwick accounts.
- Passwords used for University of Warwick accounts must never be used for accounts outside of the University of Warwick.
- Passwords for University of Warwick accounts must never be shared with anyone, even if requested by IDG staff members.
- If users have multiple University of Warwick accounts, a different password must be used for each account.
Shared accounts
- Alternative forms of authentication to shared passwords (such as delegated privileges, password management software) must be used where possible.
- In the rare instances where a password must be distributed to more than one person, it must not be communicated through insecure channels such as unencrypted email. Passwords transmitted or stored in ‘plain text’ are at high risk of being stolen or misused; therefore passwords must not be shared in plain text but sent separately, by encrypted means.
- Shared credentials must be stored securely in either secure password management software or in an encrypted folder only accessible to those who are required to access the credentials.
- Shared passwords must only be shared with, and accessible to, those with a business need for them. When an individual no longer requires access, the shared password must be reset.
Privileged account authentication
- Privileged user accounts require a higher level of stringency in authentication than standard user accounts.
- Privileged user accounts must have a minimum password length of 20 characters unless advanced MFA measures can be applied to the account.
PINs
- PINs for devices, electronic locks for physical spaces and any other instance where a numerical PIN is applied as an access control must have a minimum length of 6 characters.
- PINs must not be easy to guess (e.g. 123456, 111111).
Storage and transmission
- The use of dedicated password management software is encouraged.
- Password memorisation features for web browsers may expose passwords to theft and should therefore not be used.
- Passwords must never be stored in a physical record such as paper.
- Users must not keep records of passwords for individual user accounts other than via secure password management software.
- Passwords must never be transmitted via unencrypted protocols (e.g. over open and/or public Wi-Fi networks, or to websites whose address starts with ‘http’ rather than ‘https’).
- Users are not permitted to transfer passwords over email, chat services, SMS or phone at any time without authorisation via the exceptions process.
- Passwords must not be used to protect documents from unauthorised viewing, unless it is in accordance with IMST 03 Handling Information Standard, as these passwords cannot be recovered if lost or forgotten.
Practices for administrators and developers
- Administrators and developers must have the ability to enforce the requirements laid out in this standard.
- Passwords must under no circumstances be stored in plain text.
- Salting and hashing using a modern hashing algorithm must be applied in any password storage mechanism.
- Passwords must be checked against password deny lists in order to prevent the use of common or insecure passwords.
- Single Sign-On should be done via IDG Azure AD/Microsoft Entra. If SSO cannot be implemented, MFA must be enforced and access managed by the service owner of the application.
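An added Python example, not University code, showing how an application could enforce the rules this standard places on a password at set or change time: the 12-character minimum (20 for privileged accounts without advanced MFA), the deny-list check, rejection of any previously used password and of a simple incremental change, and salted hashing with a modern password hash. The deny list and the per-user history layout (a list of salt/hash pairs, newest last) are constructed assumptions; scrypt from the standard library stands in for whichever password hashing function a deployment chooses. Because only hashes are kept, reuse is detected by verifying the candidate against each stored record, while the incremental-change check compares against the current password, which the user supplies in plain text during a change.

```python
"""Password rules from this standard applied at set/change time.
Added example, not University code; deny list and history layout are
constructed assumptions."""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

MIN_LENGTH = 12             # from the standard: all user passwords
PRIVILEGED_MIN_LENGTH = 20  # from the standard: privileged accounts without advanced MFA
# Constructed sample deny list; a real deployment loads a large common/breached list.
DENY_LIST = {"password1234", "qwertyuiop12", "welcome12345", "changeme2024"}
# scrypt work factors: 16 MiB of memory per hash, tens of milliseconds per call.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

HashRecord = Tuple[bytes, bytes]  # (salt, derived key)


def hash_password(password: str, salt: bytes = b"") -> HashRecord:
    """Salt (16 random bytes unless one is supplied) and hash with scrypt."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, key


def verify_password(password: str, record: HashRecord) -> bool:
    """Constant-time comparison of the recomputed key against the stored one."""
    salt, key = record
    return hmac.compare_digest(hash_password(password, salt)[1], key)


def is_incremental_change(old: str, new: str) -> bool:
    """True when `new` is `old` with one character replaced, or one character
    added or removed at either end (e.g. Winter2024! -> Winter2025!).
    Compared case-insensitively so Summer2024 -> summer2024 is also rejected."""
    old, new = old.lower(), new.lower()
    if old == new:
        return True
    if len(old) == len(new):
        return sum(a != b for a, b in zip(old, new)) == 1
    if abs(len(old) - len(new)) == 1:
        shorter, longer = sorted((old, new), key=len)
        return longer.startswith(shorter) or longer.endswith(shorter)
    return False


def validate_new_password(new: str, current: Optional[str],
                          history: List[HashRecord], privileged: bool = False) -> List[str]:
    """Return the rules the candidate breaks (an empty list means acceptable).
    No complexity rule is applied: the standard deliberately does not require
    a mix of cases, symbols and numbers."""
    problems = []
    min_len = PRIVILEGED_MIN_LENGTH if privileged else MIN_LENGTH
    if len(new) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if new.lower() in DENY_LIST:
        problems.append("appears on the deny list")
    if current is not None and is_incremental_change(current, new):
        problems.append("simple incremental change to the current password")
    # Only hashes are kept, so reuse is detected by verifying against each record.
    if any(verify_password(new, record) for record in history):
        problems.append("previously used")
    return problems


def change_password(user: dict, current: str, new: str, privileged: bool = False) -> List[str]:
    """`user["history"]` holds every hash ever set for the account; the last
    entry is the current password. Returns the problems found; on success the
    new hash is appended and becomes current."""
    if not verify_password(current, user["history"][-1]):
        return ["current password incorrect"]
    problems = validate_new_password(new, current, user["history"], privileged)
    if not problems:
        user["history"].append(hash_password(new))
    return problems
```

Returning the full list of broken rules rather than the first one lets the registration page show the user everything that needs fixing in one round; the plain-text candidate is discarded once the hash is stored.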
API keys
- Keys must never be embedded directly into code.
- Keys must be stored appropriately, such as in a password manager, and must not be exposed in public repositories.
- Granular access controls are to be implemented to limit the scope and permissions of each key.
- Key usage is to be monitored, and keys are to be rotated every 90 days.
Exceptions
‘Exception requests’ under this standard are processed through the IDG exceptions process with the delegated authority of the CITO.
Activities that have received prior approval by the Research Governance and Ethics Committee are not required to go through the exceptions process.
This standard may have an impact on users of assistive technology or assistive software due to their circumstances. Such cases will be considered individually.
References
This standard has been prepared with reference to:
- Gartner - ID G00784559 - Craft a Simple, Effective Password Policy.
- National Institute of Standards and Technology (NIST) - Cyber Security Framework 2.0 (Function - Protect - PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization).
- National Cyber Security Centre (NCSC) - Password administration for system owners.
Version/document control
Version | Date created | Date published | Next review | Notes/outcomes |
---|---|---|---|---|
1.0 | Nov 2024 | 27 May 2025 | 27 May 2026 | |