UCSF/SFGH Dean's Office - Computing & Network Services
Strong Password Requirements

Introduction

Strong passwords are an important aspect of computer security. They are the front line of protection for user accounts. Industry standards and a recent independent security review of the School of Medicine network reveal that our password policies are weak and many passwords are constructed in a manner that leave them susceptible to password cracking.

Inadequate userids and passwords are on the SANS (SysAdmin, Audit, Network, Security) Institute's list of Top Ten Security Threats. The HIPAA privacy and security regulations require greater password management vigilance to protect patient information. It is therefore imperative that the School does more to strengthen its password policies and improve the overall security of its systems.

Timing

It would be sensible for users of the School of Medicine network to immediately recognize and implement the new password requirements outlined below. However, system enforcement of password rules and periodic audits of passwords will be implemented in conjunction with the HIPAA privacy rules on April 14, 2003.

Password Requirements Summary

1. Password length must be a minimum of seven (7) characters.
2. Passwords must be changed every 180 days.
3. Passwords must contain characters from at least three (3) of the following four (4) classes:
   

• Upper case letters (A, B, C, ….Z)
• Lower case letters (a, b, c, ….z)
• Numbers (0,1, 2, …9)
• Non-alphanumeric ("special characters") such as punctuation symbols

4. Passwords must be sufficiently complex so as not to be a common usage word or a word found in the English dictionary.
5. Passwords may not contain your user name or any part of your full name.
6. Password history is kept to prevent the reuse of the last eight (8) passwords.
7. Five (5) invalid attempts to enter a userid and password will result in an account lockout. Contact the CNS Helpdesk (see info below) for assistance in unlocking an account.
8. Passwords will be audited periodically for compliance by using automated password-cracker software.
9. Minimum password age: 8 days (in other words, passwords may not be changed until after 8 days since it was last changed).

To reach our helpdesk, call (415) 206-5126 or send us an e-mail.

Revised 1-17-2009