Purpose
The purpose of this document is to provide a set of minimum security standards governing the use of passwords for the University of Louisiana at Lafayette (UL Lafayette) Information Technology (IT) systems. Authentication of the users and applications that access or process data is a fundamental requirement of information security and is necessary to ensure the confidentiality and integrity of data. This document offers minimum standards for passwords and authentication for the users and systems covered by UL Lafayette IT resources.
Scope
This document is intended to provide guidance for systems and applications that utilize a username and password for authentication and authorization. For many systems, these settings are customizable and must be configured before a system goes into production or if it stores institutional information. Systems that utilize a ULID for authentication can assume these requirements are met as part of the service provided.
Definitions
A. Account Types
- User Accounts: Accounts that are under the control of a specific individual and are not accessible to others. These are user-interactive accounts.
- Shared Accounts: An account that can be accessed by multiple individuals to allow them to appear as a single business entity or accomplish a single shared function. These are user-interactive accounts.
- Privileged Accounts: A qualifier used to describe User Accounts and Shared Accounts that have elevated access to configure or significantly change the behavior of a computing system, device, application, or other aspect of systems. These accounts should be considered highly sensitive. These are user-interactive accounts.
- Service Accounts: Accounts that are intended for automated processes such as running batch jobs or applications or establishing connections between web, application, and database servers, or external applications or services. To be considered a service account, the account must not be primarily used for general login to systems by users.
B. Hardware token: A security token is a peripheral device used to gain access to a computer, network, or service. The token is used in addition to or in place of a password.
C. Multi-factor authentication (MFA): Using two or more factors to validate the identity of a user.
D. One Time Password (OTP): A password that is valid for a single log in session or transaction.
E. Passphrase: A sequence of words that is used to confirm a person’s identity to allow access to a computer, network, or service. Similar to a password but generally longer for added security.
F. Password: A string of characters that is used to confirm a person’s identity to allow access to a computer, network, or service.
G. ULID: A unique identifier that is assigned to all faculty, staff, and students. The ULID functions as a person’s identity for all campus systems.
Standards
Individuals must have a unique identifier and password for each University-associated account. Do not use the same password for multiple University accounts.
All UL Lafayette-owned electronic devices that access restricted/confidential University data must have password protection enabled.
Responsibility of Users regarding Passwords:
- Users are responsible for keeping passwords and all other types of authentication methods secure and confidential, including not sharing or storing passwords in an insecure manner. Passwords should not be written down and/or left in an easily accessible location.
- Passwords are confidential university information and should never be stored electronically without strong encryption.
- All passwords must be changed at first issuance or use.
- Passwords must not be shared for any individual accounts, including with IT support professionals. If anyone asks a user for their password, the user is obligated to report this to IT Security as a security incident.
- For any shared account passwords, whenever any person with knowledge of the password changes to a role where they no longer require knowledge of the password (i.e., leaves the university or changes positions), the password must be changed.
- ULID passwords must be unique. Users should never use their ULID password for any third-party systems, even if used for UL IT business purposes. Users should never use the same password for privileged and non-privileged accounts.
- Users must not store passwords with applications or use the “remember password” functions built into web browsers. Using a third-party password manager is highly encouraged to create strong passwords and store them securely. (Contact the UL IT ServiceDesk for a list of currently recommended password managers.)
- Always log out of applications or lock computers when leaving a computer to prevent unauthorized use.
- Users must not attempt to circumvent UL IT established authentication processes.
- Users must follow UL IT standards for authentication and password specifications.
Multi-Factor Authentication (MFA)
The University has enacted a common method of protection against unauthorized access by using multi-factor authentication (MFA). MFA is a security process whereby users must provide at least two different authentication factors to verify their identities before they can access their accounts. This process better protects a user’s personal information, credentials, and other assets, while also improving the security of the resources the user can access. The second factor can be an office phone, mobile phone, hardware token, or a supported authenticator app. Multiple authentication methods can be added to a single account.
- All individuals are required to engage in one additional step beyond the normal login process to access campus resources and the campus network. Individuals are required to register a second approved device.
- MFA is required on all new accounts created. Previously set up accounts will be migrated to MFA over the course of FY23 and FY24.
- MFA is required for all externally-exposed enterprise or third-party applications, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this safeguard.
- MFA is required for remote network access.
- MFA is required for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider.
Responsibilities:
Using MFA as a standard secondary factor authentication:
- When authenticating using MFA, all users must use the generated OTP (One Time Password) from their approved hardware token (fob), smartphone authentication app, mobile text message, or phone call code as the second factor for login, in addition to their campus credentials (e.g., ULID and password).
- Only approved and registered hardware tokens (fobs) or smartphones registered with the approved MFA app may be used for OTP generation.
- If using a smartphone app, users must notify the UL IT Service Desk when they change their smartphone device, even if they keep the same phone number. The UL IT Service Desk will assist users with the process of registering their new smartphone device.
- Lost, stolen, or damaged university-owned devices must be reported immediately to the UL IT Service Desk (ithelp@louisiana.edu).
- Devices must be properly secured and must not be shared.
- Users are expected not to leave their OTP devices unattended in a public place.
- Users should not mark their hardware fobs or smartphones with any identifying information such as name, ULID, password, or any reference to the UL IT systems.
Password Management
Recommendations for password management can be found in Section 6.1.2 of the Comprehensive Information Security Program (link below). The following is an excerpt from the document regarding password recommendations:
Recommendations for implementation and management of passwords or passphrases are:
Creating a good passphrase is one of the most important things that can be done to preserve the privacy of computer data and email messages. A passphrase should be:
Roles and Responsibilities Regarding Enforcement
Each University department/unit is responsible for implementing, reviewing, and monitoring internal policies, practices, etc. to assure compliance with this standard.
The Office of the Chief Information Officer is responsible for enforcing this standard.
Non-Compliance and Exceptions
Non-compliance with these standards may incur the same types of disciplinary measures and consequences as violations of other University policies, including progressive discipline up to and including termination of employment, or, in the cases where students are involved, reporting of a Student Code of Conduct violation.
Any device that does not meet the minimum-security requirements outlined in this standard may be removed from the UL IT network, disabled, etc. as appropriate until the device can comply with this standard.
It is recognized that software applications offer many varied capabilities with respect to authentication, authorization, role-based access control, password complexity, account management, and auditing of these components. Many examples of software exist that will not be able to conform to some aspect of the prescribed standards.
Despite these deficiencies, such software may be necessary for performing critical functions for the University. Reasonable efforts should be made to improve the security posture of such software by enhancing system configurations over time, engaging with vendors, and developing auditing capabilities when possible and feasible. It is encouraged that administrators contact UL Lafayette IT Security Office (ITSO) for evaluation of systems, applications, or accounts lacking the technical capability to meet the requirements below; the ITSO will offer guidance for selecting the best and most secure configuration within the limitations of the given system.
Exceptions to this standard may be submitted in writing to the UL Lafayette IT Security Officer, who will assess the risk and make a recommendation to the UL Lafayette Chief Information Officer. Written approval must be obtained from UL IT prior to utilizing any exceptions. Exceptions must be reviewed for reauthorization on no less than an annual basis.
Applicable UL Lafayette IT Policies
Comprehensive Information Security Program:
http://helpdesk.louisiana.edu/sites/helpdesk/files/UL%20Lafayette%20Comprehensive%20Information%20Security%20Program%20-%202014.pdf
Related UL Lafayette IT Policies
<LINK TO OTHER UL RELATED POLICIES>
Responsible Office
Office of Information Technology
Approval Authority
Gene Fields, Chief Information Officer
STANDARDS MANAGER:
CONTACT:
EFFECTIVE DATE: 04/02/2025
NEXT SCHEDULED REVIEW: May 2025
REVISION HISTORY:
Date | Change Description
11/01/2022 | Matthew E Delcambre (Draft Submitted)