Tarleton Office of Innovative Technology Solutions (OITS)
Password Authentication Standard
Effective: February 11, 2020
Revised: July 16, 2025
Procedure Summary
Tarleton State University’s (Tarleton or university) information resources are strategic assets which, as property of the State of Texas, must be managed as valuable state resources in accordance with Texas Government Code Chapter 2054. User authentication is a means to control who has access to an information resource system. Controlling access is necessary for any information resource. The confidentiality, integrity, and availability of information can be lost when access is gained by a non-authorized entity. This, in turn, may result in loss of revenue, liability, or loss of trust, and can cause embarrassment to the university. There are several ways to authenticate a user. Examples are: password, university identification number (UIN), smartcard, fingerprint, iris scan, or voice recognition.
The purpose of the university password/authentication standard is to establish the process for the creation, distribution, safeguarding, termination, and reclamation of the university user authentication mechanisms. It also provides a set of measures that will mitigate information security risks associated with password authentication. There may be other or additional measures that will provide appropriate mitigation of the risks. The assessment of potential risks and the application of appropriate mitigation measures will be determined by the information resource owner or their designee. In accordance with Texas Administrative Code (TAC) Chapter 202 ‐ Information Security Standards, each department and/or resource owner may elect not to implement some or all of the risk mitigation measures provided in this standard based on information security risk management decisions and business functions. Such risk management decisions must be documented and reported to the designated information security officer. The intended audience for this standard includes, but is not limited to, all university employees, staff, faculty, students, guests and visitors that use information resources requiring authentication.
Please see the Tarleton Security Controls Catalog, specifically Access Control (AC)-2, Identification and Authentication (IA)-5 and IA-5(1), for additional information and requirements.
Procedures and Responsibilities
- All passwords shall conform to this standard unless approved otherwise by the Tarleton Chief Information Security Officer (CISO).
- Passwords must be treated as confidential information and are classified as such in accordance with Texas A&M University System (TAMUS) Regulation 29.01.03, Information Security, and Tarleton Security Controls Catalog, Identification and Authentication (IA)-5, Authenticator Management.
- Passwords shall be routinely changed at 365-day intervals for systems processing/storing mission critical and/or confidential data.
- Passwords embedded in programs intended for machine-to-machine interaction (e.g. backups, stored procedures) are not subject to the routine change specified above; instead, system administrators shall have a separate documented process for each respective password that includes a compensating control (e.g. an account audit or checkpoint) which ensures a compromised password will not go undetected.
- Where feasible, owners of systems that maintain mission critical and/or confidential information shall establish a reasonable period of time for passwords to be maintained in history to prevent their reuse.
- Passwords shall not be anything that can be easily associated with the account owner such as: user name, social security number, UIN, nickname, relative’s name, birth date, telephone number, etc.
- Passwords shall not be dictionary words, repeatable patterns or acronyms regardless of language of origin.
- There shall be a limited number of tries before a user is locked out of an account. Delay, or progressive delay, helps to prevent automated “trial-and-error” attacks on passwords.
- Changes to access controls must be reported immediately when there has been a change in job duties that no longer require restricted access or upon termination of employment.
- If the security of a password is in doubt, the password shall be changed immediately. If the password has been compromised, the event shall also be reported to the Office of Innovative Technology Solutions (OITS) Service Desk at helpdesk@tarleton.edu or 254-968-9885.
- Users should not circumvent password entry with auto logon, application remembering, embedded scripts, or hard-coded passwords in client software for systems that process/store mission critical and/or confidential data. Users should always enter “no” when asked to have a password “remembered.”
- Computing devices shall not be left unattended in unsecured areas without the user logging off of the device or enabling a password-protected screensaver.
- Forgotten passwords shall be replaced, not reissued.
- Standards for setting and changing information resource passwords include the following:
  - The user must verify his/her identity before the password is changed;
  - The password must meet Tarleton complexity guidelines; and
  - The user must change the password at first logon, where applicable.
- Systems that auto-generate passwords for initial account establishment must force a password change upon entry into the system.
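The lockout item above requires a limited number of tries followed by a delay or progressive delay. The following is an added illustration, not part of this standard and not code from any Tarleton system: a small Python authenticator-side guard that doubles the wait after each consecutive failed logon and locks the account once a threshold is reached. The thresholds (5 attempts, 2-second base delay, 15-minute lockout) and the names ProgressiveLockout, check, record_failure, record_success and simulate are assumptions chosen for the example; the standard itself does not specify values.

```python
"""Progressive-delay lockout for a password authenticator.

Added illustration for the lockout item of the standard; not Tarleton code.
The thresholds (5 attempts, 2-second base delay, 15-minute lockout) are
assumed values chosen for the example, not numbers taken from the standard.
"""
from dataclasses import dataclass

MAX_ATTEMPTS = 5           # assumed: consecutive failures allowed before the account locks
BASE_DELAY_SECONDS = 2     # assumed: delay imposed after the first failure
LOCKOUT_SECONDS = 15 * 60  # assumed: how long a locked account stays locked


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts
    next_allowed: float = 0.0  # earliest time (seconds) at which the next attempt is accepted
    locked_until: float = 0.0  # nonzero while the account is locked


class ProgressiveLockout:
    """Tracks failed logons per account and enforces a doubling delay, then a lockout.

    The current time `now` is passed in explicitly so the logic is deterministic
    and can be exercised without a clock.
    """

    def __init__(self):
        self._state: dict[str, AccountState] = {}

    def check(self, account: str, now: float) -> tuple[bool, str]:
        """Return (allowed, reason) for an attempt at time `now`, without recording it."""
        st = self._state.get(account, AccountState())
        if st.locked_until and now < st.locked_until:
            return False, f"locked for {int(st.locked_until - now)}s"
        if now < st.next_allowed:
            return False, f"retry in {int(st.next_allowed - now)}s"
        return True, "ok"

    def record_failure(self, account: str, now: float) -> AccountState:
        """Record a failed attempt; the delay doubles each time until the lockout threshold."""
        st = self._state.setdefault(account, AccountState())
        st.failures += 1
        if st.failures >= MAX_ATTEMPTS:
            st.locked_until = now + LOCKOUT_SECONDS
            st.next_allowed = st.locked_until
        else:
            # progressive delay: 2s, 4s, 8s, 16s for the assumed 2-second base
            st.next_allowed = now + BASE_DELAY_SECONDS * (2 ** (st.failures - 1))
        return st

    def record_success(self, account: str) -> None:
        """A successful logon clears the failure history (call check() first)."""
        self._state.pop(account, None)


def simulate(events):
    """Run (time, account, password_correct) events and return a list of outcomes.

    Constructed driver for the example: a real authenticator would call check()
    before verifying the password and record_failure()/record_success() afterwards.
    Each tuple is the kind of record an account audit or SIEM rule would consume.
    """
    guard = ProgressiveLockout()
    log = []
    for now, account, correct in events:
        allowed, reason = guard.check(account, now)
        if not allowed:
            log.append((now, account, "rejected", reason))
            continue
        if correct:
            guard.record_success(account)
            log.append((now, account, "success", "ok"))
        else:
            st = guard.record_failure(account, now)
            log.append((now, account, "failure", f"failures={st.failures}"))
    return log
```

Attempts made while a delay or lockout is in force are rejected without being counted, so a flood of requests cannot push the account into an ever-longer lockout; only attempts that actually reach password verification advance the counter. Every outcome is returned as a structured record, which is the kind of evidence the compensating-control item above (an account audit or checkpoint) relies on.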
Definitions
Account: information resource users are typically assigned logon credentials which include, at the minimum, a unique user name and password.
Anonymous write capability: the ability of people to save (on Tarleton computers) information they create without their identity being known (to system administrators).
Anonymously originating network traffic: causing a (Tarleton) computer system to send traffic via the network where the custodian/owner is not known.
Confidential Information: information that is excepted from disclosure requirements under the provisions of applicable state or federal law, e.g. the Texas Public Information Act.
Information Resources (IR): the standards, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.
Information Security Officer (ISO) / Chief Information Security Officer (CISO): responsible for administering the information security functions within the university and reports to the information resources manager (IRM).
Logon ID: a user name that is required as the first step in logging into a secure system. Generally, a logon ID must be associated with a password to be of any use.
Mission Critical Information: information that is defined by the university or information resource owner to be essential to the continued performance of the mission of the university or department. Unavailability of such information would result in more than an inconvenience. An event causing the unavailability of mission critical information would result in consequences such as significant financial loss, institutional embarrassment, failure to comply with regulations or legal obligations, or closure of a department or the university.
Owner of an Information Resource: an entity responsible for a business function and for determining controls and access to information resources supporting that business function.
Related Statutes, Policies, or Requirements
TAMUS Policy 29.01, Information Resources
TAMUS Regulation 29.01.02, Use of Licensed Software
TAMUS Regulation 29.01.03, Information Security
TAMUS Regulation 29.01.04, Accessibility of Electronic and Information Resources
TAMUS Regulation 29.01.05, Artificial Intelligence
TAMUS Regulation 29.01.06, Covered Applications and Prohibited Technologies
Tarleton SAP 29.01.03.T0.01, Information Resources – Acceptable Use
Tarleton Rule 29.01.99.T1, Information Resources
TAMUS Cybersecurity Data Categorization
Tarleton Security Controls Catalog
Contact Office
Office of Innovative Technology Solutions
AVP and CIO of Innovative Technology Solutions
254-459-5685