Unified UCSF Enterprise Password Standard
The Unified UCSF Enterprise Password Standard was approved by the UCSF CIO Group on January 7, 2008 and is applicable to all Electronic Information Resources within UCSF, including the UCSF Medical Center. Questions about this standard can be sent to the UCSF CIO Group.

| Category | Standard |
|---|---|
| Maximum Age | 180 Days |
| Minimum Age | 8 Days |
| History (changes before repeats allowed) | 8 |
| Failed logons allowed before lockout | 5 failed attempts |
| Lockout duration | 15 minutes |
| Minimum Password Length | 7 |
| Maximum consecutive character repeats | 2 |
| Required Characters | At least 1 character from 3 of 4 character sets: a-z, A-Z, 0-9, symbols ~`!@#$%^&*()_-+={}[]\|\\:;"'<>,.?/ |
| Prohibited Patterns | Easily guessed patterns such as dictionary words, dates, phone numbers, proper names, parts of login name, minor variations on former password, etc. |
This standard should be considered a minimum. Systems that are capable of exceeding these settings should do so where operationally feasible.
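As an added example (not part of the standard and not the OAAIS Active Directory implementation), the following Python checks a candidate password against the mechanically testable rows of the table: minimum length, three of four character sets, consecutive repeats, reuse within the 8-change history window, and pieces of the login name. The dictionary-word, date and "minor variation" rules are not covered. Two readings are assumptions made here: a "part" of the login name means any three or more consecutive characters of it, and "maximum consecutive character repeats: 2" means at most two identical characters in a row.

```python
# Symbol set copied from the standard's "Required Characters" row.
SYMBOLS = set('~`!@#$%^&*()_-+={}[]|\\:;"\'<>,.?/')
MIN_LENGTH = 7
MAX_CONSECUTIVE_REPEATS = 2   # assumption: "aa" is allowed, "aaa" is not
HISTORY_DEPTH = 8             # changes before a password may be reused
LOGIN_PART_MIN = 3            # assumption: what counts as a "part" of the login name

def character_sets_used(password: str) -> int:
    """Count how many of the four sets (a-z, A-Z, 0-9, symbols) appear."""
    return sum((
        any("a" <= c <= "z" for c in password),
        any("A" <= c <= "Z" for c in password),
        any("0" <= c <= "9" for c in password),
        any(c in SYMBOLS for c in password),
    ))

def longest_run(password: str) -> int:
    """Length of the longest run of one character repeated consecutively."""
    longest = run = 0
    prev = None
    for c in password:
        run = run + 1 if c == prev else 1
        longest = max(longest, run)
        prev = c
    return longest

def contains_login_part(password: str, login: str) -> bool:
    """True if any LOGIN_PART_MIN-character slice of the login occurs in the password (case-insensitive)."""
    pw, lg = password.lower(), login.lower()
    return any(lg[i:i + LOGIN_PART_MIN] in pw for i in range(len(lg) - LOGIN_PART_MIN + 1))

def check_password(password: str, login: str, history: list[str]) -> list[str]:
    """Return the rules the candidate violates (an empty list means it passes).
    `history` lists earlier passwords, most recent first; the standard only
    forbids reuse within the last HISTORY_DEPTH changes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_sets_used(password) < 3:
        problems.append("uses fewer than 3 of the 4 character sets")
    if longest_run(password) > MAX_CONSECUTIVE_REPEATS:
        problems.append(f"repeats a character more than {MAX_CONSECUTIVE_REPEATS} times in a row")
    if contains_login_part(password, login):
        problems.append("contains part of the login name")
    if password in history[:HISTORY_DEPTH]:
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems
```

The history list holds plaintext only to keep the example short; a real system keeps salted hashes of former passwords and compares the candidate against those.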
The OAAIS Active Directory implements this standard as part of the Active Directory Password Protocol.
Exceptions
All systems must comply with the password standard where possible; however, there are some cases in which an exception may be granted. These cases include:
- System is not capable of meeting the standard due to technical limitations
- Legal reasons
Systems granted an exception may be required to have additional compensating information security controls in place, such as a stricter firewall, or greater access logging.
Exception Process
All exception requests should be directed to the UCSF Customer Support Center:
- http://help.ucsf.edu/
- (415) 514-4100, Option 1: Medical Center, Option 2: Campus
UCSF Enterprise Information Security (EIS) and/or UCSF Medical Center IT will investigate the request and render a decision. Requests will be reviewed by the Information Security Committee (ISC) on a monthly basis.
Exception Requests
Exception requests must contain the following information at a minimum. This information can either be provided with the initial request or collected by EIS or the Medical Center IT.
- Name of the individual making the request
- Affiliation/Title of the individual(s) who will have an exception
- Name of the system(s) where the exception will be effective
- Types of data the account(s) will have access to
  - In particular, any access to Restricted Information such as ePHI or PII
- Types of data on the system(s) where the exception(s) will be effective
  - In particular, any access to Restricted Information such as ePHI or PII
- Reason for the request
- Duration of the exception requested
  - e.g. temporary (with start and end times) or permanent
Granted Exceptions
Exceptions granted will be tracked by EIS and/or the Medical Center IT and will be reviewed every 12 months to ensure exceptions are still valid and required.
