IT User Password and Authentication Policy
- Version 1.0
Queries
For queries on this policy, contact IT Support:
- Email: it-support@cardiff.ac.uk
- Tel: 029 2251 1111 (ext. 11111 internally)
Purpose and scope
This policy ensures that the University’s Information Assets are protected and secured appropriately by establishing provisions for the creation, application, protection, and management of strong authentication methods.
All users who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Cardiff University facility, who have access to the Cardiff University network, or who store any non-public Cardiff University information, are within the scope of this policy. This includes access to university-owned devices (including laptops, tablets, and smartphones) and to IT systems, regardless of whether the system is accessed from a university-owned or personally owned device.
The use of digital certificates for authentication is not covered by this policy.
Related policies and procedures
This policy forms part of the Information Security Framework and should be read in conjunction with:
- the Information Security Policy and all supporting policies
- the IT Regulations and the IT Acceptable Use Policy
Policy
Authentication requirements
- User accounts shall be authenticated before any access to university information and IT systems is granted. Forms of authentication used include:
- Passwords
- Digital certificates
- Multi-Factor Authentication (MFA) will be applied to University IT systems as a second layer of authentication (to passwords and digital certificates), where additional confidentiality, integrity, and availability protection is required for the system and/or its data.
- IT Support must be contacted immediately where any authentication method is suspected or confirmed to have been revealed, identified, or compromised by another user or third party. Authentication for these user accounts will be changed or removed.
- Where access to a user account is required for business purposes by a third party, a request for assistance must be made via IT Support.
- All authentication methods are to be considered as Highly Confidential (C1) information and must be handled accordingly.
Passwords
- Passwords will be applied to user accounts that provide access to university information and systems.
- Passwords are individually allocated and shall not be shared with or revealed to any other user or third party.
- Passwords must be unique and not shared with any other university or personally held accounts.
- Users are not permitted to:
- reuse passwords that have been previously used on their user account
- use commonly used passwords, e.g. password, 123456, qwerty, etc.
- Passwords must be complex and:
- be a minimum of 12 characters in length
- contain a mixture of upper-case and lower-case characters
- contain at least one numerical character
- Accounts with elevated privileges shall also be required to include a non-alphanumeric character
- Users shall be provided with mechanisms to change their passwords. Users will be required to verify their identity before access to reset passwords is granted.
- Instructions for users on setting strong passwords and how to reset passwords must be provided and maintained by University IT.
- Passwords will need to be changed where there is a:
- concern that the password has been identified or compromised.
- business or external requirement for passwords to be periodically changed.
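The password rules above, encoded as a validator so that each requirement maps to one check. This is an added example, not part of the University's policy or its IT systems; the function names, the three-entry deny-list and the history handling are constructed for illustration, and previous passwords are kept as salted PBKDF2 hashes rather than plaintext so the reuse check does not itself become a store of Highly Confidential data.

```python
from __future__ import annotations
import hashlib
import hmac
import os
import re

# The three examples the policy names; a production deny-list would be far larger.
COMMON_PASSWORDS = {"password", "123456", "qwerty"}
PBKDF2_ROUNDS = 100_000  # constructed value for the example


def history_entry(password: str) -> tuple[bytes, bytes]:
    """Record a previous password as (salt, PBKDF2-SHA256 hash), never as plaintext."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def used_before(candidate: str, history: list[tuple[bytes, bytes]]) -> bool:
    """Re-derive the candidate under each stored salt and compare in constant time."""
    for salt, digest in history:
        probe = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(probe, digest):
            return True
    return False


def check_password(candidate: str, history=(), privileged: bool = False) -> list[str]:
    """Return every policy rule the candidate breaks; an empty list means it is acceptable."""
    failures = []
    if len(candidate) < 12:
        failures.append("must be at least 12 characters")
    if not (re.search(r"[A-Z]", candidate) and re.search(r"[a-z]", candidate)):
        failures.append("must mix upper-case and lower-case characters")
    if not re.search(r"[0-9]", candidate):
        failures.append("must contain at least one numerical character")
    # Non-alphanumeric character is only mandated for elevated-privilege accounts.
    if privileged and not re.search(r"[^A-Za-z0-9]", candidate):
        failures.append("elevated-privilege accounts must include a non-alphanumeric character")
    if candidate.lower() in COMMON_PASSWORDS:
        failures.append("is a commonly used password")
    if used_before(candidate, list(history)):
        failures.append("has been used before on this account")
    return failures
```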
Digital certificates
- Digital certificates may be used as an alternative to passwords to access IT systems and data in specific circumstances, including:
- secure login
- encrypted communications
- document signing.
- Certificates shall:
- have a defined validity period and require periodic renewal
- be issued by a trusted Certificate Authority (CA)
- be configured, managed, and maintained by University IT
- Users must:
- not share or transfer digital certificates to other users or third parties
- contact IT Support when certificates are no longer required to allow the certificate to be revoked
Multi-Factor Authentication (MFA)
- All new network user accounts will be enrolled and require MFA verification to be configured
- Users should set up more than one method to verify MFA requests
- MFA methods must be applied and maintained by users throughout the lifecycle of the user account
- A method of enabling temporary access to enable MFA methods to be reset must be provided by University IT. Users will be required to verify their identity before access to change MFA methods is granted
- Users must not approve MFA verification requests that they have not initiated
Policy exemptions
- The Chief Digital and Information Officer or their nominated delegate shall have the authority to agree to exceptions to the requirements of this policy.
Roles and responsibilities
The Chief Digital and Information Officer is the sponsor for this policy, and is responsible for approving the need to develop or substantively amend the policy, for presenting the final draft to the approving body and for ensuring that their policy-making documents comply with, and are monitored and reviewed in line with the Cardiff University Policy for the Development of Policy-making Documents.
The Chief Digital and Information Officer or nominated deputy has responsibility for ensuring that:
- the policy is applied appropriately
- the technologies, documentation and support required to implement the policy are in place
- exemptions to the policy are periodically reviewed for their continued applicability
All users have a responsibility for the security of their own passwords, digital certificates, and MFA authentication methods. They are also responsible for:
- reporting a potential disclosure of their own or any other users’ passwords
- providing personal data for the purposes of verifying their identity.
Monitoring and review
This policy shall be reviewed every three years, or as and when required.
Exceptions to this policy shall be reviewed annually to ensure that they remain applicable and appropriate.
Trends in breaches of password, MFA, or digital certificates shall be monitored by the Cyber Security Operations Group within University IT.
Breaches of this policy may be treated as a disciplinary matter, dealt with under the University’s staff disciplinary procedures or the student disciplinary procedures as appropriate.
Document control table
| Document title: | IT User Password and Authentication Policy |
|---|---|
| Author(s): | Owen Hadall, Director of IT, University IT. |
| Version number: | 1.0 |
| Date of next review: | July 2028 |