UBITName Password Policy

The University at Buffalo (UB, university) is committed to ensuring the confidentiality, integrity, and availability of its online information technology (IT) resources and information systems. Digital credentials are a fundamental component of the university's approach to information security. A UBIT digital credential is composed of a UBITName and its associated password. UBITName account holders must create strong passwords and protect password privacy to prevent and minimize compromised digital credentials.

A UBIT digital credential:

• Is classified as Category 1 - Restricted Data
• Must not be shared or disclosed
• Must be protected from unauthorized use
• For a group account, the digital credential may be shared or disclosed only with those who are authorized to access the group account

UBIT passwords must be:

• Unique to a person's UBITName account
• Different than the password used for any other account, including personal accounts not associated with the university
• Secure
  • Password guidance is available at Creating a Secure UBITName Password or Passphrase

Violators of this policy will be subject to the existing student or employee disciplinary procedures of the university. Sanctions may include loss of computing privileges. Illegal acts involving UB computing resources may also subject users to prosecution by state and federal authorities.

This policy establishes minimum standards for UBITName passwords. This policy applies individual accountability to the protection of university passwords.

UB relies on a digital credential to validate a person’s identity. This process enables authorized individuals to access online IT resources and information systems. A digital credential constitutes a first line of defense in protecting access to online IT resources and information systems.

Technical protective measures in response to violations of this policy, detection of UBIT digital credential compromise, or password exposure may include suspension, password-reset, disabling UBITNames, de-registration or removal from wired and wireless network access, and loss of access to systems or file shares with little or no notice. Reactivation or reinstatement may require coordination with the UBIT Help Center.

This policy applies to all individuals with customer accounts and system accounts in any university IT system capable of interfacing with university authentication systems.

Password

Consists of a string of letters, numbers, punctuation, spaces, and other characters. The term password and passphrase are often used interchangeably.

UBIT Digital Credential

Composed of both a UBITName and its associated password. A UBIT digital credential is classified as Category 1- Restricted Data.

• Is used to partially or fully validate (authenticate) identity in order to access online IT resources and information systems
• Provides full identity validation (authentication) for IT systems that do not require multi-factor authentication
• Used in conjunction with an additional factor, is required for full identity validation (authentication) for IT systems requiring multi-factor authentication

UBITName

University username used to log into a variety of campus services that require authentication or identify verification.

• Review compliance as specified in this policy on a periodic basis.

• Maintain a secure and complex university password in accordance with the guidance to Create a Secure UBITName and Password or Passphrase.
• Monitor activities performed with their UBITName and password.
• Do not share passwords.

• Oversee the implementation of information security and privacy policies.