Notices
NSC-040109: Hawk ID Password Controls, Phase 2
The second phase of the Hawk ID Password Controls implementation is underway for The University of Iowa. (The first phase, completed December ‘02, was to implement the single identity (“Hawk ID”) and password for login to enterprise computer services.) This second phase involves implementing consistent controls for password complexity and management across the entire University. These steps will improve user experience, reduce the likelihood of identity theft or misuse of personal information, decrease support effort, comply with federal regulations for the protection of personal health and financial records, and satisfy state and internal audit recommendations.
The following password rules will be implemented for all Hawk IDs. The goal is to make the rules consistent for all accounts in all units.
- New passwords must contain 2 alphabetic characters and 2 numeric characters, be at least 6 characters in length, cannot contain any 4 consecutive characters of the user name, Hawk ID, or current (old) password, and cannot match any of 10 previous passwords
- Old Passwords will expire every 180 days, but may be changed more often
- Hawk IDs will lock (become temporarily unusable) for 15 minutes if 5 incorrect passwords are attempted within a 15 minute interval
New Hawk ID Self-Service Password Tools are being provided to combine the reset tools into a single web interface which includes a new account unlock tool. The new tools have improved (contextual) password change error messages, and short tool demonstration clips are available. All users will need to enroll in the new tool, as the encrypted “secrets” from the old password reset tool are not transferable.
We are implementing an e-mail notification process to owners of Hawk ID accounts for which the password is nearing expiration (anticipated to be 10 days before a password expires). This service will provide a daily e-mail message to the account owner until the password is changed, which includes the Hawk ID, home location (“Domain”), password expiration date, instructions, a link to the self-service password change tool, and contact information for help.
Plans are to launch a campus user education and awareness campaign at the beginning of the spring term (January 20). We will officially announce and implement the new Hawk ID Self-Service Password Tools shortly thereafter, on February 1. This will include an encouragement to enroll in the new tool and change passwords. On March 1, we will begin the process of implementing password aging for those Hawk IDs that do not currently have expiration enabled. This process should be completed by April 1. (That is, groups of users will get the e-mail notification to change their password on different days over the course of the month. Any user who has changed their password in the last 6 months will NOT receive the messages.)
If you have any questions, please contact the IT Security Office at 335-6332, or email jane-drews@uiowa.edu.
As a department security support person, I encourage you to review and familiarize yourself with the new Hawk ID Self-Service Password Tools prior to their “official” implementation, so you can assist others later. See http://hawkid.uiowa.edu Please contact the ITS Help Desk at 384-4357 if you have any questions about use of the tools.