
University Passphrase Policy

Ohio University Information Technology Policy & Procedure. University Policy 91.004: Passphrases & Credentials


The following behaviors should be observed to reduce the risk that your credentials are compromised.

  1. Keep your credentials, secret questions, and their answers private and known only to you.
  2. Use unique credentials (username and password combination) for Ohio University that are different from those used with any other service or website.
  3. Your credentials are for your personal authentication to university resources, and should not be used as a means to provision services to other users.
  4. If you suspect that your credentials have been compromised, change your credentials and secret questions immediately and inform the information security office by e-mail to security@ohio.edu.


  • Credentials exist to ensure that the individual gaining access to university resources through an account is the same individual to whom the access was given.
  • Not all accounts carry the same level of risk.
  • The complexity requirements applied to an account's credentials will align with the risk that a compromise of that account would present to the university or community.

Information Systems Owners

  • It is the responsibility of the owner or manager of an information system to ensure that the system complies with this policy and its associated complexity requirements.
  • The recommended method is integrating with OIT authentication services and appropriately mapping individuals' accounts to the correct risk levels.
  • Prior to integrating, permission must be obtained from the university security officer and the chief information officer or their delegates.
  • If a separate user credential is issued, the service owner must instruct their users to use different credentials than are used with their OhioID.

Authentication Servers

  • University authentication services are limited to those run and maintained by the office of information technology.

It is the responsibility of the chief information officer or appointed delegate to ensure that the following are adhered to by all systems that perform authentication functions.

  1. Only those systems that are required and approved by the chief information officer or appointed delegate may store passwords in any form. Those that store passwords must store them in a cryptographically secure format, never in plaintext or in a reversible (decryptable) form.
  2. Authentication systems must encrypt passwords in transit at all times.
  3. Authentication systems must be housed in the university datacenter or another approved location.
  4. Authentication systems must be administered by OIT.
  5. Authentication systems must be hardened in accordance with NIST 800-123.
  6. Administrators accessing authentication systems must use an approved multi-factor authentication method.
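In practice, the "cryptographically secure format" of requirement 1 means a per-record random salt, a deliberately slow password hash, and a verification routine that compares in constant time. The following is an added example written for this page; it is not Ohio University's or OIT's code. The record layout, the choice of PBKDF2-HMAC-SHA256, the 600,000-iteration count (the current OWASP recommendation) and the sample account records are all assumptions. It also shows two checks an authentication system administrator would want: upgrading weak records at the next successful login, and auditing a credential store for entries that do not meet the requirement.

```python
"""Added example of policy-compliant password storage: salted, slow hashing,
constant-time verification, opportunistic rehash, and a store audit.
Not Ohio University / OIT code; all parameters below are assumptions."""
from __future__ import annotations

import base64
import hashlib
import hmac
import os

# Assumed parameters: PBKDF2-HMAC-SHA256 with OWASP's recommended iteration count.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32

# Lengths of bare hex digests that indicate an unsalted, fast (non-compliant) hash.
HEX_DIGEST_LENGTHS = {32: "unsalted MD5", 40: "unsalted SHA-1", 64: "unsalted SHA-256"}


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt>$<hash>.

    A fresh random salt per record means two users with the same password get
    different records, so a leaked table cannot be attacked with one rainbow table.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(digest)])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the record's own salt and iteration count and
    compare in constant time, so timing does not leak how many bytes matched.
    Any malformed record is treated as a failed verification, never an exception."""
    try:
        algorithm, iterations_str, salt_b64, digest_b64 = record.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations_str)
        if iterations < 1:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected))
    except ValueError:  # bad field count, non-integer count, bad base64, empty digest
        return False
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str) -> bool:
    """True when a stored record uses weaker parameters than current policy.
    The upgrade can only happen at a successful login, when the plaintext is available."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < ITERATIONS
    except ValueError:
        return True


def login(password: str, record: str) -> tuple[bool, str]:
    """Authenticate; on success return the (possibly upgraded) record to store back."""
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record):
        record = hash_password(password)
    return True, record


def classify_record(record: str) -> str:
    """Rough audit of one stored value against the storage requirement above."""
    if record.startswith(ALGORITHM + "$"):
        return "weak parameters" if needs_rehash(record) else "compliant"
    lowered = record.lower()
    if len(lowered) in HEX_DIGEST_LENGTHS and all(c in "0123456789abcdef" for c in lowered):
        return HEX_DIGEST_LENGTHS[len(lowered)] + " (no salt, fast hash)"
    return "plaintext or unrecognised format"


if __name__ == "__main__":
    # Constructed sample credential store for the demo; not real accounts.
    store = {
        "alice": hash_password("correct horse battery staple"),
        "bob": hash_password("hunter2", iterations=10_000),  # legacy record, weak count
        "carol": hashlib.md5(b"hunter2").hexdigest(),          # unsalted MD5 (non-compliant)
        "dave": "hunter2",                                     # plaintext (non-compliant)
    }
    for user, rec in store.items():
        print(f"{user:6} {classify_record(rec)}")
    ok, upgraded = login("hunter2", store["bob"])
    print("bob login:", ok, "| rehashed:", upgraded != store["bob"], "| now:", classify_record(upgraded))
```

The audit in `classify_record` is deliberately crude (it keys on digest length), but it is enough to flag the two failure modes that matter most when reviewing a legacy system for approval under requirement 1: plaintext and unsalted fast hashes.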


Proposed revisions of this policy should be reviewed by:

  1. University Data Stewards
  2. Information System Owners
  3. Information Technology Governance Council
  4. Information Technology Student Focus Group
  5. Classified Senate
  6. Administrative Senate
  7. Faculty Senate

Forms, References, and History

Forms

There are no forms that are specific to this policy.

References

The following items are relevant to this policy:

  1. Policy 93.001, "Data Classification."
  2. NIST SP 800-123 is available online at http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf.
  3. The Authentication Credentials Complexity Standard is available online, linked through https://www.ohio.edu/oit/security/standards.cfm.

History

Draft versions of this policy that were circulated for review, their cover memos, their forms, and reviewers' comments on them are available on the password-protected Review site, at https://www.ohio.edu/policy2/91-004/.

There have been no prior versions of this policy.