Standard for Account Passwords

Per ISO/IEC 27002, users should only be provided with access to the network and network services that they have been specifically authorized to use.  Where required, access to systems and applications should be controlled by a secure log-on procedure.  Password management systems should be interactive and should ensure quality passwords.

I.  Purpose

The purpose of this standard is to establish requirements for faculty, staff, students and other authorized users regarding passwords in order to protect individual and University information resources.  Adherence to this standard will help ensure that the University network and information systems are secure and available to all authorized users.

II.  Scope

The scope of this standard includes all UNC Charlotte faculty, staff, students and all authorized users who have or are responsible for an account on any system housing university information or that has access to the UNC Charlotte network.  Each user and/or system administrator on the UNC Charlotte network is required to implement the password requirements listed in this document.

III.  Contacts

Direct any general questions about this standard to your unit’s Information Security Liaison. If you have specific questions, please contact ITS Information Security Compliance at

IV.  Standard

All University-affiliated passwords should meet the requirements described below.  For additional guidance, see the UNC Charlotte Guideline for Passwords.

All passwords used must be strong passwords.  Passwords must be constructed using the following:

  • minimum of eight (8) characters in length
  • contains at least one character from each of the following four groups:
    • Lowercase letters
    • Uppercase letters
    • Numbers
    • Special character from this list      ! * + - /  _

Passwords must expire within an appropriate interval.  Campus defaults include:

  • 180 days for Students
  • 90 days for Faculty, Staff and authorized users

Password System Requirements

  • The system must enforce the use of individual user IDs and passwords to maintain accountability.
  • The system must allow users to select and change their own passwords and include a confirmation procedure to allow for input errors.
  • The system must not display passwords on the screen when being entered.
  • The system must store and transmit passwords in a protected form.

Special Accounts

For special accounts with elevated privileges (e.g., root, super user, system administrator), the same password standards are required along with additional security measures including regular audits of these accounts.

Related Resources

ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.

Revision History

Initially approved by Information Assurance Committee 9/04/14
Updated  11/05/15