IT SECURITY STANDARDS

Publish Date: 5/12/2021 
Effective Date: 6/1/2021 
Release: 1.0
Custodian: Penn Office of Information Security

1.1.1  A PennName has the following characteristics:

  • Length
    • A PennName has a minimum of two characters.
    • A PennName has a maximum of eight characters.
  • Alphabet
    • A PennName may contain the lowercase letters a through z.
    • A PennName may contain numerics 0 through 9.
    • No other characters are permitted.
  • Structure
    • The first character must be a letter (a through z); it may not be a digit.

2.1.1.1  Where password construction constraints permit, passwords should be constructed using the following criteria to be designated as "Strong Passwords":

  • 20 or more characters in length (passphrases) - constructed using any character class combination
  • 16 - 19 characters in length - must contain characters from at least 2 of the 4 character classes
  • 12 - 15 characters in length - must contain characters from at least 3 of the 4 character classes
  • 8 - 11 characters in length - must contain characters from at least 3 of the 4 character classes

where the four character classes are caps (upper-case letters), lower-case letters, numbers, and symbols. Passwords shorter than 8 characters do not qualify.

2.1.1.2  PennKey password complexity is established as follows (consistent with the preceding standard):

  • 20 or more characters in length (passphrases) - constructed using any character combination
  • 16 - 19 characters in length - must contain caps and lower-case letters
  • 12 - 15 characters in length - must contain caps, lower-case letters, and numbers
  • 8 - 11 characters in length - must contain caps, lower-case letters, numbers, and symbols
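The two tiers above are easy to misread as the same rule, so the following added example (not part of the Penn standard) implements both 2.1.1.1 (a minimum count of distinct classes per length tier) and 2.1.1.2 (specific classes required per length tier) side by side. The standard does not define "symbol"; the code assumes any character that is not an ASCII letter or digit, including a space, counts as one.

```python
import string

# Names for the four character classes used by the standard.
UPPER, LOWER, DIGIT, SYMBOL = "caps", "lower-case", "numbers", "symbols"


def character_classes(password: str) -> set:
    """Return the set of the four classes that appear in the password.

    Assumption (the standard does not define "symbol"): any character that is
    not an ASCII letter or digit counts as a symbol.
    """
    classes = set()
    for c in password:
        if c in string.ascii_uppercase:
            classes.add(UPPER)
        elif c in string.ascii_lowercase:
            classes.add(LOWER)
        elif c in string.digits:
            classes.add(DIGIT)
        else:
            classes.add(SYMBOL)
    return classes


def is_strong_password(password: str) -> bool:
    """2.1.1.1: each length tier requires a minimum number of distinct classes."""
    n = len(password)
    present = len(character_classes(password))
    if n >= 20:               # passphrase: any combination of classes
        return True
    if 16 <= n <= 19:
        return present >= 2
    if 8 <= n <= 15:          # the 12-15 and 8-11 tiers both require 3 of 4
        return present >= 3
    return False              # shorter than 8 characters never qualifies


def is_valid_pennkey_password(password: str) -> bool:
    """2.1.1.2: each length tier names the exact classes that must be present."""
    n = len(password)
    classes = character_classes(password)
    if n >= 20:
        return True
    if 16 <= n <= 19:
        required = {UPPER, LOWER}
    elif 12 <= n <= 15:
        required = {UPPER, LOWER, DIGIT}
    elif 8 <= n <= 11:
        required = {UPPER, LOWER, DIGIT, SYMBOL}
    else:
        return False
    return required <= classes   # every required class must be present
```

The difference between the two rules shows up at the short end: an 11-character password with caps, lower-case letters and numbers but no symbol satisfies 2.1.1.1 (3 of 4 classes) but fails the PennKey rule, which requires all four classes at that length.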

2.2 Multi-Factor Authentication

2.2.1  Multi-factor authentication requires at least one factor from each of the following categories:

  • Knowledge
    • Password that meets the requirements in the Password Complexity Standard; or
    • Passphrase (protecting a key or certificate) that meets the requirements in the Password Complexity Standard; or
    • Cryptographically secure evidence that a successful password or passphrase validation was already performed during the user's current session (e.g., a Kerberos ticket issued to the user's principal).
  • Possession
    Demonstration of possession of a tangible object known to be associated with the user by one of the following:
    • Confirmation of the successful exchange of secret codes (HOTP, HMAC-based One-Time Password, or TOTP, Time-based One-Time Password) between the device and the authenticating system at the time of user authentication; or
    • Continued use of a device that has already been confirmed to be in the user's possession, validated using secured persistent session tokens generated as evidence of possession of the device whenever it is confirmed or reconfirmed; or
    • Cryptographic key (e.g., SSH authentication key or X.509 public key client certificate).