501 Password Standards 5
Phone: 407.823.2711 • Fax: 407.882.9006 • Web: infosec.ucf.edu • Email: infosec@ucf.edu
Password system: A system that uses a password or passphrase to authenticate a person's
identity or to authorize a person's access to data and which consists of a means for performing
one or more of the following password operations: generation, distribution, entry, storage,
authentication, replacement, encryption and/or decryption of passwords.
Personal identifier: A data item associated with a specific individual which represents the
identity of that individual and may be known by other individuals.
Personal password: A password that is known by only one person and is used to authenticate
that person's identity.
Privileged Accounts: An account that allows special programs or elevated access to read and/or
change sensitive systems and/or data. “Administrator”, “Service”, and “Root” accounts fall into
this category.
Restricted data: Any confidential or personal data that are protected by law or policy and that
require the highest level of access control and security protection, both in storage and in transit.
There are two sub-classifications of restricted data:
Highly Restricted Data: Examples of highly restricted data are: a) an individual’s first
name or first initial and last name in combination with any one or more of the following
data elements for that individual: social security number, driver’s license or identification
card number, passport number, military identification number, or other similar number
issued on a government document used to verify identity, or financial account numbers;
b) user name (e.g., NID) or email address, in combination with a password or security
question and answer that would permit access to an online account; c) data concerning an
individual that is considered “nonpublic personal information” within the meaning of
Title V of the Gramm-Leach-Bliley Act of 1999 (Public Law 106-102, 11 Statute 1338)
(as amended) and its implementing regulations; and d) data concerning an individual that
is considered “protected health information” within the meaning of the Health Insurance
Portability and Accountability Act of 1996 (as amended) and its implementing
regulations, and the HITECH Act. Protection of such data may also be subject to
additional operating regulations in accordance with vendor or partner agreements, such as
the Payment Card Industry Data Security Standards.
Restricted Data: Restricted data include electronic information the unauthorized access,
modification, or loss of which could adversely affect the university (e.g., cause financial
loss or loss of confidence or public standing in the community), adversely affect a partner
(e.g., a business or agency working with the university), or adversely affect the public.
SIRT: Acronym for Security Incident Response Team. The website http://www.infosec.ucf.edu
contains additional information on the role of SIRT when responding to incidents.
Strong password: A password that is difficult to guess, is not in any dictionaries, contains upper
and lower case letters, and consists of eight or more characters including numbers and special
characters.