IDHUB | Password Policies Best Practices
  • 09 Aug 2023

Article Summary

To maintain a strong security posture, it is suggested that all user passwords follow the most appropriate restrictive policy based on their use and access of the system.

Best Practices for Passwords

To maintain a strong security posture, it is suggested for all passwords to follow the most appropriate restrictive policy.

Students

It is suggested to utilize less restrictive password policies for younger students and students with special needs. Our recommendation for student passwords:

  • K-3 →
    • QR Authentication: Generate a QR Code that is based on the user's ID and password. QR Authentication eliminates the need for a user to enter their username and password.
    • Pictograph: The student must select and remember a selection of icons to login. For younger children, this is much easier to use than a memorized secret (i.e. a password).
  • 4-8 → Passwords, using a combination of letters and numbers
  • 9-12 → Passwords, using a combination of uppercase letters, lowercase letters, numbers, and special characters.
Note

QR and Pictograph authentication methods are not recommended for older students or staff.

Staff

  • Passwords, using a combination of uppercase letters, lowercase letters, numbers, and special characters.
  • Use MFA or passwordless authentication policy.
  • Note that QR and Pictograph authentication methods are not recommended for older students or staff.

Other Options

  • Password Expiration: If desirable, you may configure a setting that will force users to update their password after a period of time. This is not recommended by NIST (See: SP 800-63B §5.1.1.2), but this may be required for compliance in legacy environments.
Note

All password policies must take into account all systems involved. Various target systems likely have different password policies and the decision you make about your RapidIdentity Cloud Password Policy must adhere to the strictest password policy.

Additional Resources: Microsoft Default Password Policy

Initial Password Policies in Identity Hub

The above concerns passwords created by end users. In Identity Hub, you may configure the initial password generated by the system when creating accounts for the first time. It is recommended that you allow the system to generate random passwords; however, you may opt to construct passwords based on attributes.

Note that constructing passwords based on attributes can make it easy for malicious actors, including other staff members and students, to guess the value for another user and thus access their account before they can. Using a randomly generated value avoids this problem.
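As an added illustration (not RapidIdentity's or Identity Hub's own code) of the grade-band policies above and of the randomly generated initial passwords recommended here, this Python example validates a password against a hypothetical policy table and generates a compliant initial password from the OS CSPRNG; the policy names and minimum lengths are assumptions, since the article does not specify them.

```python
import secrets
import string

# Character classes referred to by the grade-band recommendations in this article.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.?",
}

# Hypothetical policy table mirroring the article's tiers. Minimum lengths are
# assumed values for illustration; the article itself does not specify them.
POLICIES = {
    "grades_4_8": {"min_length": 8, "required": {"letters", "digit"}},
    "grades_9_12": {"min_length": 12, "required": {"upper", "lower", "digit", "special"}},
    "staff": {"min_length": 14, "required": {"upper", "lower", "digit", "special"}},
}


def classes_present(password: str) -> set:
    """Return the names of the character classes that appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def check_policy(password: str, policy_name: str) -> list:
    """Return a list of violations; an empty list means the password complies."""
    policy = POLICIES[policy_name]
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    present = classes_present(password)
    for required in policy["required"]:
        if required == "letters":  # either case satisfies "letters"
            if not present & {"upper", "lower"}:
                problems.append("missing letters")
        elif required not in present:
            problems.append(f"missing {required} character")
    return problems


def generate_initial_password(policy_name: str) -> str:
    """Random initial password from the OS CSPRNG that satisfies the named policy."""
    alphabet = "".join(CLASSES.values())
    length = POLICIES[policy_name]["min_length"]
    # Rejection sampling keeps the result uniform over compliant strings, unlike
    # schemes that force one character of each class into fixed positions.
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_policy(candidate, policy_name):
            return candidate
```

An attribute-derived value such as an initial plus surname plus graduation year would pass `check_policy` for the younger tiers yet be trivially guessable by anyone who knows the student, which is the point the paragraph above makes.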

Regardless of which initial password policy you select or create, you will need to provide your users with a process for accessing their account the first time. Here are our recommendations, which harmonize with the user selected password policies above:

Students

  • K-3 →
    • QR Authentication: Generate a random password.
    • Pictograph:
      • If passwords will be needed for target systems, the student will still need to remember a password for those systems. If so, generate a random password and allow initial access via a Claim Policy.
      • If passwords will not be synchronized to target systems, an attribute-based password may be acceptable as it will only be used the first time when setting up the pictograph options.
  • 4-12 → Generate a random password and allow initial access via a Claim Policy.

Staff

  • Generate a random password and allow initial access via a Claim Policy.