IA-5 Authenticator Management

Last Review: 10/2/22


WTAMU manages information system authenticators by defining initial authenticator content; establishing administrative procedures for initial authenticator distribution, for lost, compromised, or damaged authenticators, and for revoking authenticators; and changing default authenticators upon information system installation.


This Control applies to all West Texas A&M network information resources. The intended audience for this Control includes all information resource owners, custodians, and users of information resources.


Management of information system authenticators shall include:

  • Passwords shall be treated as confidential information.
    • If the confidentiality of a password is in doubt, the password shall be changed immediately.
    • If a password has been confirmed as compromised, the event shall be reported as a security incident.
  • Users must change default or assigned passwords where possible.
  • Passwords that must be transmitted shall be encrypted.
    • Temporary passwords that are transmitted for the sole purpose of establishing a new password or changing a password can be excepted from the requirement to encrypt, provided that it is a one-time transmission and that the user must change the password upon first logon.
    • Whenever possible, passwords should be stored as hashes instead of in plain text.
  • Forgotten passwords shall be replaced with a new password.
  • If a user requests a password change, the identity of the user must be verified before the password is changed.
    • The password must be changed to a temporary password. The user must change the temporary password at first logon.
  • All passwords shall be set to expire every 2 years.
  • All passwords should comply with the following complexity requirements:
    • Contains at least eight (12) characters.
    • Contains at least one of the following:
      • Uppercase letters (A, B, C).
      • Lowercase letters (a, b, c).
      • Numerals (1, 2, 3).
    • Is not a common word or name, or a close variation on a common word or name.
    • Is not one of your twenty-four (10) previously used passwords.
  • Passwords also cannot contain:
    • Spaces, ampersands (&), angle brackets (< >) or non-English characters.
    • Significant portions of your account name or full name.
    • Words or phrases associated with the University including but not limited to: buffs, buffaloes, maroon, west, texas.