Standard for Account Passwords

I. Purpose

The purpose of this standard is to establish requirements for faculty, staff, students and other authorized users regarding passwords in order to protect individual and University information resources. Adherence to this standard will help ensure that the University network and information systems are secure and available to all authorized users.

II. Scope

The scope of this standard includes all UNC Charlotte faculty, staff, students and all authorized users who have or are responsible for an account on any system housing university information or that has access to the UNC Charlotte network. Each user and/or system administrator on the UNC Charlotte network is required to implement the password requirements listed in this document.

III. Contacts

Direct any general questions about this standard to your unit’s Information Security Liaison. If you have specific questions, please contact OneIT Information Security Compliance at

IV. Standard

All University-affiliated passwords should meet the requirements described below. For additional guidance, see the UNC Charlotte Guideline for Account Passwords.

All passwords used must be strong passwords. Passwords must be constructed using the following:

  • minimum of eight (8) characters in length
  • contain at least one character from each of the following four groups:
    • Lowercase letters
    • Uppercase letters
    • Numbers
    • Special character from this list ! * + – / _

Passwords must expire within an appropriate interval. The default is 365 days for employees, students, and other authorized individuals, if multi-factor authentication is used. Without multi-factor authentication, the default is 90 days for employees and 180 days for students. Some exceptions may apply, based on the individual’s functional responsibilities.

Password System Requirements

  • The system must enforce the use of individual user IDs and passwords to maintain accountability.
  • The system must allow users to select and change their own passwords and include a confirmation procedure to allow for input errors.
  • The system must not display passwords on the screen when being entered.
  • The system must store and transmit passwords in a protected form.

Privileged Accounts

A privileged account has elevated permissions within a system that are significantly greater than those assigned to the majority of users. Privileged accounts should comply with the standard password requirements, expire every 90 days, and be audited at least annually.

Related Resources

ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.

Revision History

Initially approved by Information Assurance Committee 9/04/14
Updated 2/03/22