User Credentials (S-16)

Standard: S-16
Responsible Executive: Vice President for Information Technology and System Chief Information Officer
Responsible Office: Office of the Vice President for Information Technology
Date Issued: July 15, 2019
Date Last Revised: May 16, 2023


Individuals and Entities Affected by this Standard
Statement of Standard
Definitions (defined terms are capitalized throughout the document)
Related Documents, Forms and Tools
History and Updates


Clarification of Standard




ITaP Security and Policy



University students, faculty, staff and all other individuals or entities using IT Resources.


Purdue University uses access controls and other security measures to protect the confidentiality, integrity and availability of IT Resources and Information Assets. As part of these measures, Purdue University will assign, for identification and authentication purposes, a Purdue University identifier (PUID) number and User Credentials to each individual that has a business, research or educational need to access IT Resources. All users of IT Resources are responsible for taking appropriate steps, as outlined herein, to select and secure their User Credentials.


Passwords may be used only by the authorized user. Passwords and accounts may not be shared with anyone, including trusted friends or family members. Account owners will be held responsible for any actions performed using their accounts. Purdue University IT staff will never ask users to disclose their passwords for any reason.

Passwords for IT Resources must comply with the following standards:

  • Passwords must contain at least 1 letter.
  • Passwords must contain at least 1 number or punctuation mark.
  • Passwords must be between 8 and 16 characters long.
  • Passwords must contain more than 4 unique characters.
  • Passwords must not contain spaces.
  • Passwords must not contain easily guessed words (e.g., Purdue, itap or boiler).
  • Passwords must not contain your name or parts of your name (e.g., Chris or the letters "is" or "si" in Chris).
  • New passwords must be different from the previous password (re-use of the same password will not be allowed for one year).

Passwords should never be written down or stored electronically in plain text. In addition, passwords must not be inserted into email messages or other forms of electronic communication without the use of NIST (National Institute of Standards and Technology) approved encryption (see Related Documents, Forms and Tools section for link to NIST Approved Security Functions publication).

The use of group accounts for administrative purposes and shared passwords for those accounts should be minimized where technically feasible. In situations where group accounts for administrative purposes and shared passwords for those accounts are required (e.g., root or administrator accounts), the passwords used must follow the standards stated above.

Password Expiration

All passwords for User Credentials with access to IT Resources must be changed at least every 365 days.

University academic or business departments may also implement more stringent requirements, such as a 90-day password expiration, if there are special departmental circumstances that require a shorter password expiration cycle.

Passwords for group accounts must be changed every 90 days and immediately upon any personnel change within the group.

Multi-Factor Authentication PIN Requirements

A PIN used for IT Resources must be at least four characters long and should be created with the following best practices in mind:

  • A PIN should avoid easily guessed sequences such as 1234 or abcd.
  • If the PIN is numeric, it should not contain information identifying you, such as a Social Security Number (SSN), PUID number or other information publicly obtainable about you.
  • A PIN that contains both characters and numbers is alphanumeric.
    • If alphanumeric, a PIN should not contain easily guessed words.
    • If alphanumeric, a PIN should not contain your name or parts of your name, or information publicly obtainable about you (e.g., address, phone number, office number).
  • A changed PIN should be substantially different from the previous PIN.
  • A PIN should not be the same as any other PIN for University resources.
  • A PIN should be memorized.
  • In addition, MFA devices of all kinds (including tokens or devices using the MFA app) should be safeguarded at all times. If your MFA device has been lost or stolen, report it to immediately.

PIN Expiration

There is currently no requirement to change the PIN on an MFA device. However, the longer a PIN remains unchanged, the greater the risk of certain types of attacks. If you suspect compromise of a PIN, change the PIN immediately.

Compliance with User Credential Requirements

Unauthorized use of computer accounts is a violation of University policy and it may also be a violation of Indiana law.

If you suspect that one of your Purdue University User Credentials has been compromised (exposed to or in use by another party):

  1. Change your password and/or PIN immediately and
  2. Report the compromise by completing the online Security Incident Report Form.

Users of IT Resources must comply with this standard, expiry periods issued by the University in support of this standard and related standards, including the Authentication, Authorization and Access Controls (S-13) standard.

Additionally, users are responsible for safe handling and storage of all University passwords and MFA devices, such as tokens, ID cards and smartcards. The use of a password management solution that enforces approved encryption is considered an acceptable secure storage mechanism for passwords and PINs (see the Related Documents, Forms and Tools section for the NIST Approved Security Function publication).


Centralized and Departmental IT Units and IT Resource Owners (and designees)

  • Implement and support compliance with this standard and any related policies, standards and best practices for IT Resources within their areas of responsibility.
  • Establish additional guidelines, procedures or other requirements that exceed this standard, as necessary, to secure IT Resources.
  • Collaborate with IAMO to utilize centralized services.

IT Security and Policy Identity Access Management Office (IAMO)

  • Provide centralized services, consulting and guidance in implementing the requirements of this standard.
  • Implement, maintain and monitor availability and capacity of centralized identity services.

University students, faculty, staff and all other individuals or entities granted use of IT Resources

  • Comply with the requirements of this standard and any related policies, standards or security guidelines and procedures that may be issued by their departmental IT units and/or owners of the IT Resource(s) they access.


All defined terms are capitalized throughout the document. Additional defined terms may be found in the policy on Information Security and Privacy (VII.B.8) and in the central Policy Glossary.

IT Resource

See definition in the policy on Information Security and Privacy (VII.B.8)

Multi-factor Authentication
Multi-Factor Authentication (MFA), also referred to as two-step verification or two-factor authentication (TFA, 2FA), is a security mechanism that requires two types of credentials for authentication. It is designed to provide an additional layer of validation, minimizing security breaches. Typically, one is something you have, such as a physical token or software token on a mobile device, and the other is something you know, such as a PIN. The combination of the token and the PIN authenticates users to the system.

PIN
A personal identification number used as a security code for verifying your identity.

User Credentials
A computer or software user’s authentication information, typically a password, token or certificate in combination with a username.


This standard is issued in support of the policy on Information Security and Privacy (VII.B.8), as amended or superseded.

Authentication, Authorization and Access Controls (S-13)

NIST Approved Security Function for FIPS PUB 140-2 – Security Requirements for Cryptographic Modules


May 16, 2023: Removed references to BoilerKey.

March 13, 2020: Password requirements in Statement of Standard section updated.

July 15, 2019: This standard supersedes the User Credentials Standards dated October 13, 2008 (with revisions dated July 9, 2018) issued from the Identity and Access Management Office (IAMO).


There are no appendices to this standard.
