Any service which meets one or more of the following criteria must not send the authentication information (e.g., passwords) over the network in an insecure fashion:

• The server has a substantial number of active users.
• The server has a substantial number of service authentications daily.
• The system contains sensitive data or data that is critical to the business of the University.
• The system has had a serious security incident in the past.

In general, services which have more than twenty active users, more than one thousand authentications per day, have had a privileged account compromised, or which protect student records, patient data, human resources information, or other critical or sensitive data are subject to this policy and cannot allow unsecured authentications.

However, IT Security recommends that all authentications be secured even if the service is not covered by the policy requiring that the authentications be secured.

In some rare cases services which may otherwise fall under this policy but use a distinct authenticator (which is to say, they cannot share a password with a service that is covered by this policy) and are unimportant to University business may be eligible for an exemption to the policy. If you believe your service may qualify for such an exemption, please contact IT Security at security@uchicago.edu.

For authentications to be considered secure they should not be able to be reversed with modern computing technology in the amount of time for which they are valid.

If you have any questions as to whether or how this policy applies to your specific server or service is, please contact IT Security at security@uchicago.edu.