M4, Securing User Accounts

Information Security Standard

1. Introduction

2. Account Protection Requirements

  • 2.1 All User Accounts must be secured with:
  • 2.2 Where technically possible, UBC Systems must enforce password complexity rules in accordance with the Passphrase and Password Protection standard.
  • 2.3 Where technically possible, Servers and Software Applications must be protected by Multi‑Factor Authentication (MFA).
  • 2.4 Users who receive new accounts or who require a replacement password must be forced to set or change the password upon first login. Account activation or password reset links and temporary passwords must be transmitted to Users in a secure manner and expire as follows:

    §      Credential Change   Initiated by                         Link/Password Expiration   Examples
    2.4.1  Account Activation  Administrator or automated process   7 days                     New employees, sponsored guests, and prospective student accounts
    2.4.2  Account Activation  User (self-serve sign-up)            3 days                     New and prospective student accounts
    2.4.3  Password Recovery   User (self-serve)                    24 hours                   Applies to all Users
  • 2.5 Procedures must be established to verify the identity of a User prior to providing a new, replacement or temporary password for an account. Identification validation procedures must follow one of the following standard practices, listed in order of preference:
    • 2.5.1 MFA application push to the User’s Multi‑Factor Authentication Device (MFA Device) that must be approved by the User;
    • 2.5.2 Validation of the answers to three questions that were previously created by the User during account creation; or
    • 2.5.3 In-person visit by the User to present valid photo identification, preferably University or government-issued.
  • 2.6 Default vendor passwords must be changed following the installation of systems or software.

3. Authentication System Requirements

  • 3.1 Where possible, all User Accounts should be centrally controlled in the UBC Enterprise Active Directory, Enterprise LDAP, or Campus-wide Login.
  • 3.2 Authentication systems for User Accounts must be adequately protected from password cracking using at least one of the following methods:
    • 3.2.1 the account is locked for a period of time if the passphrase/password is entered incorrectly multiple times over a specified time period (for example, if an incorrect passphrase/password is entered 10 times within a 30 minute window, the account will be locked for 30 minutes); and/or
    • 3.2.2 each time an incorrect passphrase/password is entered, the system introduces a delay before providing the failure response; this delay increases as the failed login attempts continue but will reset once the User successfully logs in (for example, the delay period could begin at 100 milliseconds, and double after each subsequent failed login).
  • 3.3 Authentication systems must not store account passwords in clear text. Where possible, passwords should be stored using a strong cryptographic hash and salted; for further guidance see Salted Password Hashing – Doing it Right.
  • 3.4 Authenticated User sessions in Merchant Systems, and in all other systems where possible, must time out as follows:
    • 3.4.1 after a maximum session length of 12 hours; and
    • 3.4.2 where reasonable, after 30 minutes of User inactivity.
  • 3.5 After User session timeout, Users must reauthenticate to continue an existing session or establish a new session.
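The two password-cracking protections in 3.2 combined in one login throttle, as an added example that is not part of the UBC standard: 3.2.1 locks an account after ten failures inside a sliding 30 minute window, and 3.2.2 returns a failure delay that starts at 100 ms, doubles on each failure and resets on success. Time is passed in as seconds so the behaviour can be simulated without sleeping; the class, its method names and the per-user in-memory state are assumptions for illustration.

```python
from collections import deque

# Added example, not text from the UBC standard: a login throttle implementing
# 3.2.1 (lock the account after repeated failures inside a sliding window) and
# 3.2.2 (a failure-response delay that doubles on each failure and resets on
# success). `now` is a number of seconds supplied by the caller so the logic
# can be simulated deterministically; defaults are the figures in the standard.
class LoginThrottle:
    def __init__(self, max_failures=10, window=30 * 60,
                 lockout=30 * 60, base_delay=0.1):
        self.max_failures = max_failures   # 3.2.1: 10 bad attempts ...
        self.window = window               # ... within a 30 minute window ...
        self.lockout = lockout             # ... lock the account for 30 minutes
        self.base_delay = base_delay       # 3.2.2: first delay is 100 ms
        self._failures = {}                # user -> deque of failure timestamps
        self._locked_until = {}            # user -> time the lockout ends
        self._next_delay = {}              # user -> delay for the next failure

    def attempt(self, user, password_ok, now):
        """Record one login attempt at time `now` (seconds).

        Returns {"allowed": bool, "locked_for": seconds of lockout remaining
        (0 if not locked), "delay": seconds to wait before sending a failure
        response}. The caller sleeps for `delay` before answering, so the
        failure response is never faster than the throttle allows.
        """
        remaining = self._locked_until.get(user, 0) - now
        if remaining > 0:
            # A locked account rejects even a correct password (3.2.1).
            return {"allowed": False, "locked_for": remaining, "delay": 0}
        if password_ok:
            # Success clears the failure history and the escalating delay (3.2.2).
            self._failures.pop(user, None)
            self._next_delay.pop(user, None)
            return {"allowed": True, "locked_for": 0, "delay": 0}

        # Escalating delay: 100 ms, 200 ms, 400 ms, ... until the next success.
        delay = self._next_delay.get(user, self.base_delay)
        self._next_delay[user] = delay * 2

        # Sliding window: drop failures older than `window`, then count this one.
        recent = self._failures.setdefault(user, deque())
        while recent and recent[0] <= now - self.window:
            recent.popleft()
        recent.append(now)
        locked_for = 0
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            recent.clear()
            locked_for = self.lockout
        return {"allowed": False, "locked_for": locked_for, "delay": delay}
```

In a real deployment the state would live in a shared store rather than a process-local dict, and a successful login after a lockout expires behaves exactly as the standard requires: the lockout ends, and the delay resets only on that success.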

Related Documents and Resources

User Account Management standard

Policy SC14, Acceptable Use and Security of UBC Electronic Information and Systems

Passphrase and Password Protection standard

Standard Last Revised: 2022-01

Page last updated on January 23, 2026

