To protect the IT infrastructure, it is necessary that users only have access to those services and data that they are actually authorised to use (authorisation). The decisive factor here is to save the use of access data (userID and password).

These Terms of Use define a minimum standard. Additional regulations are permissible. 

Scope of application

These Terms of Use apply to access data issued or managed by the Zentraler Informatikdienst (ZID) of the University of Vienna as part of the IT services operated by the ZID (e.g. u:account UserID). The passwords are hereinafter referred to as ZID passwords.

Choose a secure password

A ZID password must be designed in such a way that it offers sufficient protection against expected attacks. A secure ZID password in this sense 

• is at least 10 characters long,
• contains at least 1 letter (a-z, A-Z) and 1 other character (digit and/or other character),
• is not identical to a UserID,
• is significantly different from other passwords (e.g. for social networks, web shops),
• is not used more than once, 
• is not easy to guess and
• is not included in common password lists.

These features are mandatory for all ZID passwords, but are not technically enforced in all systems. Additional features can be defined and publicised by the ZID if required (e.g. in the event of current threat scenarios).

Examples of secure ZID passwords are m.E.isdaeiguPw or Dw1B&Ak4x. (Do not use example passwords.) Non-compliant and insecure ZID passwords are, for example, character strings such as 1234567890 or qwertzuiop. 

The u:phone profiles managed by the ZID are exempt from the above requirements. For these, PINs with a minimum length of 6 characters are sufficient.

Do not share passwords

Personal ZID passwords must be kept secret, even from superiors, deputies, etc. They must also not be stored for use by third parties in an emergency (e.g. in the institute's safe).

ZID passwords for non-personal accounts (e.g. for service e-mail addresses) may only be passed on to authorised persons.

A password manager may be used if it  

• uses state of the art and
• cryptographically safe technology to
• protect passwords from third parties, including the operator.

Changing or blocking passwords

If there is reason to believe that a ZID password may have become known to third parties, a new password must be chosen immediately. 

In any case, the holder must choose a new ZID password that has not been used before:

• if a device on which a ZID password has been entered is lost,
• if such a device is compromised (e.g. by a virus),
• if the ZID password is disclosed (e.g. in response to a phishing attack) or
• 2 years after the last password change.

In addition, a new ZID password must always be chosen for a non-personal account if one of the authorised users loses authorisation.

Communication between the user and the ZID

The ZID never asks users for their password. 

Users should never provide the ZID with their ZID password on their own initiative. 

In the event of imminent danger, the ZID is authorised to temporarily or permanently block userIDs, passwords, IP addresses etc. The ZID Helpdesk must be contacted to remove these blocks.

Users are requested to support the ZID by helping to resolve any security incidents if necessary.

Use multi-factor authentication

If multi-factor authentication is available for a service, the ZID recommends using it. It is necessary to activate multi-factor authentication for some IT services in order to be able to use them. 

Authorised services

ZID passwords should only be entered in registration forms of systems operated by the ZID (e.g. web-based services such as u:space, webmail) or for local access (e.g. login at the workplace PC).

Services operated by other organisational units of the University of Vienna or by external service providers are not allowed to request or process ZID passwords. Instead, the ZID's web single sign-on must be used. The exact conditions for this can be obtained from the ZID. Alternatively, a separate account administration must be set up, which must be clearly recognisable as such.

Entry into force

Existing services or processes that do not yet comply with these requirements must be updated as soon as possible. 

In cases of doubt or interpretation, the IT Security staff unit shall clarify the current policy in the first instance and the CIO in the second and final instance.