
One Step Ahead: Changes in Password Policies Affecting Developers and System Administrators


Another tip in a series provided by the Offices of Information Security, Information Systems & Computing and Audit, Compliance & Privacy

The Information Technology Policy Committee (ITPC) is announcing some changes in password policies affecting developers and system administrators, effective September 1, 2027.

The updated policies are divided into two categories: interactive authentication and non-interactive authentication. While the interactive authentication policies remain largely unchanged, with one notable addition, the non-interactive authentication policies are entirely new. Summaries of both categories are provided below for your reference.

  1. Interactive Authentication: Devices and services that use passwords for authentication must be secured with strong passwords or passphrases. For those accessing “high-risk” data, strong authentication is mandatory. Passwords must be protected both in transit and at rest. Whenever possible, PennKey should be used for user authentication. If PennKey is not an option, the application must not store passwords in recoverable form: they must be cryptographically hashed with a salt according to industry standards, so that a copy of the password store does not yield the passwords themselves.
  2. Non-Interactive Authentication: This policy pertains to secrets used for non-interactive authentication, such as API credentials, SSH private keys, client keys, or passwords. These secrets must be encrypted both in transit and at rest whenever possible. Unencrypted secrets should never be hard-coded into the application’s source code or stored in the source code repository, except when the application handles only low-risk data. All application integration points must require authentication using a strong password, client certificate, SSH public key, or Kerberos principal, or an equally robust method.
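The two requirements above that developers most often get wrong are the salted password hash (item 1) and keeping secrets out of source (item 2). The following is an added example, not part of the ITPC policy text or of any Penn tool: `hash_password`/`verify_password` store a password as a salted scrypt hash with the parameters embedded in the stored string, and `find_hardcoded_secrets` is a minimal pre-commit style check that flags lines containing unencrypted secrets. The scrypt parameters, the regular expressions, and the sample source file are assumptions constructed for illustration; a production scanner would use a far broader ruleset.

```python
"""Added example (not part of the policy page): salted password hashing for
interactive authentication, and a simple source check for hard-coded secrets
used in non-interactive authentication."""
import base64
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# scrypt work factors: assumed illustrative values (16 MiB of memory), not
# prescribed by the policy. Raise them as hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$N$r$p$salt$hash'. A fresh random salt is drawn per
    password, so two users with the same password get different hashes."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the salt and parameters recorded in `stored`
    and compare in constant time. Malformed records verify as False."""
    try:
        alg, n, r, p, salt_b64, hash_b64 = stored.split("$")
        if alg != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(actual, expected)


# Patterns indicating an unencrypted secret committed to source.
# Constructed for illustration; real scanners carry hundreds of rules.
SECRET_PATTERNS = {
    "private key block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password assignment": re.compile(
        r"(?i)(?:password|passwd|pwd|api[_-]?key|secret)\w*\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}


def find_hardcoded_secrets(source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, rule name, stripped line) for each suspicious line.
    A value read from the environment or a secret store is not flagged."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, name, line.strip()))
    return hits


# Constructed sample source file; the AWS key id is the placeholder value
# used in AWS documentation, not a real credential.
SAMPLE_SOURCE = '''\
import os
DB_PASSWORD = "hunter2hunter2"          # hard-coded: flagged
API_KEY = os.environ["API_KEY"]         # read from the environment: not flagged
aws_key = "AKIAIOSFODNN7EXAMPLE"        # AWS documentation's example id: flagged
'''


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("correct password verifies:", verify_password("correct horse battery staple", record))
    print("wrong password verifies:", verify_password("Tr0ub4dor&3", record))
    for lineno, rule, text in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}: {text}")
```

Storing the parameters inside the record lets you raise the work factor later and rehash each user's password on their next successful login, and `hmac.compare_digest` avoids leaking the hash through comparison timing. For non-interactive secrets, the scanner is a backstop, not the control: the secret itself belongs in an environment variable or a secrets manager, with only the reference committed.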

For any questions, please contact Anita Gelburd, chair of ITPC, at gelburda@upenn.edu.

Resources:

Authentication and password changes for developers and system administrators: https://isc.upenn.edu/iam/authentication-password-changes-developers-sysadmins.

PennKey password length change from 8 to 16 characters: https://isc.upenn.edu/iam/pennkey-password-length-change.

---

For additional tips, see the One Step Ahead link on the Information Security website: https://isc.upenn.edu/security/news-alerts#One-Step-Ahead.
