ABC of Password Creation and Management
by CIRT Team
Nowadays the password is the most widely used authentication method for online operations, and it has become a must for secure access to most websites. A password policy is a set of rules that aims to improve computer security by motivating users to create dependable, secure passwords and then store and use them properly. A password policy is part of the official regulations of an organization and might be included as a section of security awareness training.
A password policy may have two parts, described below:
1. Password Creation:
• Agencies should implement a password policy enforcing either:
o a minimum password length of 16 characters with no complexity requirement or
o a minimum password length of ten characters, consisting of at least three of the following character sets:
– lowercase characters (a-z)
– uppercase characters (A-Z)
– digits (0-9)
– punctuation and special characters
• Passwords should be reasonably complex and difficult for unauthorized people to guess.
• A password should be unique, with meaning only to the person who chooses it. Dictionary words, common phrases and even names should be avoided. Pick a phrase, take its initials, replace some of those letters with numbers and other characters, and mix up the capitalization. For example, the phrase “This may be one way to remember your password sentence” can become “TmB0WTrYp$!”
• It should not contain any word spelled out completely.
• Users are not allowed to use common words, and passwords must never be based on personal information (e.g. user name, social security number, children’s names, pets’ names, hobbies, anniversary dates, etc.).
• Agencies must not use a numerical password (or personal identification number) as the sole method of authenticating a system user to access a system.
• Employees may not use a password for their company accounts that they are already using for a personal account.
• Different passwords are a must for all three levels: regular users, root and administrators.
• User accounts will be disabled temporarily after 3 failed login attempts.
• Besides a strong password, two-factor authentication should be enabled.
2. Password Management:
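As an added example (not the CIRT Team's own code), a small Python checker for the creation rules above: it accepts a password that is either 16+ characters, or 10+ characters drawn from at least three of the four listed character sets, and rejects passwords that spell out caller-supplied personal information or common words. The personal_info and blocklist inputs are assumptions supplied by the caller, and the sample passwords are constructed.

```python
import string

# The four character sets named in the creation policy.
CHARACTER_SETS = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "special": set(string.punctuation),
}

def character_sets_used(password):
    """Return the names of the policy's character sets present in the password."""
    chars = set(password)
    return {name for name, members in CHARACTER_SETS.items() if chars & members}

def check_password(password, personal_info=(), blocklist=()):
    """Check a candidate password against the creation rules.

    personal_info: strings tied to the user (user name, pet names, ...) that
    must not appear in the password (assumed to be supplied by the caller).
    blocklist: common or dictionary words that must not be spelled out.
    Returns a list of violations; an empty list means the password complies.
    """
    violations = []
    sets_used = character_sets_used(password)
    # Branch 1: at least 16 characters with no complexity requirement.
    # Branch 2: at least 10 characters using at least three of the four sets.
    long_simple = len(password) >= 16
    long_complex = len(password) >= 10 and len(sets_used) >= 3
    if not (long_simple or long_complex):
        violations.append(
            "must be at least 16 characters, or at least 10 characters using "
            f"3 of 4 character sets (has {len(password)} chars, "
            f"{len(sets_used)} sets)")
    lowered = password.lower()
    # Personal information must not appear in any letter case.
    for token in personal_info:
        if token and len(token) >= 3 and token.lower() in lowered:
            violations.append(f"contains personal information: {token!r}")
    # Common words must not be spelled out completely anywhere in the password.
    for word in blocklist:
        if word and word.lower() in lowered:
            violations.append(f"contains common word: {word!r}")
    return violations

if __name__ == "__main__":
    # Constructed sample passwords; the first is the page's own example.
    for pw in ["TmB0WTrYp$!", "correcthorsebattery", "Fluffy2019!", "abc123"]:
        result = check_password(pw, personal_info=["jsmith", "Fluffy"],
                                blocklist=["password", "welcome"])
        print(pw, "->", result or "OK")
```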
• All passwords must be changed regularly, with the frequency varying based on the sensitivity of the account in question. This requirement will be enforced using software when possible.
• Agencies should:
o ensure that passwords are changed at least every 90 days
o prevent system users from changing their password more than once a day
o check passwords for compliance with their password selection policy where the system cannot be configured to enforce complexity requirements
o force the system user to change an expired password on initial logon or if the password is reset
• If the security of a password is in doubt, for example if it appears that an unauthorized person has logged in to the account, the password must be changed immediately.
• Default passwords — such as those created for new employees when they start or those that protect new systems when they’re initially set up — must be changed as quickly as possible.
• Users may never share their passwords with anyone else in the company, including co-workers, managers, administrative assistants, IT staff members, etc. Everyone who needs access to a system will be given their own unique password.
• Employees may never share their passwords with any outside parties, including those claiming to be representatives of a business partner with a legitimate need to access a system.
• Employees should take steps to avoid phishing scams and other attempts by hackers to steal passwords and other sensitive information. All employees will receive training on how to recognize these attacks.
• Users must refrain from writing passwords down and keeping them at their workstations. See above for advice on creating memorable but secure passwords.
A password may follow the traditional guidelines yet still turn out to be a weak password. Users who can’t remember their strong passwords and end up writing them down or constantly having to reset them undermine the benefits of a strong password policy. Passwords are one piece of the security puzzle in the enterprise. Keeping user accounts secure takes a combination of a thorough process for strong password creation and an easy-to-use system that users can follow to keep those passwords safe.