Password Policy

Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of YOUR COMPANY’s entire corporate network. As such, all YOUR COMPANY employees (including contractors and vendors with access to YOUR COMPANY systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and changing them at a defined frequency.

This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any YOUR COMPANY facility, has access to the YOUR COMPANY network, or stores any non-public YOUR COMPANY information.

  1. Change all system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) at least quarterly.
  2. Make all production system-level passwords part of the YOUR COMPANY administered global password management database.
  3. Change all user-level passwords (e.g., email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
  4. User accounts that have system-level privileges granted through group memberships or programs such as «sudo» must use a password that is different from every other password held by that user.
  5. Do not insert passwords into email messages or other forms of electronic communication.
  6. Where using SNMP, define community strings as something other than the standard defaults of «public», «private», and «system» and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g., SNMPv2).
  7. All user-level and system-level passwords must conform to the guidelines below.

General Password Construction Guidelines

YOUR COMPANY uses passwords for various purposes. Some of the more common uses include: user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords that are only used once), everyone should be aware of how to select strong passwords.

Poor, weak passwords have the following characteristics:

  1. They contain fewer than eight characters.
  2. They are a word found in a dictionary (English or foreign).
  3. They are a common usage word.
  4. Names of family, pets, friends, co-workers, fantasy characters, etc.
  5. Computer terms and names, commands, sites, companies, hardware, software.
  6. The words «YOUR COMPANY», and geographical indicators such as «sanjose», «sanfran» or any derivation.
  7. Birthdays and other personal information such as addresses and phone numbers.
  8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
  9. Any of the above spelled backwards.
  10. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).

Strong passwords have the following characteristics:

  1. Contain both upper and lower case characters (e.g., a-z, A-Z).
  2. Include digits and punctuation characters as well as letters, e.g., 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./
  3. Are at least eight alphanumeric characters long.
  4. Are not a word in any language, slang, dialect, jargon, etc.
  5. Are not based on personal information, names of family, etc.
  6. Are never written down or stored on-line.

Create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: «This May Be One Way To Remember» and the password could be: «TmB1w2R!» or «Tmb1W>r~» or some variation.

NOTE: Do not use either of the preceding examples as passwords!
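As an added illustration (not part of the policy text), the checker below applies the construction guidelines above to a candidate password. The word list and keyboard rows are constructed stand-ins for the dictionaries a real deployment would load, and the «preceded or followed by a digit» rule is generalized to leading or trailing punctuation as well (e.g., «secret1!»).

```python
import string

# Constructed stand-in for the dictionary / common-word lists the policy names
# (English or foreign words, the company name, local place names).
WORDLIST = {"secret", "password", "welcome", "yourcompany", "sanjose", "sanfran"}

# Keyboard rows plus the digit row, for patterns such as qwerty or 123321.
KEY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "0123456789")

PUNCTUATION = set(string.punctuation)


def _variants(pw):
    """Forms the policy rejects: lower-cased, spelled backwards, and with
    leading/trailing digits (generalized here to punctuation too) stripped."""
    low = pw.lower()
    stripped = low.strip(string.digits + string.punctuation)
    return {low, low[::-1], stripped, stripped[::-1]} - {""}


def _is_pattern(s):
    """aaabbb, zyxwvuts, 123321: every adjacent pair is equal or one code point
    apart; qwerty: a slice of a keyboard row, forwards or backwards."""
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    if steps <= {-1, 0, 1}:
        return True
    return any(s in row or s in row[::-1] for row in KEY_ROWS)


def check_password(pw):
    """Return the list of guideline violations (empty list means it passes)."""
    problems = []
    if len(pw) < 8:
        problems.append("fewer than eight characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("missing upper- or lower-case letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    if not any(c in PUNCTUATION for c in pw):
        problems.append("no punctuation characters")
    variants = _variants(pw)
    if variants & WORDLIST:
        problems.append("based on a dictionary word (possibly reversed or with a digit added)")
    if any(_is_pattern(v) for v in variants):
        problems.append("word or number pattern such as qwerty or 123321")
    return problems


def is_acceptable(pw):
    return not check_password(pw)
```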

  1. Do not use the same password for YOUR COMPANY accounts as for other non-YOUR COMPANY access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various YOUR COMPANY access needs. For example, select one password for engineering systems and a separate password for IT systems. Also, select a separate password for an NT account and a UNIX account.
  2. Do not share YOUR COMPANY passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential YOUR COMPANY information.

Here is a list of «don’ts»:

  1. Don’t reveal a password to anyone over the phone.
  2. Don’t reveal a password in an email message.
  3. Don’t reveal a password to the boss.
  4. Don’t talk about a password in front of others.
  5. Don’t hint at the format of a password (e.g., «my family name»).
  6. Don’t reveal a password on questionnaires or security forms.
  7. Don’t share a password with family members.
  8. Don’t reveal a password to a co-worker when you go on vacation.
  9. Don’t write down a password and store it anywhere in your office.
  10. Don’t store passwords in a file on any computer, including a handheld computer, without encryption.
  11. Don’t use the «Remember Password» feature of an application such as Eudora, Outlook, or Netscape Messenger.

If someone demands a password, refer them to this document or have them call the Information Security Department.

If you suspect an account or password has been compromised, report the incident to YOUR COMPANY Information Systems department and change all passwords.

YOUR COMPANY or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.

Application developers must ensure that their programs contain the following security precautions:

  1. Applications should support authentication of individual users, not groups.
  2. Applications should not store passwords in clear text or in any easily reversible form.
  3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other’s password.
  4. Applications should support TACACS+, RADIUS, and/or X.509 with LDAP security retrieval wherever possible.

Control remote access to YOUR COMPANY networks using either one-time password authentication or a public/private key system with a strong passphrase.

Passphrases are not the same as passwords. A passphrase is a longer version of a password and is, therefore, more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all, and the private key, which is known only to the user. Without the passphrase to «unlock» the private key, the user cannot gain access.

A passphrase typically consists of multiple words, making it more secure against «dictionary attacks». A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: «The*?#>*@TrafficOnThe101Was*&#!#This.Morning»

All of the guidelines for creating strong passwords also apply to passphrases.

Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
