DH: NHS IG - User Guide to Passwords

User Guide to Passwords
Your initial password
All network user accounts must have a User ID and password. The password is used to
authenticate the identity of the person using an account as the authorised user. It also
prevents misuse by unauthorised users.
The Information Technology (IT) Department will issue every new network user with a
temporary password. You will have to change this password when you log on to the system for
the first time. This guide is designed to help you understand your responsibilities and the
importance of password security.
Don't share your password with others
Giving someone your password allows them to use your identity on the network. You will get
blamed for any misuse if someone has logged in using your ID. It is your responsibility to
ensure you do not share your password.
Films and television programmes tend to show hackers using sophisticated electronic
equipment to find people’s passwords (see below). However, these methods are generally
used to guess file passwords. Unauthorised users such as hackers will normally find out what
your user password is by asking you. The jargon term for this is social engineering. A
favourite ploy is to use an internal telephone, pose as a member of the IT
department, suggest there are network problems and ask you for your password so they can
test the system. Remember, an authorised IT or system supervisor can gain access to your
account (when authorised) without needing to know your password. If anyone phones for
your password, find out who they are and why they want it, refuse to give it and contact your
Information Security officer [add contact details] and the IT department as soon as possible.
Make passwords hard to guess
Passwords based on personal information - such as account name, your first or last name,
your initials etc. - are extremely easy to guess and should never be used. Spelling a name
backwards, nicknames, pet’s names, your birthday, the name of the place you live or your
hobby are all typical forms of password that are easily guessed, so don’t use them. People
also use words such as "guest", "password", "secret". Again, don’t use them. They are
examples of bad passwords and leave your account open to unauthorised access.
Hackers use password-cracking tools that incorporate extensive word and name dictionaries
(in various languages). For that reason you should never choose dictionary words or names.
The cracking tools will also check for simple tricks like words spelled backwards or simple
substitution of certain characters (e.g. "password" becomes "pa$$w0rd").
The best passwords are those based on pass phrases and/or non-dictionary words (including
"nonsense" words), combined with obscure character substitutions. These can be extremely
difficult to either guess or crack. Passwords that use numbers and letters are referred to as
alphanumeric and must be used for the network.
An example of a good password, O1u9a6t4 is a combination of the phrase “Once upon a
time” (based on the first letter of each word) and the year I started school (helping me to
remember a series of numbers). Note that the letters and numbers are interspersed. Always
choose something that relates to you so that you can remember it. Further examples of good
and bad passwords are included at the end of this guide.
Page 1 of 3 v1.2
Remember that passwords are case sensitive. Check the ‘Caps Lock’ key before typing a
new password. Passwords with upper case (CAPITAL) letters are not the same as ones with
lower case letters. For example, O1U9A6T4 and o1u9a6t4. If you have originally typed the
former you will not be able to use the latter.
Password size
Using the maximum number of characters greatly increases the complexity of guessing or
cracking passwords. You must use passwords that are at least eight characters long.
Change passwords regularly
A regular password change is necessary, since it prevents misuse of your account without
your knowledge if your password was somehow accidentally (or deliberately) disclosed.
The network is set up with ‘forced’ periodic password changes. Under this system you will
have to change your password after a given amount of time. You will not be able to use a
password you have used previously. Note that you do not have to wait until you are forced to
change your password. You can change it if you think it has been compromised or as often
as you like. Contact your IT department or system administrator to find out how you can
change your network and other passwords.
The IT Department may also tell you to change your password if there has been a general
security alert.
Use different passwords for different systems and applications
If your password is compromised on one system, using different passwords on different systems
will help prevent intruders from gaining access to your accounts and data on other systems. For
example, network and system managers should use different passwords for their personal account
and their privileged account. If the personal account password is accidentally revealed, the
privileged account is still protected. Similarly, you should use different passwords for your email
account and network logons.
If you do this make sure one password is not simply a derivative of another. While using multiple
passwords increases the difficulty of managing passwords, it results in significant increases in
security.
Don't leave passwords where others can find them
Don't leave your passwords written down in or on your desk or anywhere on or near the
computer equipment. If you absolutely must write down your passwords, keep them in a
secure, locked place.
Also, don't leave your passwords where others can find them electronically. Never store them
in a text file or send them in email.
Further Information
Further information can be obtained from [Officer, telephone number, email:
Address@trust.nhs.uk]
Examples of good and bad passwords
Bad passwords
today: This is just a dictionary word that is easily discovered with hacking software. It is also
only five characters long. Passwords should be at least eight characters long.
t1d2y: Here the digits 1 and 2 have been substituted for the vowels of the dictionary word
“today”. Again, hacking software is designed to look for this type of substitution.
today1: Here there is some attempt to mix letters and numbers. However, adding a number on to
the end of a dictionary word poses little problem to hackers.
Good passwords
t1o9d6a4y or t"o(d^a$y: Here the word (today) has been used and digits or special characters
have been included between each letter. The length of the password also makes it difficult to
guess or crack electronically.
1t9o6d4ay or "t(o^d$ay: This is even more secure than the previous example since the
password begins with a digit or special character.
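The rules this guide sets out (minimum length, letters mixed with digits or symbols, no personal details, no dictionary words even when reversed, character-substituted or padded with a trailing digit) can be enforced at the moment a password is chosen rather than left to the user. The checker below is an added example, not part of this guide or of any NHS system. Its word list is a small constructed stand-in for the multi-language dictionaries the guide mentions, and the function names (`check_password`, `is_acceptable`) and the identity parameters are assumptions. It treats every non-letter as a one-for-one wildcard, which generalises the "pa$$w0rd" and "t1d2y" cases to any single-character substitution, and it runs the guide's own good and bad examples through the rules.

```python
"""Password policy checker for the rules in the NHS password user guide.

Added example: not the guide's own code. DICTIONARY is constructed sample data;
a real checker would load full word and name lists in several languages.
"""
import re

MIN_LENGTH = 8  # the guide's minimum password length

# Constructed stand-in for the word/name dictionaries a cracking tool carries.
DICTIONARY = {
    "today", "password", "secret", "guest", "welcome", "letmein",
    "summer", "monday", "london",
}


def _skeleton(form):
    """Build a regex in which every non-letter is a single-character wildcard:
    't1d2y' becomes 't.d.y' and 'pa$$w0rd' becomes 'pa..w.rd'. This catches any
    one-for-one substitution, not just a fixed table of 0->o, $->s and so on."""
    return "".join(ch.lower() if ch.isalpha() else "." for ch in form)


def _looks_like_dictionary_word(password):
    """True if the password, or the password with leading/trailing digits and
    symbols removed, matches a dictionary word (forwards or spelled backwards)
    once character-for-character substitutions are treated as wildcards."""
    forms = {password, re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)}
    for form in forms:
        letters = sum(ch.isalpha() for ch in form)
        # Too few real letters and a wildcard match would be meaningless.
        if not form or letters * 2 < len(form):
            continue
        forward = re.compile(_skeleton(form))
        backward = re.compile(_skeleton(form[::-1]))
        for word in DICTIONARY:
            if len(word) == len(form) and (forward.fullmatch(word)
                                           or backward.fullmatch(word)):
                return True
    return False


def check_password(password, username="", first_name="", last_name=""):
    """Return the list of guide rules the password breaks; empty means it passes.
    The identity keyword arguments are an assumption of this example."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(ch.isalpha() for ch in password):
        problems.append("contains no letters")
    if not any(not ch.isalpha() for ch in password):
        problems.append("contains no digits or other non-letter characters")
    lowered = password.lower()
    for label, item in (("user ID", username), ("first name", first_name),
                        ("last name", last_name)):
        item = item.lower()
        if len(item) >= 3 and (item in lowered or item[::-1] in lowered):
            problems.append(f"contains your {label} (or it spelled backwards)")
    if _looks_like_dictionary_word(password):
        problems.append("is a dictionary word, possibly reversed, with characters "
                        "substituted, or with digits added at the start or end")
    return problems


def is_acceptable(password, **identity):
    """Convenience wrapper: True when no rule is broken."""
    return not check_password(password, **identity)


if __name__ == "__main__":
    # The guide's own examples, plus two constructed ones for the other rules.
    for candidate in ("today", "t1d2y", "today1", "pa$$w0rd", "drowssap",
                      "t1o9d6a4y", 't"o(d^a$y', "1t9o6d4ay", "O1u9a6t4"):
        verdict = check_password(candidate) or ["acceptable"]
        print(f"{candidate:12} {'; '.join(verdict)}")
    print(check_password("smithjohn9", username="jsmith",
                         first_name="John", last_name="Smith"))
```

The wildcard comparison is deliberately strict about length: a digit or symbol may replace a letter, but inserting characters between the letters (as in t1o9d6a4y) lengthens the word and no longer matches, which is exactly the distinction the guide draws between its bad and good examples.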