
Password Security Policy

Table of Contents
PASSWORD SECURITY POLICY: SAMPLE 1
PASSWORD SECURITY POLICY: SAMPLE 2
PASSWORD SECURITY POLICY: SAMPLE 3
Source: www.knowledgeleader.com
PASSWORD SECURITY POLICY: SAMPLE 1
Prepared By:
Approved By:
Revision Date:
Effective Date:
The following sample outlines a policy for ensuring secure use of network passwords. This policy guides initial
password setup, complexity, sharing, storage and many other topics.
FORCED CHANGE OF INITIAL PASSWORD
Users must change all system-generated passwords upon first login with that password. This applies both to
passwords that are attached to a new user account and passwords that have been reset by an administrator. The
system will require and prompt for changes upon first login.
DIFFICULT-TO-GUESS PASSWORDS REQUIRED
Users are required to choose passwords that are difficult to guess. Passwords must not be easily deducible words
or characters such as the user’s first or last name, spouse’s name, name of a pet, a sequence of numerals or
letters, or any word found in a standard English dictionary.
PASSWORDS MUST NEVER BE WRITTEN DOWN
Users must not write down or otherwise record their passwords in readable form near the system to which the
password pertains. For example, a user must not write his/her network password on a note and tape it to his/her
computer.
Passwords must also not be written down and left in a place where others might discover them. If a password
must be written down, it must be secured and far away from the system to which it pertains.
In general, users must choose passwords that are challenging for others to guess but easy for them to remember,
so users do not feel compelled to write down a password in order to remember it.
PASSWORD SHARING PROHIBITION
Passwords secure an individual account on the system. Each account must be used only by the individual
formally assigned to that account. Therefore, passwords must not be exchanged or shared.
DISPLAY AND PRINTING OF PASSWORDS
The display and printing of passwords must be masked, suppressed or otherwise obscured so that unauthorized
parties will not be able to observe or subsequently recover them.
ELECTRONIC STORAGE OF PASSWORDS IN READABLE FORM
Passwords must not be stored in plain text or in other readable forms in places where unauthorized parties might
recover them, including batch files, login scripts, computers without access control, terminal function keys or
software macros.
ENCRYPTION OF PASSWORDS
Passwords must always be encrypted when held in storage for any significant period of time or when transmitted
over networks. This prevents them from being disclosed to wiretappers, technical staff reading system logs and
other unauthorized parties.
USE OF SAME PASSWORD PROHIBITED
While the number of previous passwords retained for comparison depends on the computer system, users on all
systems are prohibited from reusing a password when prompted to change it by the system.
System administrators and other users with similar access privileges are prohibited from using the same
password on multiple systems.
SUSPECTED DISCLOSURE FORCES PASSWORD CHANGES
Users must promptly notify the service desk if they suspect or know that their password integrity has been
compromised. The password must be changed immediately.
PASSWORD SECURITY POLICY: SAMPLE 2
Prepared By:
Approved By:
Revision Date:
Effective Date:
The following sample outlines a set of policies and procedures governing the creation and use of user passwords
to protect Company X's computer systems.
PURPOSE
The purpose of this policy is to define the standard for creating strong passwords for all users. Password security,
password changes and other password rules help protect the Company X technology resources from harmful
acts.
SCOPE
The scope of this policy includes all users. Users are defined as anyone with authorized access to Company X
technology resources, including permanent and temporary employees or third-party personnel such as
temporaries, contractors, consultants and other parties with valid Company X access accounts.
System-level password usage is covered in the system, database and application administrator policy and falls
outside the scope of this policy.
POLICY
Passwords are an important aspect of computer security and are the front-line of protection for Company X user
accounts. A poorly chosen password may result in the compromise of the Company X global network. Users of
Company X technology resources are therefore responsible for taking appropriate steps in selecting and securing
their passwords.
DEFINITIONS
• Technology Resources: Technology resources are all computing, networking and software applications that can be accessed by authorized Company X users.
• User: Users are anyone with authorized access to Company X technology resources, including permanent and temporary employees or third-party personnel such as temporaries, contractors, consultants and other parties with valid Company X access accounts.
PROCEDURES
PASSWORD USE POLICY
User passwords are sensitive, confidential Company X information and must not be shared with others.
Passwords are the first line of protection against threats to network security, whether threats originate internally or
externally.
Minimum Password Length
Wherever the system or application can accommodate, passwords must be a minimum of eight characters in
length.
Minimum Password Age
Password age refers to the time during which a password must be used before a new password can be selected.
Where technically possible, the minimum password age at Company X is three days.
Password Expiration And History Management Policy
• The Company X standard expiration period is 90 days. User accounts are not set to nonexpire.
• Passwords must not be repeated within 12 generations.
Password Lockout Policy
• Users are locked out of their accounts after three failed login attempts. Failed login attempts are the result of attempting to log in using either a faulty login ID (username) or password.
• The lockout period remains in force for 30 minutes and the counter is reset after the 30-minute lockout interval.
Temporary Passwords
First-time Company X computer users (or those requiring a password reset) are given a temporary password that
must be changed immediately after the first login.
SECURE PASSWORD GUIDELINES
The following guidelines are valid throughout Company X to protect information and enhance the security of the
network:
• If accounts or passwords have been compromised, report the incident to technical support and change all passwords immediately.
• If an administrator requires that you log into a machine or service, use precaution so that passwords are not witnessed.
• Anyone demanding a password must be reported to technical support.
Recommended Strong Password Complexity
Company X recommends using the “strong password” complexity guidelines below. This helps ensure that all
systems, intellectual property and other sensitive data are afforded a proven level of protection. Strong passwords
have the following complex characteristics:
• Do not contain personal information (such as the names of family members, pets, hobbies, personal interests, etc.).
• Contain both upper (ABC) and lower (abc) case letters of the alphabet in any combination.
• Have at least one integer (0-9) and one special character (!@#$%^&*()_+|~ =\`{}[]:";'<>?,./) as well as both upper and lower case letters of the alphabet.
• Do not use whole words in any language (including slang, dialect, jargon, etc.).
Note: It is understood that not all applications running within Company X will accept the recommended level of
complexity. Users are advised to employ the maximum amount of strong password techniques that can be
accepted by the application being used.
Adopt Secure Password Habits
Poor or weak passwords are those with the highest probability of being guessed or cracked. Security risks can be
avoided by not:
• Using a single word found in a dictionary (English or foreign) as a password
• Choosing easily guessed words such as:
− Names of family, pets, friends, co-workers, fantasy characters, etc.
− Computer terms and names, commands, sites, companies, hardware or software
• Choosing words such as “company,” “newyork,” “sanfran” or any derivation
• Including birthdays or other personal information like addresses and phone numbers
• Using ordered patterns like aaabbb, qwerty, zyxwvuts, 123321 or the like
• Choosing passwords that contain any of the above spelled backward
• Using passwords that contain standard words preceded or followed by an integer (such as secret1, 1secret, etc.)
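The complexity guidelines and the secure password habits above describe what a compliant password looks like, but not how a system would enforce them at password-change time. The following Python checker is an added example, not part of the KnowledgeLeader samples: it applies the Sample 2 rules (minimum of eight characters, mixed case, a digit, one of the listed special characters, no dictionary word in either direction, which also catches the secret1 / 1secret forms, no personal information, and no keyboard, digit or alphabet sequences or repeated runs). The wordlist and the personal-information tokens are constructed sample data; a real deployment would load a full dictionary and the user's directory attributes.

```python
import re
import string
from typing import Iterable, List

MIN_LENGTH = 8
# Special characters accepted by the Sample 2 guideline (the printed set).
SPECIALS = set("!@#$%^&*()_+|~=\\`{}[]:\";'<>?,./")
# Constructed sample wordlist; a real deployment would load a full dictionary.
DICTIONARY = {"secret", "password", "company", "newyork", "sanfran", "welcome", "summer"}
# Sequences used to detect "ordered patterns" such as qwerty, 1234 and zyxwvuts.
SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", string.ascii_lowercase]


def has_ordered_pattern(pw: str, run: int = 3) -> bool:
    """True for repeated runs (aaabbb) or any `run`-long slice of a keyboard row,
    digit sequence or the alphabet, read forwards or backwards."""
    s = pw.lower()
    if re.search(r"(.)\1{2,}", s):          # three or more identical characters in a row
        return True
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if any(chunk in seq or chunk in seq[::-1] for seq in SEQUENCES):
            return True
    return False


def check_password(pw: str, personal_tokens: Iterable[str] = ()) -> List[str]:
    """Return the Sample 2 rules the candidate violates (an empty list means compliant)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")
    low = pw.lower()
    # A whole word, its reverse, and word+digit forms like secret1 / 1secret all
    # contain the word as a substring, so one containment test covers them.
    for word in sorted(DICTIONARY):
        if word in low or word[::-1] in low:
            problems.append(f"contains dictionary word {word!r} (or its reverse)")
            break
    # Personal information (names, pets, ...) supplied by the caller, e.g. from the directory.
    for tok in personal_tokens:
        t = tok.lower()
        if len(t) >= 3 and (t in low or t[::-1] in low):
            problems.append("contains personal information")
            break
    if has_ordered_pattern(pw):
        problems.append("contains a repeated or ordered pattern")
    return problems


if __name__ == "__main__":
    for candidate in ["Secret1!", "Qwerty123!", "Rover!Lives!2020", "Tq7#vzRm!Lp2"]:
        verdict = check_password(candidate, personal_tokens=("Rover",))
        print(candidate, "->", verdict or "compliant")
```

The run length of three makes the sequence test strict (any three-character slice of a keyboard row or the alphabet is rejected); raise `run` if that produces too many false rejections for the user population.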
PROHIBITED PASSWORD SECURITY ACTIVITIES
With the adoption of the guidelines mentioned in Section 2, Secure Password Guidelines, several practices are
considered potentially dangerous to the user’s system or entire network. Prohibited activities include:
• Revealing or sharing passwords over the phone to anyone, including people claiming to be from technical support, help desk or another official-sounding organization
• Sharing passwords with family members
• Revealing passwords in an email message
• Revealing passwords to an administrative supervisor
• Talking about passwords in front of others
• Inserting passwords into email messages or other forms of electronic communication
• Creating passwords at Company X that are the same as passwords used for personal accounts
• Hinting at the format of a password ("my family name")
• Revealing passwords on questionnaires or security forms
• Revealing passwords to co-workers while on vacation or a leave of absence
• Using the Remember Password feature within applications (those available in Eudora, Outlook Express, Internet Explorer or Netscape Messenger)
• Writing passwords down
• Storing passwords in a file on any computer system (including PDAs or similar devices) without using encryption methods
ENFORCEMENT
Network activities may be monitored and logged to ensure compliance with the rules established in this and other
ISS policies, procedures, standards and guidelines.
Any user found to have violated this policy may be subject to disciplinary action, including termination of
employment, legal action as appropriate or both. No provision of this policy will alter the at-will nature of the
employment relationship at Company X.
POLICY UPDATE AND NOTIFICATION
Company X reserves the right to revise the conditions of this policy at any time by giving notice via the information
security policy update procedure. Users are responsible for understanding or seeking clarification of any rules
outlined in this document and for familiarizing themselves with the most current version of this policy.
RELATED DOCUMENTS
• System, Database and Application Administrator Policy
• Exceptions and Non-Conformance Policy
• Policy Exceptions and Non-Conformance Standard
• Information Security Policy Update Procedure
PASSWORD SECURITY POLICY: SAMPLE 3
Version:
Date:
Authors:
Notes:
PURPOSE
The purpose of this password policy is to ensure that all Company X systems are properly secured and that
passwords are consistently applied.
SCOPE
Company X’s system environment must be configured consistently to provide the highest levels of security,
availability and integrity. This policy provides overall guidance for the consistent application of system passwords
in Company X’s system environment.
PASSWORD SECURITY
• Written passwords must never be publicly displayed or left in unsecured places.
• Password controls apply to all user accounts issued to individuals for access to Company X’s computing resources. These controls do not apply to special processing or system accounts not intended for interactive login. These controls are intended to be minimum standards. Additional levels of controls are not prohibited.
• Owners are responsible for ensuring that password rules are enforced by automated controls when available.
• Users are responsible for complying with password rules when automated controls are not available.
• Passwords must comply with the following:
− First-time passwords must be set to a unique value for each user and changed immediately after the first use.
− Passwords must be at least seven characters in length.
− Passwords must contain at least one letter and at least one number.
− Passwords must not match one of the last four passwords used.
− Passwords must be changed, and inactive user accounts must be removed, at least once every 90 days.
− A password must be in effect for at least one day before it can be changed.
− Account lockout occurs after six invalid login attempts within a 24-hour period.
− Account lockout duration must be set to 30 minutes or until an administrator enables the user ID.
− Re-entry of the password must be required after 15 minutes of idle time.
− Access for any terminated users must be immediately revoked.
Some systems attempt multiple authentications with each user login attempt. On these systems, technical
controls may be set to a higher number to reflect the actual number of user login attempts as accurately as
possible.
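The lifecycle rules in the Sample 3 list (history of four, one-day minimum age, 90-day expiry, six failures within 24 hours, 30-minute lockout or administrator unlock, temporary passwords changed at first use) and the lockout, history and minimum-age rules of Sample 2 (three failures, 30-minute lockout, 12 generations, three days) are one account state machine with different parameters, and Sample 1 additionally requires that stored passwords be protected. The following Python model is an added example and not the samples' own code: the `Policy` values come from the two samples, the `Account` class, the method names and the timestamps are constructed for illustration, and it stores salted PBKDF2 verifiers rather than recoverable ciphertext (an assumed design choice: a one-way verifier is the usual way the storage requirement is met, since nothing in the store can be turned back into the password). Time is passed in explicitly so the age, window and lockout arithmetic can be exercised without waiting.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DAY = 86_400  # seconds


@dataclass
class Policy:
    """Defaults are the Sample 3 values; SAMPLE2_POLICY below carries Sample 2's."""
    history_depth: int = 4                  # must not match one of the last four passwords
    min_age_s: int = 1 * DAY                # in effect at least one day before a change
    max_age_s: int = 90 * DAY               # changed at least once every 90 days
    max_failures: int = 6                   # lockout after six invalid attempts ...
    failure_window_s: Optional[int] = DAY   # ... within a 24-hour period (None = no window)
    lockout_s: int = 30 * 60                # lockout duration of 30 minutes


SAMPLE2_POLICY = Policy(history_depth=12, min_age_s=3 * DAY, max_failures=3,
                        failure_window_s=None)


def _verifier(pw: str, salt: bytes) -> bytes:
    # Salted, slow, one-way hash (assumed design choice): the stored value cannot
    # be reversed into the password, unlike an encrypted copy that can be decrypted.
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    policy: Policy = field(default_factory=Policy)
    verifiers: List[Tuple[bytes, bytes]] = field(default_factory=list)  # newest first
    changed_at: float = 0.0
    failures: List[float] = field(default_factory=list)  # timestamps of failed logins
    locked_until: float = 0.0
    must_change: bool = True                             # temporary password pending

    def _matches(self, pw: str, salt: bytes, digest: bytes) -> bool:
        return hmac.compare_digest(_verifier(pw, salt), digest)

    def set_password(self, new_pw: str, now: float, *, admin_reset: bool = False) -> Optional[str]:
        """Return None on success, otherwise the rule that blocked the change."""
        if self.verifiers and not admin_reset and not self.must_change:
            if now - self.changed_at < self.policy.min_age_s:
                return "minimum password age not reached"
        # History: the current password plus the previous (history_depth - 1) generations.
        for salt, digest in self.verifiers[: self.policy.history_depth]:
            if self._matches(new_pw, salt, digest):
                return "password reused from history"
        salt = os.urandom(16)
        self.verifiers.insert(0, (salt, _verifier(new_pw, salt)))
        del self.verifiers[self.policy.history_depth:]  # keep only what history needs
        self.changed_at = now
        self.must_change = admin_reset   # a help-desk reset issues a temporary password
        return None

    def login(self, pw: str, now: float) -> str:
        """Return 'ok', 'change-required', 'expired', 'locked' or 'bad-password'."""
        if now < self.locked_until:
            return "locked"
        if not self.verifiers:
            return "bad-password"
        salt, digest = self.verifiers[0]
        if not self._matches(pw, salt, digest):
            self._record_failure(now)
            return "locked" if now < self.locked_until else "bad-password"
        self.failures.clear()
        if self.must_change:
            return "change-required"
        if now - self.changed_at > self.policy.max_age_s:
            return "expired"
        return "ok"

    def _record_failure(self, now: float) -> None:
        window = self.policy.failure_window_s
        # Only failures inside the counting window (24 hours for Sample 3) accumulate.
        self.failures = [t for t in self.failures if window is None or now - t < window]
        self.failures.append(now)
        if len(self.failures) >= self.policy.max_failures:
            self.locked_until = now + self.policy.lockout_s
            self.failures.clear()   # the counter restarts after the lockout interval

    def admin_unlock(self) -> None:
        """An administrator may re-enable the user ID before the lockout expires."""
        self.locked_until = 0.0
        self.failures.clear()


if __name__ == "__main__":
    acct = Account()
    acct.set_password("Temp#Pass1", 0.0, admin_reset=True)
    print(acct.login("Temp#Pass1", 1.0))          # change-required
    print(acct.set_password("Temp#Pass1", 2.0))   # password reused from history
```

`failure_window_s=None` reproduces Sample 2, where every failure since the last successful login counts; with the Sample 3 default, failures older than 24 hours are forgotten before the count is taken.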
• Passwords must never be revealed to anyone, with two exceptions:
− Initial setup of user accounts
− During an incident-response investigation
• Address the control of adding, deleting and modifying user IDs in the data access and user authentication standard.
• Authenticate all access to any database containing cardholder data. This includes access by applications, administrators and all other users.
• Ensure that the owner reveals passwords for vendor-supplied user accounts or shared accounts only to those users with a legitimate need as determined by the owner.
• Individual user passwords may be revealed in an emergency; the user must change the password at the first opportunity immediately after.
• Change vendor-supplied passwords immediately upon completion of system installation. Any vendor-supplied accounts not needed for system operation should be deleted or disabled upon completion of installation.
• Enable accounts used by vendors for remote maintenance only during the period needed.
• Identify systems that are designed to require the use of a shared user account in such a manner that it is inappropriate to use an individual's account. For these systems, a special user account will be set up and it may be required that the password be shared. Users are strictly forbidden from using these special accounts or any vendor-supplied account for any purpose other than the system operation for which they are created.
• Ensure that individually assigned user account passwords are not stored electronically.
• Set passwords for all systems to (Need to Identify Current Process – Insert Name) for normal user-requested password resets performed by the help desk.
• Authenticate user-requested password resets. In the case of automated password reset systems, at least two predefined questions must be answered correctly. For help desk resets, the help desk will verify based on the requestor’s PIN. (What systems are we talking about?)
• Develop a procedure to communicate password procedures and policies to all users who have access to cardholder data.
• Ensure that service account passwords required for script or program execution are not stored electronically if a more secure option is reasonably available. If a password must be stored electronically in clear text for script or program execution, the file containing the password must be protected from unauthorized access using file permissions. Read permissions will be granted only to:
− Default system accounts
− Administrators
− Quality assurance
− Service accounts that execute the script or program