- Unique passwords shall be created and used by each individual for access to the system.
- As a best practice guide, passwords should be created in the following format:
• A minimum of 8 characters long.
• Not contain a dictionary word of more than 4 characters.
• Longer, complex passwords that include upper- and lowercase letters and numbers are encouraged.
- All passwords shall be protected to the same level as that afforded to the system or information that they provide access to.
- Users shall ensure that, if passwords are written down, they are stored securely.
- Users shall ensure that passwords are not shared with other users.
- Users shall ensure that passwords are never revealed to any other persons. This includes system administrators, security staff and management.
- If there is any indication that a password has been compromised that password shall be changed immediately.
- Systems shall be configured to ensure that passwords meet the required criteria (length, complexity, etc.) for that particular system.
- Systems shall be configured to ensure that passwords, if stored, are held in a secure format (i.e. encrypted).
- Systems shall be configured to ensure that, after a password has been entered incorrectly a specified number of times, the account is locked and can be unlocked or reset only through a system administrator process.
- Users should ensure that no password is simply a derivative of another.
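As an added illustration that is not part of the policy text, a small Python model of the requirements above: the format check from the best-practice list, a salted hash as the stored form (an assumption; the policy only says "encrypted", and a salted one-way hash is the usual way to meet it), and the lockout with administrator reset. The word list, the lockout threshold of 5 and the PBKDF2 parameters are assumed values.

```python
import hashlib
import hmac
import os
# Constructed stand-in for a real dictionary (assumption; a deployment would load a full list).
DICTIONARY = {"password", "summer", "welcome", "admin", "cat", "dog"}
MIN_LENGTH = 8
MAX_DICT_WORD_LEN = 4
LOCKOUT_THRESHOLD = 5  # assumed value; the policy leaves the count to each system

def policy_violations(password: str) -> list:
    """Rules the candidate breaks: minimum length, no dictionary word longer than 4 chars."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"fewer than {MIN_LENGTH} characters")
    lowered = password.lower()
    for word in sorted(DICTIONARY):
        if len(word) > MAX_DICT_WORD_LEN and word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    return problems

def is_complex(password: str) -> bool:  # encouraged by the policy, not mandated
    return all(any(f(c) for c in password) for f in (str.islower, str.isupper, str.isdigit))

def hash_password(password: str, salt: bytes) -> bytes:
    """Secure stored format: a salted PBKDF2 hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    """Locks after LOCKOUT_THRESHOLD wrong attempts; only admin_reset clears the lock."""
    def __init__(self, password: str):
        self.admin_reset(password)

    def admin_reset(self, new_password: str) -> None:
        problems = policy_violations(new_password)
        if problems:
            raise ValueError(problems)
        self.salt = os.urandom(16)
        self.digest = hash_password(new_password, self.salt)
        self.failures, self.locked = 0, False

    def login(self, attempt: str) -> bool:
        """Verify in constant time; count failures and lock at the threshold."""
        if self.locked:
            return False
        if hmac.compare_digest(hash_password(attempt, self.salt), self.digest):
            self.failures = 0
            return True
        self.failures += 1
        self.locked = self.failures >= LOCKOUT_THRESHOLD
        return False
```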