Developing an effective password policy

All employees and personnel with access to your computer systems should adhere to the password policies defined by your organization, in order to protect the confidentiality, integrity and availability of the information stored in your IT systems.

The Operations/IT Department must provide adequate protection and confidentiality for all corporate data and proprietary software systems, whether held centrally, on local storage media, or remotely, to ensure the continued availability of data and programs to all authorized members of staff and to ensure the integrity of all data and configuration controls.

Password Protection

  • Never write passwords down.
  • Never send a password through email.
  • Never include a password in a non-encrypted stored document.
  • Never tell anyone your password.
  • Never reveal your password over the telephone.
  • Never hint at the format of your password.
  • Never reveal or hint at your password on a form on the internet.
  • Never use your corporate or network password on an internet account that does not have a secure login, i.e. one where the web browser address starts with https:// rather than http://.
  • Never use your company email and password combination for any other purpose, including website logins, social media accounts and other third-party websites and applications.
  • Report any suspicion that your password has been compromised to your IT Department.
  • If anyone asks for your password, refer them to your IT Department.
  • Don’t use common acronyms as part of your password.
  • Don’t use common words, or the reverse spelling of words, as part of your password.
  • Don’t use names of people or places as part of your password.
  • Don’t use part of your login name in your password.
  • Don’t use easily remembered numbers such as phone numbers, social security numbers, or street addresses.
  • Be careful about letting someone see you type your password.

Password Requirements 

  • Use Multi-Factor Authentication (“MFA”) when available.
  • Passwords should use at least three of the following four kinds of characters:
    • Lowercase
    • Uppercase
    • Numbers
    • Special characters such as !@#$%^&*(){}[]
  • Don’t use dictionary words. Any real word is easy to guess: avoid words in any language, swear words, slang, names, nicknames and the like. Instead pick acronyms, mnemonics or random letters, insert non-alphabetic characters in the middle of a word, or replace letters with numbers (‘o’ with zero, ‘I’ with 1, ‘E’ with 3).
  • Password-protected screen savers will be enabled and must lock the computer within 15 minutes of user inactivity. Computers should not be left unattended with the user logged on and no password-protected screen saver active. Users should be in the habit of locking their computers whenever they step away: press CTRL-ALT-DEL and select “Lock Computer”.
  • Administrator passwords should be protected very carefully. Administrator accounts should have only the least access needed to complete their function, and they should never be shared.
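The composition and content rules above can be enforced at password-change time. The following Python checker is an added example, not part of the original post: the word list, the list of easily remembered numbers and the 12-character minimum are constructed assumptions (the policy itself states no minimum length), and a real deployment would load a full dictionary and a breached-password list instead.

```python
import re

# Constructed word list for this example; a real deployment would load a full
# dictionary and a breached-password list instead of a handful of entries.
COMMON_WORDS = {"password", "welcome", "summer", "company", "admin", "qwerty"}
# Constructed examples of easily remembered numbers (phone numbers, addresses, years).
EASY_NUMBERS = {"5551234", "1234", "2024"}

CHAR_CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "numbers": re.compile(r"[0-9]"),
    "special": re.compile(r"[!@#$%^&*(){}\[\]]"),
}

def _login_fragments(login, size=4):
    """Yield each short login-name token and every run of `size` characters in longer ones."""
    for token in re.split(r"[^a-z0-9]+", login.lower()):
        if len(token) <= size:
            if len(token) >= 3:
                yield token
            continue
        for i in range(len(token) - size + 1):
            yield token[i:i + size]

def check_password(password, login, min_length=12):  # min_length is an assumed value
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    used = [name for name, rx in CHAR_CLASSES.items() if rx.search(password)]
    if len(used) < 3:
        problems.append("uses fewer than three of the four character classes")
    lowered = password.lower()
    for word in sorted(COMMON_WORDS):           # forward and reverse spelling
        if word in lowered:
            problems.append(f"contains a common word: {word}")
        elif word[::-1] in lowered:
            problems.append(f"contains a common word spelled backwards: {word}")
    for number in sorted(EASY_NUMBERS):
        if number in password:
            problems.append(f"contains an easily remembered number: {number}")
    if any(fragment in lowered for fragment in _login_fragments(login)):
        problems.append("contains part of the login name")
    return problems

if __name__ == "__main__":
    for candidate in ("Welcome2024!!", "jsmith#Xq9", "drowssap!Q7xZ", "Xq7#tRv!mK2pL"):
        print(candidate, "->", check_password(candidate, "jsmith") or "OK")
```

Replacing letters with numbers is deliberately not undone by the word check, because the policy recommends that substitution as a way to avoid plain dictionary words.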
