APPENDIX D


Sample Information Assurance Policy for Passwords


This is a sample policy, based on one from NASA (www.nccs.nasa.gov/policies/passwd.html). It reflects the composition-and-rotation style of its era; more recent guidance (for example NIST SP 800-63B) favors length and screening against known-compromised passwords over forced periodic changes, so adapt the numbers below to your own risk assessment.

Password Policy

To remain in compliance with our information assurance policies, passwords on all computing systems must conform to the following standard:

      • A password is set to expire every 60 days. You are required, therefore, to change your password at least once every 60 days. (The 60-day period begins each time you change a password.)

      • A password must be at least 12 characters in length.

      • A password must contain all of the following:

         • Lowercase characters (a, b, c, and so on)

         • Uppercase characters (A, B, C, and so on)

         • Numerical characters (1, 2, 3, and so on)

         • Special characters (!, @, #, and so on)

        If the password has only one nonalphabetic character, that character must not be the first or last character in the password string.

      • A new password cannot be a password that you previously used during the past 24 password changes. (Our computing systems will reject a password previously used during the past 24 password changes.)

      • A new password must differ from the old password by at least three characters.

      • A new password cannot contain within it a person’s name or any word or abbreviation found in a dictionary.

      • A password can be changed only once during a 24-hour period.

When you change your password, the new password is automatically run through a password “cracker,” which tries the same dictionary words, names, and transformation rules an attacker would use. If the “cracker” can guess your attempted new password, the system rejects it and you will need to choose a different one.
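The checks above (length, character classes, the placement rule for a lone nonalphabetic character, dictionary and name screening, the 24-change history, the three-character difference from the old password, and the once-per-24-hours limit) can be encoded as a single change-time validator. The following is an added example written for this appendix, not code from NASA or from the policy's source. It assumes a change hook receives the old and new passwords in plaintext (as PAM-style change modules do), keeps history as salted PBKDF2 hashes rather than plaintext, and measures "differ by three characters" as Levenshtein edit distance; the word and name lists are constructed stand-ins for real dictionaries.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 12
HISTORY_DEPTH = 24
MIN_EDIT_DISTANCE = 3          # assumption: "differ by three characters" = edit distance
MIN_CHANGE_INTERVAL = 24 * 3600  # seconds; one change per 24-hour period
PBKDF2_ROUNDS = 200_000

# Constructed word and name lists for the example; a deployment loads real dictionaries.
DICTIONARY = {"password", "welcome", "orbit", "rocket", "spring", "admin"}
NAMES = {"alice", "bob", "carol", "hubble"}


def history_entry(password: str) -> tuple[bytes, bytes]:
    """Salted PBKDF2 hash to store for history checks (the plaintext is never kept)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def seen_before(password: str, history: list[tuple[bytes, bytes]]) -> bool:
    """True if the candidate matches any of the last HISTORY_DEPTH stored hashes."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance. Unlike a positional (Hamming) count, it catches the
    'rotate the string by one' trick, which a position-by-position comparison
    would score as completely different."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def composition_violations(pw: str) -> list[str]:
    """Rules that depend only on the new password itself."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    # A lone nonalphabetic character may not sit at either end of the string.
    non_alpha = [i for i, c in enumerate(pw) if not c.isalpha()]
    if len(non_alpha) == 1 and non_alpha[0] in (0, len(pw) - 1):
        problems.append("sole nonalphabetic character is first or last")
    # Substring match, case-insensitive; words under 4 letters are skipped (assumption)
    # because they would reject almost every string.
    lowered = pw.lower()
    hits = sorted(w for w in DICTIONARY | NAMES if len(w) >= 4 and w in lowered)
    if hits:
        problems.append("contains dictionary word or name: " + ", ".join(hits))
    return problems


def check_change(old: str, new: str, history: list[tuple[bytes, bytes]],
                 last_changed: float, now: float) -> list[str]:
    """All violations for a change request; an empty list means the change is accepted.
    last_changed and now are epoch seconds (0 for an account never changed)."""
    problems = composition_violations(new)
    if now - last_changed < MIN_CHANGE_INTERVAL:
        problems.append("password already changed within the last 24 hours")
    if edit_distance(old, new) < MIN_EDIT_DISTANCE:
        problems.append(f"differs from the old password by fewer than {MIN_EDIT_DISTANCE} characters")
    if seen_before(new, history):
        problems.append(f"used within the last {HISTORY_DEPTH} changes")
    return problems


if __name__ == "__main__":
    hist = [history_entry("Correct-Horse-9x")]
    print(check_change("Old-Pass-Word-1", "Old-Pass-Word-2", hist, 0, 10**6))
```

Two design points worth noting: the history comparison rehashes the candidate under each stored salt, which is what makes it safe to keep history at all, and the whole validator runs only at change time, because afterwards the system should hold nothing from which the old password can be recovered.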

We provide password locking services if users want to have their user IDs locked for an extended period of time. Users who want to avail themselves of this service should inform the User Services Group by telephone at (555) 867-5309 of any extended absences when they will not be using their user IDs. This precaution will help ensure the security of your user ID during your absence.

Password Expiration

A password will expire after 60 days. You will automatically be warned by electronic mail (e-mail) 14 and 7 days prior to the expiration of your password. If you fail to change your password before it expires, however, your user ID will automatically be disabled. Once your user ID has been disabled, any attempt to change your password will not succeed.

Any user ID that has been inactive for more than 30 days is disabled. New user IDs that remain unused after 30 days are also disabled. If you enter the wrong password five times in a row when trying to log in, your user ID will be disabled. If your password has expired, if you have forgotten your current password, or if your user ID has been disabled for one of the reasons outlined previously, you will need to contact the User Services Group by telephone at (555) 867-5309 to have a new temporary password issued for your user ID. (It is necessary to contact the User Services Group by telephone because our security policy does not permit the transmission of sensitive information, such as passwords, by fax, e-mail, or voice mail.)

If you want to know when your current password is going to expire, you may contact the User Services Group by telephone at (555) 867-5309.

Choosing an Effective Password

Because of the presence of resourceful hackers, you must be careful in choosing your password. The following recommendations should make it much more difficult for a hacker to break into your user ID.

      • Choose a password at least 12 characters in length. Older operating systems whose traditional DES-based crypt(3) silently used only the first 8 characters of a password effectively capped it at 8; this policy assumes systems that accept and check the full string. We require 12 characters because longer passwords are much harder to crack than shorter ones. Any password fewer than 12 characters long will be rejected.

      • Choose a password that is not a word or abbreviation in any dictionary, including foreign language dictionaries.

      • Choose a password with one or more special (in other words, nonalphabetic, nonnumeric) characters. If your password has only one nonalphabetic character, that character must not be the first or last character in the password string.

      • Choose a password with one or more numeric characters.

      • Choose a password with a mixture of uppercase and lowercase characters.

      • Avoid simple strategies such as prepending or appending a digit to a word or name. These are some of the easiest passwords to crack.

      • Avoid obvious keyboard patterns (such as QWERTY) or numbering schemes (such as 123).

      • Avoid passwords that are common to your work such as star identifiers, computer names, and the like.

      • Avoid names, especially names of family members, pets, or fictional characters from movies, books, or plays.

      • Avoid using personal information (such as your Social Security number, license plate number, telephone number, and so on) that may be easy to locate.

      • Finally, choose a password that you can easily remember. The use of a passphrase may be helpful. (Select a phrase known only by you and use the first or last letter of each word in the phrase as your password.) Be aware that some passphrases may generate a sequence of characters that will match a word or abbreviation in the dictionary. You may have to try several different passphrases to find one that the password “cracker” will accept.

Other Common Precautions to Protect a Password

Here are some other tips:

      • Use a different password wherever possible on the different computer systems to which you have access.

      • Never give your password to anyone: not a friend, not a coworker, no one. (This is a violation of our security policy as outlined in the organization’s Rules of Behavior. It is also a breach of our information assurance policy and may be punishable by law.)

      • Do not write down your password. (If, while choosing a new password, you must write it down, commit it to memory as soon as possible and destroy the materials on which it was written.)

      • If some of your code, scripts, or other procedures must contain a password, make sure that file is itself protected against being read (restrictive file permissions, and never checked into a shared repository).

      • Guard against exposing your password!
