

Passwords - Use and Best Practice

 

A string of characters input by a system user to substantiate their identity, and/or authority, and/or access rights, to the computer system that they wish to use. Passwords are central to all computer systems - even sophisticated systems employing fingerprints, voice recognition, or retinal scans.

Even having chosen an 'impossible to guess' password (see Passwords - Choosing), your management of that password will determine how effectively it safeguards access to the system under your user ID. The following best practice guidelines should be observed.

  • Passwords must never (ever) be written down. The moment they are committed to paper or to a document, discovery of that paper will invalidate other security measures. A potential hacker may also witness you consulting your password list and will then have a simple target: obtain the paper and not only will 'this' password be available, but possibly those to other systems, credit card PINs, your bank account and so on.
  • Passwords of key role holders - such as System and Network administrators - should be copied and held under dual control in a fire-resistant, secure location, to enable access to the system by an authorised person in the unavoidable absence of the password holder.
  • Passwords must be changed at regular intervals, and should be chosen privately by the individual users; and although often issued initially by the IT people, the password must be changed immediately.
  • Password changes must be forced if necessary by implementing an expiry period, after which a user's password will no longer be accepted and the next attempt to log on by that user will result in a security flash to the system console.
  • No sensible system would allow a 'user' to remain on-line for up to two weeks trying all possible combinations, and a lockout must be activated after a predetermined number of failed attempts or a fixed amount of time.
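The two enforcement controls in the list above (a password expiry period that raises a console alert, and a lockout after a set number of failed attempts) can be illustrated in code. The following is an added example written for this page; it is not part of the glossary or the RUsecure suite. The policy values (5 failed attempts, a 15-minute lockout, a 90-day expiry), the `Account` record, the function names and the in-memory `console_alerts` list are all assumptions chosen for the example; a real system would persist the account state and route alerts to its own console or SIEM.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy values for this example (not taken from the glossary).
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_DURATION = timedelta(minutes=15)
PASSWORD_EXPIRY = timedelta(days=90)
PBKDF2_ITERATIONS = 100_000

# Stand-in for the "system console" the glossary mentions: alerts are
# appended here so a test (or an operator) can inspect them.
console_alerts = []


@dataclass
class Account:
    user_id: str
    salt: bytes
    password_hash: bytes
    password_set_at: datetime
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so the stored value is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_account(user_id: str, password: str, now: datetime) -> Account:
    salt = os.urandom(16)
    return Account(user_id, salt, hash_password(password, salt), password_set_at=now)


def change_password(acct: Account, new_password: str, now: datetime) -> None:
    # A change resets the expiry clock; a fresh salt is used for the new hash.
    acct.salt = os.urandom(16)
    acct.password_hash = hash_password(new_password, acct.salt)
    acct.password_set_at = now
    acct.failed_attempts = 0


def attempt_login(acct: Account, password: str, now: datetime) -> str:
    """Return one of 'ok', 'failed', 'locked' or 'expired'."""
    # 1. Lockout: refuse every attempt while the lock is in force.
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return "locked"
        # Lock has expired: clear it and start counting afresh.
        acct.locked_until = None
        acct.failed_attempts = 0

    # 2. Verify the supplied password with a constant-time comparison.
    candidate = hash_password(password, acct.salt)
    if not hmac.compare_digest(candidate, acct.password_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_DURATION
            console_alerts.append(
                f"{now.isoformat()} LOCKOUT user={acct.user_id} "
                f"after {acct.failed_attempts} failed attempts"
            )
            return "locked"
        return "failed"

    # 3. Correct password: reset the counter, then enforce expiry.
    acct.failed_attempts = 0
    if now - acct.password_set_at > PASSWORD_EXPIRY:
        # The password is no longer accepted; flash the console as the policy requires.
        console_alerts.append(
            f"{now.isoformat()} EXPIRED user={acct.user_id} "
            f"password set {acct.password_set_at.isoformat()}"
        )
        return "expired"
    return "ok"
```

The time is passed in explicitly so the behaviour can be exercised deterministically: five wrong guesses in a row lock the account and raise a console alert, a correct password during the lockout is still refused, and a correct password presented after the expiry period is refused with its own alert until `change_password` is called.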


*** The Information Security Glossary ***



This Glossary forms part of the RUsecure Security Policy Suite... visit RUsecure Security Policy World
Use of the guidance contained within RUsecure™ is subject to the End User Licence Agreement
 Risk Associates: Resources for Security Risk Analysis, ISO 17799 / BS7799, Security Policies and Security Audit