Passwords - Use and Best Practice
A string of characters entered by a system user to substantiate their identity, authority, or access rights to the computer system they wish to use. Passwords are central to all computer systems, even sophisticated ones employing fingerprints, voice recognition, or retinal scans.
Even having chosen an 'impossible to guess' password (see Passwords - Choosing), how you manage that password will determine its effectiveness in safeguarding access to the system under your user ID. The following best practice guidelines should be observed.
- Passwords must never (ever) be written down. The moment a password is committed to paper or a document, discovery of that paper invalidates the other security measures. A potential hacker may also witness you retrieving the paper to review your password list, which then offers a simple target: obtain the paper and not only is 'this' password available, but possibly those for other systems, credit card PINs, and perhaps your bank account as well.
- Passwords of key role holders, such as system and network administrators, should be copied and held under dual control in a fire-resistant, secure location, so that an authorised person can access the system in the unavoidable absence of the password holder.
- Passwords must be changed at regular intervals and should be chosen privately by the individual user; although an initial password is often issued by the IT department, it must be changed immediately.
- Password changes must be forced where necessary by implementing an expiry period, after which the user's password is no longer accepted and that user's next attempt to log on results in a security flash to the system console.
- No sensible system would allow a 'user' to remain online for up to two weeks trying all possible combinations; a lockout must be activated after a predetermined number of failed attempts or a fixed amount of time.
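The last three guidelines (forced change of an issued password, an expiry period that raises a console alert, and lockout after repeated failures) describe one password-lifecycle policy. The following Python is an added illustration of how such a policy is enforced on the server side; it is not code from the glossary or from any particular product. The policy numbers (90-day expiry, five failed attempts, 15-minute lockout), the `Authenticator` class and its method names are all constructed for this example. Passwords are stored only as salted PBKDF2 digests, never in clear text.

```python
"""Added example: enforcing a password-lifecycle policy (forced initial change,
expiry with a console alert, and lockout after repeated failures).
All policy values below are constructed for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed policy values; a real deployment sets these from its own policy.
MAX_PASSWORD_AGE_SECONDS = 90 * 24 * 3600   # "changed at regular intervals"
MAX_FAILED_ATTEMPTS = 5                      # lockout threshold
LOCKOUT_SECONDS = 15 * 60                    # how long a locked account stays locked
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so the account store never holds the clear-text password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    changed_at: float          # time the current password was set
    must_change: bool = True   # True until the initially issued password is replaced
    failed_attempts: int = 0
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class Authenticator:
    """Holds accounts plus the 'security flash' messages raised for the system console."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.console_alerts: list[str] = []

    def create_account(self, user: str, initial_password: str, now: float) -> None:
        """Register an account with an issued initial password that must be changed."""
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, hash_password(initial_password, salt), now)

    def _matches(self, acct: Account, password: str) -> bool:
        # Constant-time comparison so timing does not reveal how many bytes matched.
        return hmac.compare_digest(acct.digest, hash_password(password, acct.salt))

    def login(self, user: str, password: str, now: float) -> str:
        """Return one of LOCKED, BAD_PASSWORD, MUST_CHANGE, EXPIRED or OK."""
        acct = self.accounts[user]
        if now < acct.locked_until:
            return "LOCKED"                   # refuse without even checking the password
        if not self._matches(acct, password):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failed_attempts = 0
                self.console_alerts.append(f"{user}: locked out after repeated failed attempts")
            return "BAD_PASSWORD"
        acct.failed_attempts = 0              # a good password resets the counter
        if acct.must_change:
            return "MUST_CHANGE"              # issued password is not usable for normal access
        if now - acct.changed_at > MAX_PASSWORD_AGE_SECONDS:
            # Expired password: no longer accepted, and the attempt is flashed to the console.
            self.console_alerts.append(f"{user}: expired password presented at log-on")
            return "EXPIRED"
        return "OK"

    def change_password(self, user: str, old_password: str, new_password: str, now: float) -> bool:
        """Replace the password; requires the current one and rejects a no-op change."""
        acct = self.accounts[user]
        if not self._matches(acct, old_password) or old_password == new_password:
            return False
        acct.salt = os.urandom(16)            # fresh salt for every new password
        acct.digest = hash_password(new_password, acct.salt)
        acct.changed_at = now
        acct.must_change = False
        return True


if __name__ == "__main__":
    auth = Authenticator()
    auth.create_account("alice", "issued-by-it", now=0.0)
    print(auth.login("alice", "issued-by-it", 10.0))          # MUST_CHANGE
    auth.change_password("alice", "issued-by-it", "chosen-privately", 10.0)
    print(auth.login("alice", "chosen-privately", 20.0))      # OK
    for _ in range(MAX_FAILED_ATTEMPTS):
        auth.login("alice", "wrong-guess", 30.0)
    print(auth.login("alice", "chosen-privately", 40.0))      # LOCKED
    print(auth.console_alerts)
```

Two design points worth noting: the lockout check runs before the password is verified, so a locked account cannot be used to keep testing guesses, and a successful log-on during the expiry window still resets the failure counter, which keeps a legitimate user's occasional typo from accumulating toward a lockout.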
*** The Information Security Glossary ***