Password Construction Guidelines
Free Use Disclaimer: This policy was created by or for the SANS Institute for the Internet community. All or parts of this policy can be freely used for your organization. There is no prior approval required. If you would like to contribute a new policy or updated version of this policy, please send email to policy-resources@sans.org.
Things to Consider: Please consult the Things to Consider FAQ for additional guidelines and suggestions for personalizing the policy for your organization.
Last Update Status: Updated June 2014
1. Overview
Passwords are a critical component of information security. Passwords serve to protect user accounts; however, a poorly constructed password may result in the compromise of individual systems, data, or the Cisco network. This guideline provides best practices for creating secure passwords.
2. Purpose
The purpose of this guideline is to provide best practices for the creation of strong passwords for University.
3. Scope
This guideline applies to employees, contractors, consultants, temporary and other workers at University, including all personnel affiliated with third parties. This guideline applies to all passwords including but not limited to user-level accounts, system-level accounts, web accounts, e-mail accounts, screen saver protection, voicemail, and local router logins.
4. Statement of Guidelines
All passwords should meet or exceed the following guidelines.
Strong passwords have the following characteristics:
· Contain at least 12 alphanumeric characters.
· Contain both upper and lower case letters.
· Contain at least one number (for example, 0-9).
· Contain at least one special character (for example, !$%^&*()_+|~-=\`{}[]:";'<>?,/).
Poor, or weak, passwords have the following characteristics:
· Contain less than eight characters.
· Can be found in a dictionary, including foreign language, or exist in a language slang, dialect, or jargon.
· Contain personal information such as birthdates, addresses, phone numbers, or names of family members, pets, friends, and fantasy characters.
· Contain work-related information such as building names, system commands, sites, companies, hardware, or software.
· Contain number or letter patterns such as aaabbb, qwerty, zyxwvuts, or 123321.
· Contain common words spelled backward, or preceded or followed by a number (for example, terces, secret1 or 1secret).
· Are some version of “Welcome123”, “Password123” or “Changeme123”.
You should never write down a password. Instead, try to create passwords that you can remember easily. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase "This May Be One Way To Remember" could become the password TmB1w2R! or another variation. (NOTE: Do not use either of these examples as passwords!)
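As an added example (not part of the SANS policy text), the following Python function checks a candidate password against the rules in this section: minimum length, character classes, repeated or keyboard or sequential patterns, and common words used plainly, reversed, or padded with numbers. The word list and keyboard-walk list are constructed placeholders; a real deployment would load a full dictionary and the organization's own names.

```python
import re

# Constructed demo word list; a real check would load a full dictionary
# (including foreign-language, slang and jargon entries) plus the organisation's
# own building, system, company and product names.
COMMON_WORDS = {"secret", "password", "welcome", "changeme", "university"}
KEYBOARD_WALKS = ("qwerty", "asdfgh", "zxcvbn", "qazwsx")   # constructed sample
SPECIALS = set("!$%^&*()_+|~-=\\`{}[]:\";'<>?,/")          # the guideline's list
MIN_LENGTH = 12                                             # the guideline's minimum


def _sequential(s: str) -> bool:
    """True if s has 3+ characters stepping by +1 or -1 (abc, 123, zyx, 321)."""
    codes = [ord(c) for c in s]
    for i in range(len(codes) - 2):
        step1, step2 = codes[i + 1] - codes[i], codes[i + 2] - codes[i + 1]
        if step1 == step2 and abs(step1) == 1:
            return True
    return False


def _dictionary_based(pw: str) -> bool:
    """Whole password is a common word, reversed, or padded with digits/symbols
    (catches secret1, 1secret, terces and the Welcome123 family)."""
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", pw.lower())
    return core in COMMON_WORDS or core[::-1] in COMMON_WORDS


def check_password(pw: str) -> list:
    """Return the guideline violations found; an empty list means it passes."""
    low = pw.lower()
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("needs both upper and lower case letters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs at least one number")
    if not any(c in SPECIALS for c in pw):
        problems.append("needs at least one special character")
    if re.search(r"(.)\1\1", low) or any(w in low for w in KEYBOARD_WALKS) or _sequential(low):
        problems.append("contains a repeated, keyboard or sequential pattern")
    if _dictionary_based(pw):
        problems.append("is a dictionary word, reversed or padded with numbers")
    return problems


if __name__ == "__main__":
    for candidate in ("TmB1w2R!", "Welcome123", "ThisMayBe1WayToRemember!"):
        print(candidate, "->", check_password(candidate) or "passes")
```

Running it shows that the section's own mnemonic example TmB1w2R! fails only the 12-character minimum, while the full phrase written out as ThisMayBe1WayToRemember! satisfies every rule.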
5. Policy Compliance
5.1 Compliance Measurement
The Infosec team will verify compliance to this policy through various methods, including but not limited to, periodic walk-thrus, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
5.2 Exceptions
Any exception to the policy must be approved by the Infosec team in advance.
5.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
6. Related Standards, Policies and Processes
None.
7. Definitions and Terms
None.
8. Revision History
Date of Change | Responsible | Summary of Change
June 2014 | SANS Policy Team | Separated out from the Password Policy and converted to new format.
Haya Al-Shareef.
This policy was retrieved from: https://www.sans.org/security-resources/policies/general#password-construction-guidelines
Please visit the website for more information about this risk and other interesting risk policies.
thank you for this information
all the best...
Reham asiri