सुरक्षित पासवर्ड सम्वन्धी अभ्यासहरु ।

1. Introduction

1.1 A secure password practices is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly. A secure password practices is often part of an organization's official regulations and may be taught as part of security awareness training. The secure password practices may either be advisory or mandated by technical means.

2. Overview

2.1 Passwords are an important aspect of computer and information security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of organization's entire corporate network. As such, all organization’s employees (including contractors, vendors and other external entities with access to organization systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

2.2 All employees that have access to organizational information systems must adhere to the password practices defined below in order to protect the security of the network, protect data integrity, and protect computer systems.

3. Purpose

3.1 The purpose of these practices is designed, to protect organizational resources on the network by requiring strong password, to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change. These practices may not hundred percent guarantees to secure the information system of the organization; however this practices will help to ensure only till the digital signature has not been introduced.

4. Scope

4.1 The scope of this practices includes all personnel who have or are responsible for an account (or any form of access that supports or

requires a password) on any system that resides at any organization facility, has access to the organization’s network, information system and or stores any non-public organization information. But practices are not limited to a domain account and e-mail account.

5. Password Practices

5.1 General password Practices

5.1.1 All system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) must be changed on at least a quarterly basis.

5.1.2 All production system-level passwords must be part of the Information Security administered global password management database.

5.1.3 All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every two months. The recommended change interval is every month.

5.1.4 User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.

5.1.5 Account lockout threshold - 4 failed login attempts.

5.1.6 Where SNMP (Simple Network Management Protocol) is used, the community strings must be defined as something other than the standard defaults of "public," "private" and "system" and must be different from the passwords used to log in interactively. A keyed hash must be used where available (e.g., SNMPv2).

5.1.7 All user-level and system-level passwords must conform to the guidelines described below.

5.1.8 Password history - Require a number of unique passwords before an old password may be reused. This number should be no less than 24.

5.1.9 Reset account lockout after - The time it takes between bad login attempts before the count of bad login attempts is cleared. The recommended value as of the date of writing this article is 20 minutes. This means if there are three bad attempts in 20 minutes, the account would be locked.

5.1.10 Account lockout duration - Some experts recommend that the administrator reset the account lockout so they are aware of possible break in attempts on the network. However this will cause a great deal

of additional help desk calls. Therefore depending on the situation, the account lockout should be between 30 minutes and 2 hours.

5.1.11 Password protected screen savers should be enabled and should protect the computer within 5 minutes of user inactivity. Computers should not be unattended with the user logged on and no password protected screen saver active. Users should be in the habit of not leaving their computers unlocked. They can press the CTRL-ALT-DEL keys and select "Lock Computer".

5.1.12 Rules that apply to passwords apply to passphrases which are used for public/private key authentication.

5.1.13 Do not use the "Remember Password" feature of applications (e.g., Eudora, Out-Look, Netscape Messenger, Internet explorer and other browsers).

5.1.14 Do not access your organization information system, where your password is required, from the public network especially from the cyber café.

5.2 A. General Password Construction Guidelines

5.2.1 Passwords are used for various purposes at <Company Name>. Some of the more common uses include: user level accounts, web accounts, email accounts, screen saver protection, voicemail password, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords which are only used once), everyone should be aware of how to select strong passwords. Passwords having the following characteristics are generally considered as weak password:

5.2.1.1 The password contains less than fifteen characters

5.2.1.2 The password is a word found in a dictionary (English or foreign)

5.2.1.3 The password is a common usage word such as:

5.2.1.3.1 Names of family, pets, friends, co-workers, fantasy characters, etc.

5.2.1.3.2 Computer terms and names, commands, sites, companies, hardware, software.

5.2.1.3.3 The words "<Company Name>", "sanjose", "sanfran" or any derivation.

5.2.1.3.4 Birthdays and other personal information such as addresses and phone numbers.

5.2.1.3.5 Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.

5.2.1.3.6 Any of the above spelled backwards.

5.2.1.3.7 Any of the above preceded or followed by a digit (e.g., secret1, 1secret)

5.2.2 Strong passwords have the following characteristics:

5.2.2.1 Contain both upper and lower case characters (e.g., a-z, A-Z)

5.2.2.2 Have digits and punctuation characters as well as letters e.g., 0-9, !@#$%^&*()_+|~- =\`{}[]:";'<>?,./)

5.2.2.3 Are at least fifteen alphanumeric characters long and is a passphrase (Ohmy1stubbedmyt0e).

5.2.2.4 Are not words in any language, slang, dialect, jargon, etc.

5.2.2.5 Are not based on personal information, names of family, etc.

5.2.2.6 Passwords should never be written down or stored on-line. Try to create passwords that can be easily remembered. One way to do this is create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation.

5.2.2.7 Passwords are case sensitive and the user name or login ID is not case sensitive.

5.2.3 Do not use either of these examples as passwords!

5.2.4 Creation of Password using phrase

5.2.4.1 Embed a word or part of a word within another.

5.2.4.2 Misspell a word deliberately especially if you use a word for part of your password.

5.2.4.3 Interleave two or more words.

5.2.4.4 Use a phrase that is personal to you and use the first, second, or third character in each word in each phrase. The Phrase can be a question and answer phrase. There can be several variants to this approach:

5.2.4.4.1 Use a phrase that has a number at the end of it.

5.2.4.4.2 After building the password, intermix the numbers and characters in a way that you can remember.

5.2.4.4.3 Put the answer part of the phase before the question.

5.2.4.4.4 Sometimes use capital letters, and sometimes use lower case letters. Use unusual capitalization in your phrase.

5.2.4.4.5 Use a numerical representation of the letters of the alphabet for part of your phrase or one word in your phrase. For example A is 1, B is 2, C is 3, etc.

5.2.4.4.6 Use punctuation or special characters in part of your phrase.

5.2.5 Some Examples

5.2.5.1 In these examples, threw in punctuation, usually at the end, but it could be applied at the beginning or in the case of passwords built with question/answer phrases, punctuation would work well in the middle.

5.2.5.1.1 Using a phrase with a number at the end of it. Example: My Favorite number is 333. Password: “MFNI333.” or “yaus333.” depending on whether the first or second character is used.

5.2.5.1.2 Using a phrase with a question and answer and numerical representation of the first letters of the answer. Example: My favorite song is “Dust in the Wind”. Password: “MFSI492023!”

5.2.5.1.3 Using a phrase with a question and answer and numerical representation of all the letters in the answer. Examples:

The name of my favorite grandchild is Tim. Password: “tnomfgi#20913".

The name of my favorite aunt is Lois. Password: “Tnomfai1215919”.

My aunt's name is Lois. Password: “%mani1215919”.

5.2.5.1.4 Using a phrase with a numerical representation of one word in the phrase. Example: Give me liberty or give me death. Password: “GML^1516gmd”.

5.2.5.1.5 Using a phrase with some punctuation or special characters. Example:

My aunt's name is Sita. Password: “m@n!S199201”.

My first college friend is Ram. Password: “mfcfir!18113".

5.2.5.2 In many of the above examples, it is easy to throw in punctuation such as a ? when part of your phrase may be a question. If your phrase involves numbers or you work with numbers regularly, $, %, and # may be easy to use in your password and still remember. If your phrase uses the word "and" or "or", you can substitute "&" or "|". Also you can split your password with "/" or "\".Also remember to use upper and lower case letters in different parts of your password in ways that are easy for you to recall.

6. Password Protection Standards

6.1 Do not use the same password for <Company Name> accounts as for other non-<Company Name> access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, don't use the same password for various <Company Name> access needs. For example, select one

password for the Engineering systems and a separate password for IT systems. Also, select a separate password to be used for an NT account and a UNIX account.

6.2 Do not share organization’s passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, confidential organization information.

6.3 Here is a list of "don'ts" and “never”:

6.3.1 Don't reveal a password over the phone to ANYONE

6.3.2 Don't reveal a password in an email message

6.3.3 Don't reveal or share a password even to the boss or family members or co-workers.

6.3.4 Don't talk about a password in front of others

6.3.5 Don't hint at the format of a password (e.g., "my family name")

6.3.6 Don't reveal a password on questionnaires or security forms

6.3.7 Don't use common words or reverse spelling of words in part of your password.

6.3.8 Don't use names of people or places as part of your password.

6.3.9 Don't use part of your login name in your password.

6.3.10 Don't use parts of numbers easily remembered such as phone numbers, social security numbers, or street addresses.

6.4 Here is a list of “never”:

6.4.1 Never share a user account and password

6.4.2 Never use the same password for more than one account

6.4.3 Never write down a password, however if you have written to remember then keep it in secure place where only your access will be granted.

6.4.4 Never include a password in a non-encrypted stored document.

6.4.5 Never use the “Remember Password” feature of application programs such as internet browser (Internet Explorer, Mozilla Firefox, Google Chrome, and Safari etc), your e-mail program, or any program.

6.4.6 Never use your corporate or network password on an account over the internet which does not have a secure login where the web browser address starts with https:// rather than http://

6.5 If someone demands a password, refer them to this document or have them call someone in the Information Security Department.

6.6 Again, do not write passwords down and store them anywhere in your office. Do not store passwords in a file on ANY computer system (including Palm Pilots or similar devices) without encryption.

6.7 Change passwords at least once every three months (except system-level passwords which must be changed monthly). The recommended change interval is every month.

6.8 If an account or password is suspected to have been compromised, report the incident to Information Security and change all passwords.

6.9 Password cracking or guessing may be performed on a periodic or random basis by Information Security or its delegates. If a password is guessed or cracked during one of these scans, the user will be required to change it.

7. Application Development Standards

7.1 Application developers must ensure their programs contain the following security precautions. The application:

7.1.1 Should support authentication of individual users, not groups.

7.1.2 Should not store passwords in clear text or in any easily reversible form.

7.1.3 Should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.

7.1.4 Should support TACACS+ , RADIUS and/or X.509 with LDAP security retrieval, wherever possible.

8. Use of Passwords and Passphrases for Remote Access Users

8.1 Access to the organization Networks via remote access is to be controlled using either a one-time password authentication or a public/private key system with a strong passphrase.

9. Passphrases

9.1 Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all, and the private key, that is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access.

9.2 Passphrases are not the same as passwords. A passphrase is a longer version of a password and is, therefore, more secure. A passphrase is

typically composed of multiple words. Because of this, a passphrase is more secure against "dictionary attacks."

9.3 A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. An example of a good passphrase: "The*?#>*@TrafficOnThe101Was*&#!#ThisMorning"

9.4 All of the rules above that apply to passwords apply to passphrases.

10. One time password

10.1 Presently, people are using one time password to secure their system and transaction. These passwords are available in USB tokens or in smart cards that are called OTP Smart Card Tokens or secure ID tokens. The password produced by tokens can be used only in one time, next time new password will be produced. The OTP password is more secured than the password generated and maintained by other techniques.

11. Enforcement

10.1 Any employee found to have violated this practices may be subject to disciplinary action.

प्रमाणीकरण नियन्त्रकको कार्यालय

विज्ञान तथा प्रविधि मन्त्रालय

सिंहदरवार काठमाण्डौ