1. Introduction
1.1 Secure password practices are a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly. Such practices are often part of an organization's official regulations and may be taught as part of security awareness training. They may either be advisory or mandated by technical means.
2. Overview
2.1 Passwords are an important aspect of computer and information security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of the organization's entire corporate network. As such, all of the organization's employees (including contractors, vendors and other external entities with access to organization systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
2.2 All employees who have access to organizational information systems must adhere to the password practices defined below in order to protect the security of the network, the integrity of data, and the computer systems themselves.
3. Purpose
3.1 The purpose of these practices is to protect organizational resources on the network by requiring strong passwords: to establish a standard for the creation of strong passwords, for the protection of those passwords, and for the frequency with which they are changed. These practices cannot guarantee the security of the organization's information systems; they will, however, help to secure them until digital signatures are introduced.
4. Scope
4.1 These practices apply to all personnel who have, or are responsible for, an account (or any form of access that supports or requires a password) on any system that resides at any organization facility, has access to the organization's network or information systems, or stores any non-public organization information. The practices are not limited to domain accounts and e-mail accounts.
5. Password Practices
5.1 General Password Practices
5.1.1 All system-level passwords (e.g., root, enable, NT admin,
application administration accounts, etc.) must be changed on at least a
quarterly basis.
5.1.2 All production system-level passwords must be part of the
Information Security administered global password management database.
5.1.3 All user-level passwords (e.g., email, web, desktop computer,
etc.) must be changed at least every two months. The recommended change
interval is every month.
5.1.4 User accounts that have system-level privileges granted through
group memberships or programs such as "sudo" must have a unique
password from all other accounts held by that user.
5.1.5 Account lockout threshold - 4 failed login attempts.
5.1.6 Where SNMP (Simple Network Management Protocol) is used, the
community strings must be defined as something other than the standard defaults
of "public," "private" and "system" and must be
different from the passwords used to log in interactively. A keyed hash must be
used where available (e.g., SNMPv2).
5.1.7 All user-level and system-level passwords must conform to the
guidelines described below.
5.1.8 Password history - Require a number of unique passwords before
an old password may be reused. This number should be no less than 24.
5.1.9 Reset account lockout after - The time between bad login attempts after which the count of bad login attempts is cleared. The recommended value as of the date of writing this article is 20 minutes. This means that if there are three bad attempts within 20 minutes, the account would be locked.
5.1.10 Account lockout duration - Some experts recommend that the administrator reset the account lockout manually, so that they are aware of possible break-in attempts on the network. However, this will cause a great many additional help desk calls. Therefore, depending on the situation, the account lockout duration should be between 30 minutes and 2 hours.
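The three lockout settings above (the four-attempt threshold of 5.1.5, the 20-minute reset window of 5.1.9 and the lockout duration of 5.1.10) combine into one small state machine per account. The Python below is an added example written for this page, not code from the policy or the organization. The class and function names are my own, the reset window is assumed to be measured from the most recent failed attempt, the lockout uses the policy's 30-minute lower bound, and timestamps are passed in explicitly so the behaviour can be checked without waiting.

```python
"""Account lockout state machine for settings 5.1.5, 5.1.9 and 5.1.10.
Added example for this page; not code from the policy or the organization."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional


@dataclass
class AccountState:
    failures: int = 0                         # bad attempts in the current window
    last_failure: Optional[datetime] = None   # when the most recent bad attempt happened
    locked_until: Optional[datetime] = None   # set while the account is locked


class LockoutPolicy:
    def __init__(self,
                 threshold: int = 4,                               # 5.1.5: lock on the 4th failure
                 reset_after: timedelta = timedelta(minutes=20),   # 5.1.9: quiet period that clears the count
                 lock_for: timedelta = timedelta(minutes=30)):     # 5.1.10: lower bound of the 30 min to 2 h range
        self.threshold = threshold
        self.reset_after = reset_after
        self.lock_for = lock_for
        self._accounts: Dict[str, AccountState] = {}

    def state(self, user: str) -> AccountState:
        return self._accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: datetime) -> bool:
        """True while a lockout is active; an expired lockout also clears the counter."""
        st = self.state(user)
        if st.locked_until is None:
            return False
        if now >= st.locked_until:
            self._accounts[user] = AccountState()
            return False
        return True

    def record_failure(self, user: str, now: datetime) -> bool:
        """Register a bad login attempt; returns True if the account is locked afterwards."""
        if self.is_locked(user, now):
            return True
        st = self.state(user)
        # Assumption: the reset window is measured from the most recent bad attempt.
        if st.last_failure is not None and now - st.last_failure > self.reset_after:
            st.failures = 0
        st.failures += 1
        st.last_failure = now
        if st.failures >= self.threshold:
            st.locked_until = now + self.lock_for
            return True
        return False

    def record_success(self, user: str, now: datetime) -> bool:
        """A correct password clears the counter but cannot bypass an active lockout.
        Returns True if the login is allowed."""
        if self.is_locked(user, now):
            return False
        self._accounts[user] = AccountState()
        return True


# Constructed timeline start used by the demo below.
T0 = datetime(2024, 1, 1, 9, 0)


def minutes_after(start: datetime, n: int) -> datetime:
    """Helper for scripted timelines: `start` plus n minutes."""
    return start + timedelta(minutes=n)


if __name__ == "__main__":
    policy = LockoutPolicy()
    for n in range(4):
        print(n + 1, "bad attempt(s), locked:", policy.record_failure("alice", minutes_after(T0, n)))
    print("still locked after 20 min:", policy.is_locked("alice", minutes_after(T0, 20)))
    print("locked after 34 min:", policy.is_locked("alice", minutes_after(T0, 34)))
```

A correct password submitted during the lockout is refused, which is the point of the duration setting: the lock is a delay on guessing, not a hint that the counter can be reset by the right guess.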
5.1.11 Password protected screen savers should be enabled and should protect the computer within 5 minutes of user inactivity. Computers should not be unattended with the user logged on and no password protected screen saver active. Users should be in the habit of not leaving their computers unlocked. They can press the CTRL-ALT-DEL keys and select "Lock Computer".
5.1.12 Rules that apply to passwords apply to passphrases which are
used for public/private key authentication.
5.1.13 Do not use the "Remember Password" feature of applications (e.g., Eudora, Outlook, Netscape Messenger, Internet Explorer and other browsers).
5.1.14 Do not access the organization's information systems, where your password is required, from public networks, especially from cyber cafés.
5.2 General Password Construction Guidelines
5.2.1 Passwords are used for various purposes at <Company Name>. Some of the more common uses include: user-level accounts, web accounts, email accounts, screen saver protection, voicemail passwords, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords which are only used once), everyone should be aware of how to select strong passwords. Passwords with the following characteristics are generally considered weak:
5.2.1.1 The password contains fewer than fifteen characters
5.2.1.2 The password is a word found in a dictionary (English or
foreign)
5.2.1.3 The password is a common usage word such as:
5.2.1.3.1 Names of family, pets, friends, co-workers, fantasy characters, etc.
5.2.1.3.2 Computer terms and names, commands, sites, companies,
hardware, software.
5.2.1.3.3 The words "<Company Name>",
"sanjose", "sanfran" or any derivation.
5.2.1.3.4 Birthdays and other personal information such as addresses
and phone numbers.
5.2.1.3.5 Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
5.2.1.3.6 Any of the above spelled backwards.
5.2.1.3.7 Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
5.2.2 Strong passwords have the following characteristics:
5.2.2.1 Contain both upper and lower case characters (e.g., a-z, A-Z)
5.2.2.2 Have digits and punctuation characters as well as letters
(e.g., 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)
5.2.2.3 Are at least fifteen alphanumeric characters long and form a passphrase (e.g., Ohmy1stubbedmyt0e).
5.2.2.4 Are not words in any language, slang, dialect, jargon, etc.
5.2.2.5 Are not based on personal information, names of family, etc.
5.2.2.6 Passwords should never be written down or stored online. Try to create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation.
5.2.2.7 Passwords are case sensitive; the user name or login ID is not case sensitive.
5.2.3 Do not use either of these examples as passwords!
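A policy is only as strong as the check that enforces it. The Python below turns the weak-password list in 5.2.1 and the strong-password characteristics in 5.2.2 into a function that returns every rule a candidate breaks. It is an added example written for this page, not code from the policy: the function names are my own, and the tiny dictionary, company-word and keyboard-pattern lists are constructed placeholders for the full word lists and user attributes a real deployment would load.

```python
"""Checks a candidate password against the construction rules in 5.2.1 and 5.2.2.
Added example for this page; not code from the policy. The word lists are constructed
placeholders, far smaller than what a real deployment would load."""
import string
from typing import Iterable, List, Set

MIN_LENGTH = 15                                                       # 5.2.1.1 and 5.2.2.3

DICTIONARY = {"secret", "password", "welcome", "liberty", "dragon"}   # stand-in for 5.2.1.2
COMPANY_WORDS = {"sanjose", "sanfran"}                                # stand-in for 5.2.1.3.3
KEYBOARD_PATTERNS = ("qwerty", "asdfgh", "zxcvbn", "qazwsx")          # 5.2.1.3.5


def has_run(s: str, n: int = 4) -> bool:
    """n consecutive characters that are identical, ascending or descending
    (aaaa, abcd, 4321, zyxw): the letter and number sequences of 5.2.1.3.5."""
    for i in range(len(s) - n + 1):
        window = s[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def has_repeat(s: str, n: int = 3) -> bool:
    """The same character n times in a row (aaabbb)."""
    return any(c * n in s for c in set(s))


def is_mirrored(s: str, n: int = 3) -> bool:
    """A block of n characters immediately followed by its mirror image (123321)."""
    return any(s[i:i + n] == s[i + n:i + 2 * n][::-1] for i in range(len(s) - 2 * n + 1))


def word_forms(pw: str) -> Set[str]:
    """Lower-case forms of pw that the weak-word rules are tested against: as typed, with
    one leading or trailing digit removed (5.2.1.3.7), and each of those reversed (5.2.1.3.6)."""
    low = pw.lower()
    forms = {low}
    if low[:1].isdigit():
        forms.add(low[1:])
    if low[-1:].isdigit():
        forms.add(low[:-1])
    return forms | {f[::-1] for f in forms}


def check_password(pw: str, personal: Iterable[str] = (), login: str = "") -> List[str]:
    """Return the rules `pw` breaks (empty list = acceptable). `personal` holds the user's
    family, pet and similar names (5.2.1.3.1); `login` is the account name (6.3.9)."""
    broken: List[str] = []
    if len(pw) < MIN_LENGTH:
        broken.append("5.2.1.1: fewer than fifteen characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        broken.append("5.2.2.1: needs both upper and lower case letters")
    if not any(c.isdigit() for c in pw):
        broken.append("5.2.2.2: needs a digit")
    if not any(c in string.punctuation for c in pw):
        broken.append("5.2.2.2: needs a punctuation character")
    weak = DICTIONARY | COMPANY_WORDS | {p.lower() for p in personal if p}
    if any(w in form for form in word_forms(pw) for w in weak):
        broken.append("5.2.1.2/5.2.1.3: contains a dictionary, company or personal word "
                      "(also checked reversed and with a digit added)")
    low = pw.lower()
    if (has_run(low) or has_repeat(low) or is_mirrored(low)
            or any(k in low for k in KEYBOARD_PATTERNS)):
        broken.append("5.2.1.3.5: contains a keyboard, letter or number pattern")
    if login and login.lower() in low:
        broken.append("6.3.9: contains part of the login name")
    return broken


if __name__ == "__main__":
    for candidate in ("secret1", "Ohmy1stubbedmyt0e", "Ohmy1stubbedmyt0e!"):
        print(repr(candidate), "->", check_password(candidate) or "accepted")
```

One thing the checker makes visible: 5.2.2.2 asks for punctuation while the sample passphrase in 5.2.2.3, Ohmy1stubbedmyt0e, contains none, so the sample fails the rule set as written and passes only once a punctuation character is appended. Whoever deploys an automated check has to decide which of the two rules wins.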
5.2.4 Creating a Password from a Phrase
5.2.4.1 Embed a word or part of a word within another.
5.2.4.2 Misspell a word deliberately especially if you use a word for
part of your password.
5.2.4.3 Interleave two or more words.
5.2.4.4 Use a phrase that is personal to you and take the first, second, or third character of each word in the phrase. The phrase can be a question-and-answer phrase. There can be several variants of this approach:
5.2.4.4.1 Use a phrase that has a number at the end of it.
5.2.4.4.2 After building the password, intermix the numbers and
characters in a way that you can remember.
5.2.4.4.3 Put the answer part of the phrase before the question.
5.2.4.4.4 Sometimes use capital letters, and sometimes use lower case
letters. Use unusual capitalization in your phrase.
5.2.4.4.5 Use a numerical representation of the letters of the
alphabet for part of your phrase or one word in your phrase. For example A is
1, B is 2, C is 3, etc.
5.2.4.4.6 Use punctuation or special characters in part of your phrase.
5.2.5 Some Examples
5.2.5.1 In these examples, punctuation is thrown in, usually at the end, but it could be applied at the beginning or, in the case of passwords built with question/answer phrases, in the middle.
5.2.5.1.1 Using a phrase with a number at the end of it. Example: My
Favorite number is 333. Password: “MFNI333.” or “yaus333.” depending on whether
the first or second character is used.
5.2.5.1.2 Using a phrase with a question and answer and numerical
representation of the first letters of the answer. Example: My favorite song is
“Dust in the Wind”. Password: “MFSI492023!”
5.2.5.1.3 Using a phrase with a question and answer and numerical representation of all the letters in the answer. Examples:
The name of my favorite grandchild is Tim. Password: “tnomfgi#20913”.
The name of my favorite aunt is Lois. Password: “Tnomfai1215919”.
My aunt's name is Lois. Password: “%mani1215919”.
5.2.5.1.4 Using a phrase with a numerical representation of one word in the phrase. Example: Give me liberty or give me death. Password: “GML^1516gmd”.
5.2.5.1.5 Using a phrase with some punctuation or special characters. Examples:
My aunt's name is Sita. Password: “m@n!S199201”.
My first college friend is Ram. Password: “mfcfir!18113”.
5.2.5.2 In many of the above examples, it is easy to throw in punctuation such as a "?" when part of your phrase is a question. If your phrase involves numbers or you work with numbers regularly, "$", "%" and "#" may be easy to use in your password and still remember. If your phrase uses the word "and" or "or", you can substitute "&" or "|". You can also split your password with "/" or "\". Also remember to use upper and lower case letters in different parts of your password in ways that are easy for you to recall.
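The techniques in 5.2.4 and the worked examples in 5.2.5 reduce to three small transformations: take the nth character of each word, map letters to their positions in the alphabet (A=1 ... Z=26), and swap in punctuation. The Python below implements them and reproduces the page's own examples; it is an added example written for this page, not code from the policy. The function names, the argument order of `build_password`, and the letter-substitution table (taken from the "m@n!S199201" example) are my own choices.

```python
"""Builds passwords from phrases using the techniques in 5.2.4 and 5.2.5.
Added example for this page, not code from the policy; the function names and the
argument order are my own."""
import string

# Swaps used in the 'm@n!S199201' example of 5.2.5.1.5. Only lower-case keys, so an upper-case
# letter such as the 'S' of Sita is kept as typed.
LETTER_SUBSTITUTIONS = {"a": "@", "i": "!"}
# Word swaps suggested in 5.2.5.2.
WORD_SUBSTITUTIONS = {"and": "&", "or": "|"}


def initials(phrase: str, position: int = 1, swap_words: bool = False) -> str:
    """The character at 1-based `position` of every word (5.2.4.4); words shorter than
    `position` contribute nothing. Case is kept as typed, so capitalising words in the
    phrase gives the 'unusual capitalization' of 5.2.4.4.4. With swap_words, 'and' and
    'or' contribute '&' and '|' instead of a letter (5.2.5.2)."""
    out = []
    for raw in phrase.split():
        word = raw.strip(string.punctuation)
        if swap_words and word.lower() in WORD_SUBSTITUTIONS:
            out.append(WORD_SUBSTITUTIONS[word.lower()])
        elif len(word) >= position:
            out.append(word[position - 1])
    return "".join(out)


def letters_to_numbers(word: str) -> str:
    """A/a=1 ... Z/z=26 (5.2.4.4.5); characters that are not letters pass through unchanged."""
    return "".join(str(ord(c.lower()) - ord("a") + 1) if c.isalpha() else c for c in word)


def substitute(text: str) -> str:
    """Apply LETTER_SUBSTITUTIONS character by character."""
    return "".join(LETTER_SUBSTITUTIONS.get(c, c) for c in text)


def build_password(question: str, answer: str, separator: str = "", suffix: str = "",
                   position: int = 1, swap_letters: bool = False) -> str:
    """Question initials + separator + numeric form of the answer + suffix: the layout the
    5.2.5.1 examples use. With swap_letters, the initials get the 5.2.5.2 substitutions."""
    head = initials(question, position)
    if swap_letters:
        head = substitute(head)
    return head + separator + letters_to_numbers(answer) + suffix


if __name__ == "__main__":
    # The page's own examples, rebuilt from their phrases.
    print(initials("My Favorite Number Is") + "333.")                                   # MFNI333.
    print(initials("My Favorite number is", position=2) + "333.")                       # yaus333.
    print(build_password("My Favorite Song Is", initials("Dust in the Wind"), suffix="!"))
    print(build_password("the name of my favorite grandchild is", "Tim", separator="#"))
    print(build_password("my aunt's name is Sita", "Sita", swap_letters=True))
```

The numeric mapping is not an encoding with any secrecy of its own; its value is purely that the user can regenerate the digits from memory, while an outsider who does not know the phrase sees only a long mixed string.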
6. Password Protection Standards
6.1 Do not use the same password for <Company Name> accounts as for other non-<Company Name> access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, don't use the same password for various <Company Name> access needs. For example, select one password for the Engineering systems and a separate password for IT systems. Also, select a separate password to be used for an NT account and a UNIX account.
6.2 Do not share organization’s passwords with anyone, including
administrative assistants or secretaries. All passwords are to be treated as
sensitive, confidential organization information.
6.3 Here is a list of "don'ts":
6.3.1 Don't reveal a password over the phone to ANYONE
6.3.2 Don't reveal a password in an email message
6.3.3 Don't reveal or share a password even to the boss or family
members or co-workers.
6.3.4 Don't talk about a password in front of others
6.3.5 Don't hint at the format of a password (e.g., "my family
name")
6.3.6 Don't reveal a password on questionnaires or security forms
6.3.7 Don't use common words or reverse spelling of words in part of
your password.
6.3.8 Don't use names of people or places as part of your password.
6.3.9 Don't use part of your login name in your password.
6.3.10 Don't use easily remembered numbers such as phone numbers, social security numbers, or street addresses.
6.4 Here is a list of "nevers":
6.4.1 Never share a user account and password
6.4.2 Never use the same password for more than one account
6.4.3 Never write down a password; if you have written one down in order to remember it, keep it in a secure place that only you can access.
6.4.4 Never include a password in a non-encrypted stored document.
6.4.5 Never use the "Remember Password" feature of application programs such as an internet browser (Internet Explorer, Mozilla Firefox, Google Chrome, Safari, etc.), your e-mail program, or any other program.
6.4.6 Never use your corporate or network password on an account over the internet which does not have a secure login, i.e. where the web browser address starts with https:// rather than http://.
6.5 If someone demands a password, refer them to this document or have
them call someone in the Information Security Department.
6.6 Again, do not write passwords down and store them anywhere in your office. Do not store passwords in a file on ANY computer system (including Palm Pilots or similar devices) without encryption.
6.7 Change passwords at least once every three months
(except system-level passwords which must be changed monthly). The recommended
change interval is every month.
6.8 If an account or password is suspected to have been compromised,
report the incident to Information Security and change all passwords.
6.9 Password cracking or guessing may be performed on a periodic or random basis by Information Security or its delegates. If a password is guessed or cracked during one of these scans, the user will be required to change it.
7. Application Development Standards
7.1 Application developers must ensure their programs contain the following security precautions. The application:
7.1.1 Should support authentication of individual users, not groups.
7.1.2 Should not store passwords in clear text or in any easily
reversible form.
7.1.3 Should provide for some sort of role management, such that one
user can take over the functions of another without having to know the other's
password.
7.1.4 Should support TACACS+, RADIUS and/or X.509 with LDAP security retrieval, wherever possible.
8. Use of Passwords and Passphrases for Remote Access Users
8.1 Access to the organization's networks via remote access is to be controlled using either one-time password authentication or a public/private key system with a strong passphrase.
9. Passphrases
9.1 Passphrases are generally used for public/private key
authentication. A public/private key system defines a mathematical relationship
between the public key that is known by all, and the private key, that is known
only to the user. Without the passphrase to "unlock" the private key,
the user cannot gain access.
9.2 Passphrases are not the same as passwords. A passphrase is a longer version of a password and is, therefore, more secure. A passphrase is
typically composed of multiple words. Because of this, a passphrase is
more secure against "dictionary attacks."
9.3 A good passphrase is relatively long and contains a combination of
upper and lowercase letters and numeric and punctuation characters. An example
of a good passphrase: "The*?#>*@TrafficOnThe101Was*&#!#ThisMorning"
9.4 All of the rules above that apply to passwords apply to passphrases.
10. One-Time Passwords
10.1 Presently, one-time passwords are used to secure systems and transactions. These passwords are generated by USB tokens or smart cards, called OTP smart card tokens or secure ID tokens. A password produced by a token can be used only once; the next time, a new password is produced. An OTP is more secure than a password generated and maintained by other techniques.
11. Enforcement
11.1 Any employee found to have violated these practices may be subject to disciplinary action.
Office of the Controller of Certification
Ministry of Science and Technology
Singha Durbar, Kathmandu