Password Management Guidelines


USERS

When creating a password please use the following rules to make it more secure:

  • Do not use a password that you have used in the past
  • Try to change the password at least every 3 months
  • Create a password that is at least eight characters long (the longer the better)
  • Create a password with both digits and letters
  • Do not base a password on a family name, a pet's name or any other detail that someone who knows you could recognise
  • Create a password that is not in a dictionary
  • Create passwords with spaces in them (if allowed)


SYSTEM ADMINISTRATORS

Use the following guidelines to help secure your network and computers:

  • Require that passwords be changed every 3 months (90 days). Almost all network operating systems have a feature that prompts users to change their password once the specified time is up
  • Set a minimum password length - most network operating systems support the ability to set a minimum password length
  • Set up password history if available - if the network operating system supports password history, enable it to prevent the same password from being reused
  • Enable an account lockout threshold - this option disables an account after a set number of failed logon attempts - generally 3 attempts with a lockout duration of 60 minutes is sufficient
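The user rules above (length, letters plus digits, no dictionary words, no recognisable names, no reuse) and the administrators' password-history setting can be enforced by the same check at the point where a new password is chosen. The following is an added example written for this page, not part of the original guidelines; the word list and the names passed in are constructed samples, and history is kept only as salted hashes so that no old password is stored in the clear.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 8
PBKDF2_ROUNDS = 100_000
# Constructed sample word list; a real deployment loads a full dictionary file.
DICTIONARY = {"password", "welcome", "letmein", "summer", "dragon"}


def hash_password(password, salt=None):
    """Return (salt, digest) for storing a password in history without keeping the plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(password, history):
    """True if the candidate matches any (salt, digest) pair previously recorded."""
    for salt, digest in history:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(password, history=(), dictionary=DICTIONARY, personal_names=()):
    """Return the list of guideline rules the candidate breaks; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not (re.search(r"\d", password) and re.search(r"[A-Za-z]", password)):
        problems.append("must contain both letters and digits")
    lowered = password.lower()
    # Strip digits/punctuation so "Password1" is still caught as the dictionary word "password".
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if lowered in dictionary or letters_only in dictionary:
        problems.append("is a dictionary word")
    for name in personal_names:  # e.g. family or pet names known for this account
        if name.lower() in lowered:
            problems.append("contains a recognisable name (%s)" % name)
    if in_history(password, history):
        problems.append("was used before")
    return problems
```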


PROTECTING YOUR PASSWORD

  • Never store your password on your computer except in an encrypted form. Note that the password cache that comes with Windows (.pwl files) is NOT secure, so whenever Windows prompts you to "Save password", decline
  • Don't tell anyone your password, not even your system administrator
  • Never send your password via email or other unsecured channel
  • If you must write your password down, don't leave the paper lying around; lock it away somewhere, preferably off-site and definitely under lock and key
  • Be very careful when entering your password with somebody else in the same room
  • Never leave your computer unlocked when unattended. Press Ctrl-Alt-Del and lock it