Overview
Passwords are a critical component of information security. Passwords serve to protect user accounts; however, a poorly constructed password may result in the compromise of individual systems or data. This guideline provides best practices for creating secure passwords.
Purpose
The purpose of these guidelines is to provide best practices for the creation of strong passwords.
Standard Device Scope
This guideline applies to employees, contractors, consultants, temporary and other workers at InContext Solutions, including all personnel affiliated with third parties. This guideline applies to all passwords including but not limited to user-level accounts, system-level accounts, web accounts, e-mail accounts, screen saver protection, and local router logins.
Statement of Guidelines for Standard Devices
All passwords should meet or exceed the following guidelines.
Strong passwords have the following characteristics:
- Contain at least 10 characters.
- Do not contain the user's account name or parts of the user's full name that exceed two consecutive characters.
- Contain characters from 3 of the following 4 categories:
  - English uppercase characters (A through Z)
  - English lowercase characters (a through z)
  - Base 10 digits (0 through 9)
  - Non-alphabetic characters (for example, !, $, #, %)
- Complexity requirements are enforced when passwords are changed or created.
Poor, or weak, passwords have the following characteristics:
- Contain fewer than ten characters.
- Can be found in a dictionary, including foreign-language dictionaries, or are slang, dialect, or jargon terms.
- Contain personal information such as birthdates, addresses, phone numbers, or names of family members, pets, friends, or fantasy characters.
- Contain work-related information such as building names, system commands, sites, companies, hardware, or software.
- Contain character patterns such as aaabbb, qwerty, zyxwvuts, or 123321.
- Contain common words spelled backward or preceded or followed by a number (for example, terces, secret1, or 1secret).
- Are some variation of "Welcome123", "Password123", or "Changeme123".
You should never write down a password. Instead, try to create passwords that you can remember easily. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase "This May Be One Way To Remember" could become the password TmB1w2R! or another variation.
(NOTE: Do not use either of these examples as passwords!)
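As an added illustration (not InContext Solutions' own tooling), the following Python checker applies the standard-device rules above to a candidate password and reports every rule it breaks. The account name, full name and sample passwords are made up, and the full-name rule is read the way the Windows complexity policy reads it (no name token of three or more characters may appear in the password), which is an assumption.

```python
# Added illustration of the standard-device rules above, not InContext
# Solutions' own tooling. Name tokens are treated as in the Windows
# complexity policy (assumption): no 3+ character token may appear.
import re
import string

MIN_LENGTH, MIN_CLASSES = 10, 3
NAME_DELIMS = re.compile(r"[ ,.\-_#\t]+")
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
BANNED_STEMS = ("welcome", "password", "changeme")


def has_pattern(s, run=4):
    """Stepped runs (abcd, 4321), keyboard rows (qwer) or mirrored runs (123321)."""
    s = s.lower()
    for i in range(len(s) - run + 1):
        steps = {ord(s[j + 1]) - ord(s[j]) for j in range(i, i + run - 1)}
        if steps in ({1}, {-1}):
            return True
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            if row[i:i + run] in s or row[i:i + run][::-1] in s:
                return True
    return any(s[i:i + 3] == s[i + 3:i + 6][::-1] for i in range(len(s) - 5))


def check_password(password, account_name, full_name):
    """Return the list of guideline violations; an empty list means acceptable."""
    problems, p = [], password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if len(account_name) >= 3 and account_name.lower() in p:
        problems.append("contains the account name")
    for tok in NAME_DELIMS.split(full_name.lower()):
        if len(tok) >= 3 and tok in p:
            problems.append("contains part of the full name: " + tok)
    alnum = string.ascii_letters + string.digits
    classes = sum([any(c in string.ascii_uppercase for c in password),
                   any(c in string.ascii_lowercase for c in password),
                   any(c in string.digits for c in password),
                   any(c not in alnum for c in password)])
    if classes < MIN_CLASSES:
        problems.append("uses only %d of 4 character classes" % classes)
    if re.search(r"(.)\1\1", password):
        problems.append("repeats one character three or more times in a row")
    if has_pattern(password):
        problems.append("contains a sequential, keyboard or mirrored pattern")
    if any(stem in p for stem in BANNED_STEMS):
        problems.append("is a variation of Welcome123/Password123/Changeme123")
    return problems
```

The mnemonic example TmB1w2R! passes every rule except the minimum length, which is why the note above says not to use it as-is; the repeat and stepped-run checks also catch the 1111 and 1234 PIN patterns named in the non-standard device section.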
Passphrases
Passphrases are used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key, which is known to everyone, and the private key, which is known only to the user. Without the passphrase to unlock the private key, the user cannot gain access.
A passphrase is used like a password; however, it is relatively long and constructed of multiple words, which provides greater security against dictionary attacks. Strong passphrases should follow the general password construction guidelines and include upper- and lowercase letters, numbers, and special characters (for example, TheTrafficOnThe101Was*&!$ThisMorning!).
Non-Standard Device Scope
This guideline applies to employees, contractors, consultants, temporary and other workers at InContext Solutions, including all personnel affiliated with third parties. This guideline applies to all passwords including but not limited to voicemail, mobile devices and devices without a physical keyboard.
Statement of Guidelines for Non-Standard Devices
All passwords should meet or exceed the following guidelines.
Passwords have the following characteristics:
- Contain at least 4 numeric characters (0 through 9).
Poor, or weak, passwords have the following characteristics:
- Contain fewer than 4 characters.
- Contain number patterns such as 1234 or 1111.
You should never write down a password. Instead, try to create passwords that you can remember easily.
Passphrases
Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key, which is known to everyone, and the private key, which is known only to the user. Without the passphrase to unlock the private key, the user cannot gain access.
Policy Compliance
Compliance Measurement
The Infosec team will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
Exceptions
Any exception to the policy must be approved by the Infosec team in advance.
Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Related Standards, Policies and Processes
None.
Definitions and Terms
None.
Revision History
| Date of Change | Responsible | Summary of Change |
|---|---|---|
| February 2015 | ICS InfoSec Team | Separated out from the Password Policy and converted to new format. |
| April 2016 | ICS InfoSec Team | Created separate policies for standard devices and non-standard devices |
| August 2017 | ICS InfoSec Team | Annual policy review, no change |
| August 2018 | ICS InfoSec Team | Annual policy review, no change |
| August 2019 | ICS InfoSec Team | Annual policy review, no change |
| October 2020 | ICS InfoSec Team | Annual policy review, modified Strong password definition with latest standard |
| June 2022 | ICS InfoSec Team | Annual policy review, minor grammatical fixes. |
| February 2023 | ICS InfoSec Team | Annual policy review, no change |
| November 2024 | ICS InfoSec Team | Annual policy review; minor typo fixes. |
| March 2026 | ICS InfoSec Team | Published to Trust Center |