IT Baseline Protection Manual S 2.11 Provisions governing the use of passwords
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: IT security management, users
If passwords are used for authentication in an IT system, the security of the system's access control depends decisively on the passwords being used correctly. It is therefore advisable to lay down a set of rules governing password use and to inform the users of them.
The following rules regarding password use should be observed:
The password must not be easy to guess; names, vehicle registration numbers, dates of birth and the like are unsuitable.
The password should consist of at least one non-letter character (special character or number).
The password should consist of at least 6 characters. It must be verified how many characters of the password the system actually checks.
Preset passwords (e.g. by the manufacturer at the time of delivery) must be replaced by individually selected passwords.
Passwords must not be stored on programmable function keys.
The password must be kept secret and should only be known personally to the user.
The password should be written down only for the purpose of escrow, in which case it is kept in a sealed envelope in a secure place. If any other written record is made, the password should be kept at least as securely as a cheque card or a bank note (cf. S 2.22 Depositing of passwords).
The password must be altered regularly, e.g. every 90 days.
The password should be altered if it has come to the knowledge of unauthorised persons.
After any alteration of the password, previous passwords should no longer be used.
Entry of the password should be made away from general view.
Where technically feasible, the following complementary rules should also be observed:
The selection of trivial passwords (BBBBBB, 123456) must be prevented.
Every user must be able to alter his own password at any time.
For the initial log-on of new users, one-time passwords should be assigned, i.e. passwords which must be changed after their first use. In networks in which passwords are transmitted unencrypted, the constant use of one-time passwords is recommended (cf. S 5.34 Use of one-time passwords).
After three unsuccessful attempts to enter the correct password, a lockout should be imposed which can only be cancelled by the system administrator.
When authenticating across a network, passwords should not be transmitted in unencrypted form.
The password must be entered covertly, i.e. the input must not be displayed on the screen.
Passwords should be stored in the system in a way that prevents unauthorised access, e.g. by means of one-way encryption.
Password alteration must be initiated by the system on a regular basis.
Re-use of previous passwords in the case of password alteration should be prevented by the IT system (password history).
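The rules above, in an added Python example that is not part of the manual: a check of a candidate password against the S 2.11 rules (minimum length, non-letter character, trivial and easily guessed values, password history), one-way storage of the password, and a lockout after three unsuccessful attempts. The set of easily guessed values, the PBKDF2 parameters and the Account class are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

MIN_LENGTH = 6           # S 2.11: at least six characters
MAX_FAILED_ATTEMPTS = 3  # S 2.11: lockout after three unsuccessful attempts

def hash_password(pw, salt=b""):
    """One-way storage (PBKDF2-HMAC-SHA256, random salt): the plain text is never kept."""
    salt = salt or secrets.token_bytes(16)
    return salt.hex() + "$" + hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000).hex()

def verify_password(pw, stored):
    salt_hex = stored.split("$")[0]   # re-hash with the stored salt, compare in constant time
    return hmac.compare_digest(hash_password(pw, bytes.fromhex(salt_hex)), stored)

def is_trivial(pw):
    """BBBBBB (one repeated character) or 123456 (a run of consecutive characters)."""
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({0}, {1}, {-1})

def check_password(pw, history=(), guessable=frozenset()):
    """Return the S 2.11 rules the candidate violates; an empty list means it is acceptable."""
    rules = [
        (len(pw) < MIN_LENGTH, "fewer than 6 characters"),
        (pw.isalpha(), "no non-letter character"),
        (is_trivial(pw), "trivial password"),
        (pw.lower() in guessable, "easily guessed (name, date of birth, ...)"),
        (any(verify_password(pw, h) for h in history), "previous password reused"),
    ]
    return [msg for violated, msg in rules if violated]

class Account:
    # Hypothetical account record: stores only the hash, keeps a history, locks on failures
    def __init__(self, initial_pw):
        self.hash = hash_password(initial_pw)
        self.history = [self.hash]          # hashes of all previous passwords
        self.failed, self.locked = 0, False
    def login(self, pw):
        if not self.locked and verify_password(pw, self.hash):
            self.failed = 0
            return True
        self.failed += 1
        self.locked = self.failed >= MAX_FAILED_ATTEMPTS  # only an administrator may reset this
        return False
    def change_password(self, new_pw, guessable=frozenset()):
        problems = check_password(new_pw, self.history, guessable)
        if not problems:
            self.hash = hash_password(new_pw)
            self.history.append(self.hash)
        return problems
```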
Additional controls:
Have users been informed on how to handle passwords correctly?