Scribd Logo
Upload

Welcome to Scribd!

  • 197 views

    Password Construction Guidelines

    Uploaded by

    Radziman Rahman
    This document provides guidelines for creating strong passwords to protect user accounts and sensitive information. It recommends passwords be a minimum of 14 characters, including passphrases with multiple words. Poor passwords are eight characters or less and contain personal information or predictable patterns. The guidelines also encourage using a password manager and multi-factor authentication when possible. Compliance is measured through audits and violations may result in discipline up to termination.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd

    Password Construction Guidelines

    Uploaded by

    Radziman Rahman
    197 views2 pages
    This document provides guidelines for creating strong passwords to protect user accounts and sensitive information. It recommends passwords be a minimum of 14 characters, including passphrases with multiple words. Poor passwords are eight characters or less and contain personal information or predictable patterns. The guidelines also encourage using a password manager and multi-factor authentication when possible. Compliance is measured through audits and violations may result in discipline up to termination.

    Original Title

    Password Construction Guidelines (1)

    Copyright

    © © All Rights Reserved

    Available Formats

    DOCX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    This document provides guidelines for creating strong passwords to protect user accounts and sensitive information. It recommends passwords be a minimum of 14 characters, including passphrases with multiple words. Poor passwords are eight characters or less and contain personal information or predictable patterns. The guidelines also encourage using a password manager and multi-factor authentication when possible. Compliance is measured through audits and violations may result in discipline up to termination.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Download as docx, pdf, or txt
    197 views2 pages

    Password Construction Guidelines

    Uploaded by

    Radziman Rahman
    This document provides guidelines for creating strong passwords to protect user accounts and sensitive information. It recommends passwords be a minimum of 14 characters, including passphrases with multiple words. Poor passwords are eight characters or less and contain personal information or predictable patterns. The guidelines also encourage using a password manager and multi-factor authentication when possible. Compliance is measured through audits and violations may result in discipline up to termination.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Download as docx, pdf, or txt
    You are on page 1of 2

    Consensus Policy Resource Community

    Password Construction Guidelines


    Free Use Disclaimer: This policy was created by or for the SANS Institute for the
    Internet community. All or parts of this policy can be freely used for your organization.
    There is no prior approval required. If you would like to contribute a new policy or
    updated version of this policy, please send email to [email protected].

    Last Update Status: Updated October, 2017

    1. Overview
    Passwords are a critical component of information security. Passwords serve to protect user
    accounts; however, a poorly constructed password may result in the compromise of individual
    systems, data, or network. This guideline provides best practices for creating secure passwords.

    2. Purpose
    The purpose of this guidelines is to provide best practices for the created of strong passwords.

    3. Scope
    This guideline applies to employees, contractors, consultants, temporary and other workers,
    including all personnel affiliated with third parties. This guideline applies to all passwords
    including but not limited to user-level accounts, system-level accounts, web accounts, e-mail
    accounts, screen saver protection, voicemail, and local router logins.

    4. Statement of Guidelines
    Strong passwords are long, the more characters you have the stronger the password. We
    recommend a minimum of 14 characters in your password. In addition, we highly encourage the
    use of passphrases, passwords made up of multiple words. Examples include “It’s time for
    vacation” or “block-curious-sunny-leaves”. Passphrases are both easy to remember and type, yet
    meet the strength requirements. Poor, or weak, passwords have the following characteristics:

     Contain eight characters or less.


     Contain personal information such as birthdates, addresses, phone numbers, or names
    of family members, pets, friends, and fantasy characters.
     Contain number patterns such as aaabbb, qwerty, zyxwvuts, or 123321.
     Are some version of “Welcome123” “Password123” “Changeme123”

    SANS Institute 2014 – All Rights Reserved Page 1


    Consensus Policy Resource Community

    In addition, every work account should have a different, unique password. To enable users to
    maintain multiple passwords, we highly encourage the use of ‘password manager’ software that
    is authorized and provided by the organization. Whenever possible, also enable the use of multi-
    factor authentication.

    5. Policy Compliance
    5.1 Compliance Measurement
    The Infosec team will verify compliance to this policy through various methods, including but
    not limited to, periodic walk-thrus, video monitoring, business tool reports, internal and external
    audits, and feedback to the policy owner.

    5.2 Exceptions
    Any exception to the policy must be approved by the Infosec team in advance.

    5.3 Non-Compliance
    An employee found to have violated this policy may be subject to disciplinary action, up to and
    including termination of employment.

    6 Related Standards, Policies and Processes


    None.

    7 Definitions and Terms


    None.

    8 Revision History

    Date of Change Responsible Summary of Change

    June 2014 SANS Policy Team Separated out from the Password Policy and
    converted to new format.

    October, 2017 SANS Policy Team Updated to reflect changes in NIST SP800-63-3

    SANS Institute 2014 – All Rights Reserved Page 2

    You might also like