Protect Your Windows Network: From Perimeter to Data
A password policy really needs to be tailored to your environment, and we are reluctant to give one here because of that. However, bowing to pressure, here is a minimal password policy:
- Passwords must consist of at least 8 characters and must use at least one character from each of four character sets: uppercase letters, lowercase letters, numbers, and symbols. Symbols that do not appear on the top row of the keyboard (the row above the numbers) are stronger than the 14 on the top row, because the top-row symbols are the ones password crackers try first, and are therefore preferred in a password.
- Passwords should be changed every 90 days. Notification will be given 14 days in advance of password expiration.
- Passwords must not contain any part of the user's name or logon name. In addition, passwords must not contain any unmodified dictionary words, names of relatives, pets, locations, or other items that are in common use in the predominant language at the site.
- Passwords must not be reused across systems. For users with multiple accounts, for example, in the data center and in the corporate domain, using the same password on these accounts is grounds for termination. Likewise, any user found using a corporate password on a public system, such as a public Web site or e-mail system, may be terminated.
- Use of pass phrases is highly encouraged. Pass phrases are exactly what they sound like: phrases used as passwords. An example of a pass phrase is a sentence such as "We enforce good passwords at our site!" A pass phrase is the only time a dictionary word may be used for logon. However, it is highly encouraged that users modify the pass phrase to make it less obvious. For instance, character substitutions are highly worthwhile with pass phrases. One option is to replace one or more occurrences of some character with some other character. For instance, you may replace the character e with the character 8. Avoid the substitutions everyone uses (e to 3, a to @, o to 0), since password-cracking tools already apply those as rules; a less obvious replacement defeats them. Use your imagination and you will be able to generate very good passwords.
- It is permissible to write down your password. However, any employee found to be leaving a note or document containing passwords in a location ordinarily accessible to other users is subject to immediate termination. This includes posting passwords on monitors, leaving the note under the keyboard, on a corkboard, or anywhere else where someone may find it. Keeping passwords on a USB token is acceptable as long as the USB token is adequately controlled. Similarly, keeping a note with the current password in your wallet, or in a safe, is acceptable. All notes, documents, or devices that contain passwords must be securely destroyed when they are no longer needed. They should be deposited in the secure disposal bins available in all copy rooms.
- Use of third-party password generators is prohibited without prior approval by corporate security. Approved password generators are available at <insert internal Web site here>. The rationale for this policy is that some password generators are designed to lure users into generating passwords that are stored by the password generator for later use in attacking the organization the user works for. Using a nonapproved password generator is grounds for disciplinary action, up to and including termination of employment.
- Any employee found to be attacking passwords in any way, including but not limited to guessing, cracking, or attempting to coerce other employees into giving up their password, without prior approval from the chief security officer is subject to immediate termination. Criminal action may also be brought against anyone attempting to attack the password system, or any other system to which the person does not have access.
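The rules in the policy above that a machine can enforce (minimum length, one character from each of the four sets, no part of the user's name or logon name, no unmodified dictionary words except inside a pass phrase, and a preference for off-row symbols) are small enough to encode in a checker that a provisioning script or help desk tool can run before a password is set. The following is an added example written for this page, not code from the book or from Windows itself. It assumes a constructed word list standing in for a real dictionary, treats three or more whitespace-separated words as a pass phrase, and treats any name fragment of three or more letters as "part of the user's name"; the user name and logon name in the usage lines are made up.

```python
"""Checker for the minimal password policy above (added example)."""
import re
import string

MIN_LENGTH = 8

# Symbols on the top (number) row of a US keyboard. The policy prefers
# symbols that are NOT in this set, so using only these earns a warning.
TOP_ROW_SYMBOLS = set("`~!@#$%^&*()_-+=")

# Constructed stand-in for a real word list (assumption: a deployment would
# load a full dictionary plus site-specific terms, product names, etc.).
DICTIONARY = {
    "password", "summer", "welcome", "company", "dragon", "secret",
    "we", "enforce", "good", "passwords", "at", "our", "site",
}

_WORD_RE = re.compile(r"[A-Za-z]+")


def _name_parts(full_name, logon_name):
    """Lower-cased fragments of the user's name that must not appear."""
    parts = {p.lower() for p in re.split(r"[\s.,'-]+", full_name) if len(p) >= 3}
    if logon_name:
        parts.add(logon_name.lower())
    return parts


def is_passphrase(candidate):
    """Heuristic (assumption): three or more words make a pass phrase."""
    return len(candidate.split()) >= 3


def check_password(candidate, full_name="", logon_name=""):
    """Return (ok, problems, warnings) for a candidate password.

    problems are policy violations that must reject the password;
    warnings are permitted but discouraged by the policy.
    """
    problems, warnings = [], []

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # One character from each of the four character sets.
    symbols = {c for c in candidate if c in string.punctuation}
    required = {
        "uppercase": any(c.isupper() for c in candidate),
        "lowercase": any(c.islower() for c in candidate),
        "digit": any(c.isdigit() for c in candidate),
        "symbol": bool(symbols),
    }
    for name, present in required.items():
        if not present:
            problems.append(f"no {name} character")
    if symbols and symbols <= TOP_ROW_SYMBOLS:
        warnings.append("only top-row symbols used; off-row symbols are preferred")

    # No part of the user's name or logon name, case-insensitively.
    lowered = candidate.lower()
    for part in sorted(_name_parts(full_name, logon_name)):
        if part in lowered:
            problems.append(f"contains name fragment {part!r}")

    # Unmodified dictionary words are only allowed inside a pass phrase,
    # and even there the policy asks the user to modify them.
    words = [w.lower() for w in _WORD_RE.findall(candidate)]
    hits = [w for w in words if w in DICTIONARY]
    if hits:
        if is_passphrase(candidate):
            warnings.append(f"unmodified dictionary words: {hits}")
        else:
            problems.append(f"contains dictionary word(s): {hits}")

    return (not problems, problems, warnings)


def substitute(phrase, mapping):
    """Apply the policy's suggested character substitution, e.g. {'e': '8'}."""
    return phrase.translate(str.maketrans(mapping))


if __name__ == "__main__":
    phrase = "We enforce good passwords at our site!"
    print(check_password("Summer2024!", "Pat Example", "pexample"))
    print(check_password(phrase))                        # fails: no digit
    print(check_password(substitute(phrase, {"e": "8"})))  # passes with a warning
```

Running the module shows the policy's own example pass phrase failing the four-character-set rule (it has no digit) and passing once the suggested e-to-8 substitution is applied, while a password like Summer2024! is rejected for the embedded dictionary word even though it satisfies every character-set requirement.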