Password policy

From Security Wiki

Password Policy

created January 13, 2005

Passwords selected by a user should not be easily guessable by password-guessing programs (such as crack, john-the-ripper, l0phtcrack or similar). The Security Technologies group shall audit SDSC passwords, and if easily guessable passwords are discovered, the user shall be contacted and the password shall be immediately changed to a password that is not easily guessable.

Password Selection Standard

SDSC system administration staff and Security Technologies will provide password changing interfaces that implement password strength checking at the time the password is selected. Exceptions can be granted by the Manager of Security Technologies.

Password Selection Guidelines

Under the SDSC User Responsibilities policies, users are required to protect their SDSC password(s), and individual account passwords are never to be shared. Users who believe a password has been compromised should change that password immediately and notify SDSC Security Technologies staff.

The specific character composition of a password and the length of time a password should remain valid are not defined by the SDSC Password Policy. Recommendations for password composition are made in the User and System Administrator Guidelines. It is recommended that passwords be a minimum of 8 characters and use mixed case and special characters. Doing so makes the password harder for password-guessing programs to guess.