Dealing with passwords can be a very tedious process, especially since there are few clear guidelines on how to choose secure passwords and on the surrounding processes found in modern IT infrastructures.
This blog entry explains the minimum standards for providing, maintaining, and safeguarding account passwords. It applies to all IT systems, including external cloud services, software-as-a-service offerings and third-party systems. These requirements are based on an overall assessment of industry standards and common risk assessments.
Out of scope
Where legal, regulatory, or contractual obligations conflict with these norms, exceptions may be allowed. Furthermore, if a business unit is unable to meet these basic standards, a formal exception must be obtained through the appropriate security exception process.
Handling of default passwords
Default passwords are set by external parties such as manufacturers or suppliers.
These passwords must be changed as quickly as feasible and, at the very least, before the system is used in production. Default passwords pose a huge security risk and are used by many attackers for malicious purposes.
Non-privileged user accounts
Regular user accounts are not authorized to perform privileged or administrative duties; for example, all typical corporate users are classified as non-privileged users. These criteria also serve as the baseline for any password that is not specifically covered elsewhere in this post.
Passwords must contain a minimum of 15 characters.
A password has a minimum validity period of one day. This guarantees that the password history rules cannot be circumvented by cycling through passwords in quick succession. There is no minimum validity period if a password management system is in place that automatically expires passwords after use. The maximum validity period is 365 days.
Privileged and administrative user accounts
A privileged user account is one that is authorized to perform additional functions that a non-privileged user is not authorized to perform. An administrative user account has permissions to stop, start or modify an IT system or service. This includes the user and role management for a specific IT system or service. These accounts include, but are not limited to, highly privileged user accounts that can access sensitive IT systems or services containing customer data.
Passwords must contain a minimum of 32 characters.
The minimum period of validity for a password is 1 day. If a password management solution is in place that automatically resets the passwords after use, there is no minimum validity period.
The maximum period of validity is 90 days. If a privileged access management solution is used, the maximum validity period is 45 days.
Service / Technical accounts
A service or technical account is created with the sole purpose of providing rights or permissions to a system service while it is running. This typically occurs in system-to-system or service-to-service connections where there is no user interaction during the authentication process.
Passwords must contain a minimum of 42 characters. Where 42 characters are not possible due to technical restrictions of the authenticating service, an exception must be submitted.
The minimum period of validity for a password is 1 day. The maximum period of validity is 500 days.
Emergency accounts
Emergency accounts are highly privileged, are not allocated to a particular user, and must be used only in emergency circumstances such as disaster recovery, whenever the regular administrative login credentials cannot be used. These accounts must be carefully managed and documented.
The IT system or service owner must develop a safe password management procedure and submit it for assessment and approval by the appropriate security department. The requirements listed below apply solely to emergency access accounts and must be met at all times:
- Passwords must contain a minimum of 62 characters.
- Passwords must be changed as soon as the emergency use ends, and log files must be examined for misuse by an outside reviewer.
- The four-eyes principle must be followed while using emergency accounts.
- The use of an emergency account must be justified to the security department. An event must be triggered.
- Everyone who can access an emergency account must be monitored. In case of a job or role change, the associated emergency accounts must be locked as soon as possible.
- Every access must be monitored.
If the IT system or service contains only non-critical data, as with demo or test systems, the password generation criteria may not apply. The IT system owner and the internal security department must authorize these exclusions. The exclusions do not apply to administrative or sensitive accounts.
There are no exceptions for privileged accounts. Every account with administrator privileges must be secured as well as feasible. External systems that require sensitive passwords should not be used.
There must be a total limit of 10 failed password attempts before an account is temporarily locked for the originating IP address.
The IT system or service owner must develop a safe mechanism for unlocking accounts and submit it to the security department for assessment and approval. Account unlocking without a password reset must be logged and monitored in order to detect suspicious activity. The account owner should be notified of the account unlock.
To reset an account's password, the account owner must be securely identified and properly validated. The new password must be delivered to the account owner only.
If one part of a login attempt to an IT system fails, the user may only be told that the login as a whole has failed. The user must not be told which component of the login, username or password, was wrong.
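The lockout and uniform-error requirements above, as an added example that is not code from the original post: a small login guard that counts failed attempts per source IP, locks that IP after 10 failures, records lock and unlock events for monitoring, and returns the same message whether the username or the password was wrong. The 15-minute lock duration, the plain-text demo credential store and all names here are assumptions for the example; the post specifies neither a lock duration nor a storage format.

```python
import hmac
import time
from collections import defaultdict

# Policy values from the post: an account is temporarily locked for a source
# IP after 10 failed attempts, and the user only learns that the login failed.
MAX_FAILED_ATTEMPTS = 10
# The lock duration is an assumption; the post does not specify one.
LOCKOUT_SECONDS = 15 * 60
# One generic message for every failure, so username and password errors are
# indistinguishable to the caller.
LOGIN_FAILED = "Login failed. Please check your username and password."

# Constructed demo credential store. A real system stores salted password
# hashes; plain text is used here only to keep the example self-contained.
USERS = {"alice": "correct horse battery staple 123!"}


class LoginGuard:
    """Counts failed logins per source IP, locks the IP after the limit and
    records lock/unlock events so they can be monitored."""

    def __init__(self, now=time.time):
        self._now = now                      # injectable clock for testing
        self._failures = defaultdict(int)    # ip -> consecutive failures
        self._locked_until = {}              # ip -> unlock timestamp
        self.events = []                     # audit trail of lock/unlock events

    def is_locked(self, ip):
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if self._now() >= until:
            # Lock expired: release it and note the automatic unlock.
            del self._locked_until[ip]
            self._failures[ip] = 0
            self.events.append(("unlock", ip, self._now()))
            return False
        return True

    def attempt(self, ip, username, password):
        """Returns (success, message). The message is identical for an unknown
        username, a wrong password and a locked IP."""
        if self.is_locked(ip):
            return False, LOGIN_FAILED
        # Compare against a dummy value when the username is unknown so that the
        # timing of the comparison does not reveal whether the account exists.
        expected = USERS.get(username, "\x00" * 64)
        matches = hmac.compare_digest(expected.encode(), password.encode())
        if username in USERS and matches:
            self._failures[ip] = 0
            return True, "Login successful."
        self._failures[ip] += 1
        if self._failures[ip] >= MAX_FAILED_ATTEMPTS:
            self._locked_until[ip] = self._now() + LOCKOUT_SECONDS
            self.events.append(("lock", ip, self._now()))
        return False, LOGIN_FAILED


if __name__ == "__main__":
    guard = LoginGuard()
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(guard.attempt("203.0.113.7", "alice", "guess"))
    print("locked:", guard.is_locked("203.0.113.7"), guard.events)
```

The lock is keyed on the source IP rather than the account, which matches the post's wording and keeps an attacker from locking a legitimate user out of their own account from elsewhere; the `events` list is the hook for the monitoring the post requires for unlocks.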
10 golden rules for accounts and passwords
Passwords are an easy way for attackers to steal your personal information and carry out malicious activities. To protect your accounts against basic cyber attacks, follow these 10 golden rules:
- Use a unique password for each account you create
- Make use of a well-known password management tool
- Don’t save passwords on computers that are accessible to other people
- Clear browser caches as well as the browser history before leaving the computer, to prevent stored credentials from being exposed
- Don’t write down passwords or store them unencrypted in plain text
- Never share passwords with other people, including family members, peers or colleagues
- Monitor sensitive accounts and check the account activity to see whether someone else has accessed them
- Only create secure passwords following industry standards that are internationally recognized and well-established
- Avoid automatic password entry via scripts, application "remember me" features or auto-logins as far as possible.
- Never share your password with support personnel. They don’t need it for their work.
What not to do
While we already covered ways to come up with good passwords, we now take a look at things to avoid at all costs. Passwords should not consist of:
- Any part of your username.
- Any dictionary word in any common language including dialects, slang or jargon.
- Any of your personal information such as pet names, dates or family member names.
- Any company information such as their name.
- Any word or number pattern, e. g. 112233 or qwertz.
- Any of the above spelled backwards.
- Any of the above preceded or followed by a digit, e. g. hello5.
- Common passphrases, e. g. song lyrics or popular quotes.
How can users create good passwords?
There are quite a few ways to help you create a good password without much effort. The most helpful are:
- Consider basing passwords on the first letters of a song title, affirmation, or other phrase, mixed with numbers and special characters. For example, the phrase might be: "This May Be One Way To Remember Me" and the password could be: "T$mAyBe1wAy2RMe!"
- Consider creating a passphrase consisting of words, symbols and numbers inserted into a phrase you can remember. For example “T!me for 3 teas AT 1:35.”
- Don’t use one of the previous 15 passwords or slightly modify any of them.
Always consider the complexity requirements. Every password must contain characters from all of the following categories:
- Arabic numbers, e. g. 1234
- Latin lowercase letters, e. g. abcd
- Latin uppercase letters, e. g. ABCD
- Non-alphanumeric symbols, e. g. !"§$
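The account-class minimum lengths, the "what not to do" list, the history rule and the four complexity categories above, combined into one policy checker as an added example (not code from the original post). The word lists, the company term, the personal-information values and the SHA-256 fingerprint used for the history comparison are constructed for the demo; a real deployment would plug in full dictionaries, a breached-password feed and properly salted, slow hashes of previous passwords.

```python
import hashlib
import re

# Minimum password lengths per account class, taken from the post.
MIN_LENGTH = {
    "non_privileged": 15,
    "privileged": 32,
    "service": 42,
    "emergency": 62,
}
PASSWORD_HISTORY_DEPTH = 15  # previous passwords that may not be reused

# Constructed word lists for the demo. A real deployment would plug in full
# dictionaries, the company's own terms and a breached-password feed here.
DICTIONARY_WORDS = {"hello", "password", "summer", "welcome"}
COMPANY_TERMS = {"examplecorp"}
KEYBOARD_AND_NUMBER_PATTERNS = {"qwertz", "qwerty", "asdf", "1234", "112233"}
COMMON_PHRASES = {"letitbe", "tobeornottobe"}

# The four character classes every password must contain.
CHARACTER_CLASSES = {
    "digit": re.compile(r"[0-9]"),
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "symbol": re.compile(r"[^0-9A-Za-z]"),
}


def password_hash(password):
    """Demo fingerprint for the history check (constructed; a real system keeps
    salted, slow hashes of previous passwords)."""
    return hashlib.sha256(password.encode()).hexdigest()


def forbidden_fragments(username, personal_info):
    """Everything a password may not contain, lower-cased, plus each item
    spelled backwards. Substring matching also catches the 'hello5' variant
    (a forbidden word preceded or followed by a digit)."""
    base = {username, *DICTIONARY_WORDS, *COMPANY_TERMS, *personal_info,
            *KEYBOARD_AND_NUMBER_PATTERNS, *COMMON_PHRASES}
    base = {item.lower() for item in base if len(item) >= 3}
    return base | {item[::-1] for item in base}


def check_password(password, account_type, username, personal_info=(), history=()):
    """Returns the list of policy violations; an empty list means the password
    is acceptable. `history` holds fingerprints of the user's previous passwords."""
    problems = []
    required = MIN_LENGTH[account_type]
    if len(password) < required:
        problems.append(f"length {len(password)} is below {required} for {account_type}")
    for name, pattern in CHARACTER_CLASSES.items():
        if not pattern.search(password):
            problems.append(f"missing character class: {name}")
    lowered = password.lower()
    for fragment in sorted(forbidden_fragments(username, personal_info)):
        if fragment in lowered:
            problems.append(f"contains forbidden fragment: {fragment!r}")
    if password_hash(password) in history[-PASSWORD_HISTORY_DEPTH:]:
        problems.append(f"reuses one of the previous {PASSWORD_HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    # Both sample passwords from the post pass for a non-privileged account,
    # but the first one is too short for a privileged account.
    print(check_password("T$mAyBe1wAy2RMe!", "non_privileged", "alice"))
    print(check_password("T$mAyBe1wAy2RMe!", "privileged", "alice"))
    print(check_password("hello5", "non_privileged", "bob"))
```

Because the check reports every violation rather than stopping at the first, the caller can show the user the complete list of what to fix; the reversed-fragment set is what makes the "spelled backwards" rule work without a second pass over the password.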
What if things go south?
If an IT system or service, account, or password is suspected to have been compromised, all compromised or possibly compromised accounts must have their passwords changed right away. MFA must be required or, if MFA is not enabled, the user account must be restricted until the password is reset.
In the event that someone tries to access a password without authorization, the incident must be reported right away as a security incident and a possible breach of personal information via the incident reporting procedure.