Best Practices for Passwords
Passwords are a critical part of information security and privacy. Passwords serve to protect your accounts, but a poorly chosen password, if compromised, could put your privacy and finances at risk. As a result, you are encouraged to take appropriate steps to ensure that you create strong, secure passwords and keep them safeguarded at all times
The following is some information that is helpful in creating, protecting, and changing passwords such that they are strong, secure, and protected.General
- Passwords should be changed every 90 days.
- Old passwords should not be re-used for a period of 24 months.
- Passwords should conform to the guidelines outlined below.
Password Construction Guidelines
Passwords are used to access any number of online systems, including personal computers, e-mail, financial accounts, and commerce websites. Poor, week passwords are easily cracked, and put your privacy at risk. Therefore, strong passwords are strongly encouraged. Try to create a password that is also easy to remember.
- Passwords should not be based on well-known or easily accessible personal information.
- Passwords should contain at least 8 characters.
- Passwords should start with a letter.
- Passwords should contain at least 1 uppercase letter (e.g. N) and 5 lowercase letters (e.g. t).
- Passwords should contain at least 1 numerical character (e.g. 5).
- Passwords should contain at least 1 special character (e.g. $).
- Passwords should not be based on your personal information or that of your friends, family members, or pets. Personal information includes name, birthday, address, phone number, social security number, or any permutations thereof.
- Passwords should not be words that can be found in a standard dictionary (English or foreign) or are publicly known slang or jargon.
- Passwords should not be based on publicly known fictional characters from books, films, etc.
- Passwords should not be based on your company's name or geographic location.
Password Protection Guidelines
- Passwords should be treated as confidential information. You should never give your password to another person.
- You should never transmit your password electronically over the unprotected internet, such as via e-mail or unsecure websites.
- You should not keep an unsecured written record of your passwords, either on paper or in an electronic file. If it proves necessary to keep a record of a password, then it should be kept in a safe in hardcopy form, or in an encrypted file if in electronic form (e.g. the password-protection feature for a Microsoft Word document).
- Do not use the "Remember Password" feature of applications.
- Passwords should not be duplicated. Do not use the same password for all of your protected systems.
- If you suspect that your password has been compromised, it should be changed immediately.