T5.3.1 - P1 - USE OF SECURITY CREDENTIALS
All users should be advised to:
- A. Keep secret authentication information confidential, ensuring that it is not divulged to any other parties, including people of authority;
- B. Avoid keeping a record (e.g. paper, software file or hand-held device) of security credentials, unless this can be stored securely and the method of storing has been approved (e.g. password vault);
- C. Change security credentials whenever there is any indication of their possible compromise;
- D. When passwords are used as security credentials, select quality passwords with sufficient minimum length which are:
  1) Easy to remember;
  2) Not based on anything somebody else could easily guess or obtain using person-related information, e.g. names, telephone numbers and dates of birth;
  3) Not vulnerable to dictionary attacks (i.e. do not consist of words included in dictionaries);
  4) Free of consecutive identical, all-numeric or all-alphabetic characters;
- E. Change temporary passwords at the first log-on;
- F. Not share an individual user’s security credentials;
- G. When passwords are used as security credentials in automated logon procedures, these should not be stored without proper protection;
- H. Not use the same security credentials for business and non-business purposes.
If users need to access multiple services, systems or platforms, and they are required to maintain multiple separate passwords, they should be advised that they may use a single, quality password (see D) for all services where the user is assured that a reasonable level of protection has been established for the storage of the password within each service, system or platform.
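As an added example that is not part of this policy text, the following Python function checks a candidate password against the quality criteria in item D so that a service can reject weak choices before they are stored. The minimum length of 12, the small word list standing in for a dictionary, reading "consecutive identical characters" as a run of three or more, and the way a name, telephone number and date of birth are expanded into guessable substrings are all assumptions of this example; the policy fixes none of them.

```python
import re
from datetime import date

MIN_LENGTH = 12  # assumed value; the policy only says "sufficient minimum length"

# Constructed stand-in for a real dictionary word list (assumption, not from the policy).
DICTIONARY = {"password", "welcome", "summer", "qwerty", "letmein", "admin", "secret"}


def personal_tokens(name=None, phone=None, dob=None):
    """Lower-case substrings someone could derive from personal data (criterion D.2).

    dob is an ISO date string such as "1990-03-24". How each field is expanded is
    an assumption of this example, not something the policy specifies.
    """
    tokens = set()
    if name:
        tokens.update(p.lower() for p in name.split() if len(p) >= 3)
    if phone:
        digits = re.sub(r"\D", "", phone)
        if len(digits) >= 4:
            tokens.add(digits)
            tokens.add(digits[-4:])  # the last four digits are commonly reused
    if dob:
        d = date.fromisoformat(dob)
        tokens.update(d.strftime(f) for f in ("%Y", "%d%m%Y", "%Y%m%d", "%d%m%y", "%m%d%Y"))
    return tokens


def check_password(pw, name=None, phone=None, dob=None):
    """Return the list of item D criteria that pw violates; an empty list means it passes."""
    problems = []
    lowered = pw.lower()

    # "sufficient minimum length"
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # D.2: person-related information (names, telephone numbers, dates of birth)
    if any(t in lowered for t in personal_tokens(name, phone, dob)):
        problems.append("contains person-related information")

    # D.3: dictionary words, including a word padded with digits or symbols
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if letters_only in DICTIONARY or any(w in lowered for w in DICTIONARY):
        problems.append("based on a dictionary word")

    # D.4: consecutive identical characters (interpreted here as a run of three
    # or more), all-numeric or all-alphabetic passwords
    if re.search(r"(.)\1\1", pw):
        problems.append("contains consecutive identical characters")
    if pw.isdigit():
        problems.append("all-numeric")
    elif pw.isalpha():
        problems.append("all-alphabetic")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs for a quick demonstration
    for candidate, ctx in [
        ("correct-horse-battery-staple", {}),
        ("Summer2024!!!", {"name": "Alice Summer"}),
        ("19900324abcdef", {"dob": "1990-03-24"}),
    ]:
        print(candidate, "->", check_password(candidate, **ctx) or "OK")
```

The check reports every violated criterion rather than stopping at the first one, so a user can be told everything that needs changing in a single round; criterion D.1 (easy to remember) is a human judgement and is deliberately left out of the automated check.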