S 2.11 Provisions governing the use of passwords
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: IT Security Officer, User
If passwords are used for authentication in an IT system or an application, the security of the site and of the system's access rights management depends decisively on the passwords being used correctly. It is recommended to introduce a provision governing password usage and to instruct the IT users accordingly.
The password design specifications must always constitute a practicable compromise between the following security objectives:
- The character composition of the password must be complex enough that it is difficult to guess the password.
- The number of possible passwords in the defined scheme must be sufficiently high so that the password cannot be determined after a short time by a simple trial and error approach.
- The password should not be too complicated so that the owner is able to memorise the password without too much effort.
For these reasons, the following password usage rules should be considered:
- The password must not be easy to guess. Names, license plate numbers, birth dates, etc., must not be allowed as passwords for exactly this reason.
- A password should consist of capital letters, lowercase letters, special characters, and numbers. At least two of these character classes should be required.
- If alphanumeric characters can be selected for the password, the password should be at least 8 characters long.
- If numbers only are allowed to be used in the password, the password should be at least 6 characters long and the authentication system should block any access to the account (for a certain time or permanently) after a few failed log-in attempts.
- The number of characters in the password that are actually checked by the computer must be tested.
- Default passwords (e.g. passwords set by the manufacturer before delivering a system) must be replaced by individual passwords.
- Storing passwords in programmable function keys must be prohibited.
- Passwords must be kept secret, and only the user should know his/her password.
- The password should be written down for safekeeping if necessary, in which case it must be stored securely in a sealed envelope. If the password is written down more than once, the other copies must be stored at least as securely as a cheque card or a bank note (see S 2.22 Depositing the password).
- The password must be changed regularly, for example every 90 days.
- The password must be changed if it is suspected or discovered that unauthorised persons have obtained the password.
- Old passwords should not be reused when changing passwords.
- The password should only be entered when unobserved.
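The composition rules above (length depending on the permitted character set, at least two character classes, no trivial or personal values) and the requirement that the number of characters actually checked be tested can both be expressed as small checks. The following is an added example, not part of the safeguard text or of any BSI tool: the trivial-password list, the `personal_data` items and the truncating `legacy_verify` function are constructed for illustration.

```python
import re

# Constructed stand-in for an organisation's list of forbidden trivial
# passwords; a real deployment would load a far larger list (assumption).
TRIVIAL_PASSWORDS = {"password", "passwort", "123456", "qwertz", "qwerty", "bbbbbbbb"}


def character_classes(password):
    """Count how many of the four classes (upper, lower, digit, special) occur."""
    patterns = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def is_monotone_run(s):
    """True for 'aaaaaa', '123456', 'abcdef', '654321' style sequences."""
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return len(s) > 1 and len(steps) == 1 and steps.pop() in (-1, 0, 1)


def check_password(password, personal_data=(), min_classes=2):
    """Return the list of rule violations; an empty list means the password is acceptable."""
    problems = []
    if password.isdigit():
        # Numeric-only scheme: at least 6 digits (lockout must then be enforced by the system).
        if len(password) < 6:
            problems.append("numeric-only password shorter than 6 characters")
    else:
        # Alphanumeric scheme: at least 8 characters from at least two classes.
        if len(password) < 8:
            problems.append("password shorter than 8 characters")
        if character_classes(password) < min_classes:
            problems.append(f"fewer than {min_classes} character classes")
    lowered = password.lower()
    if lowered in TRIVIAL_PASSWORDS:
        problems.append("listed trivial password")
    if is_monotone_run(lowered):
        problems.append("repeated or sequential characters")
    # Names, licence plates, birth dates etc. supplied by the caller (constructed inputs).
    for item in personal_data:
        item = str(item).lower()
        if len(item) >= 3 and item in lowered:
            problems.append(f"contains personal data {item!r}")
    return problems


def checked_length(verify, known_password):
    """Count the positions of an accepted password whose alteration the verifier
    notices, i.e. how many characters it really compares. Some legacy schemes
    silently truncate, which is why the safeguard demands this test."""
    assert verify(known_password), "probe must start from an accepted password"
    checked = 0
    for i, ch in enumerate(known_password):
        substitute = "b" if ch != "b" else "c"
        probe = known_password[:i] + substitute + known_password[i + 1:]
        if not verify(probe):
            checked += 1
    return checked


def legacy_verify(candidate, stored="Tr0ub4dor&3"):
    """Constructed verifier that only compares the first 8 characters (hypothetical)."""
    return candidate[:8] == stored[:8]


if __name__ == "__main__":
    print(check_password("mueller1985", personal_data=["Mueller", "1985"]))
    print(checked_length(legacy_verify, "Tr0ub4dor&3"), "of", len("Tr0ub4dor&3"), "characters checked")
```

`checked_length` takes any boolean verifier, so the same probe can be pointed at a real system's verification routine with a test account whose password is known; a result smaller than the password length means the extra characters add no security.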
If the IT system technically permits it, the following general conditions should be met:
- The selection of trivial passwords (e.g. "BBBBBBBB" or "123456", names, dates of birth) should be prevented.
- Every user must be able to change his/her password at any time.
- When a new user logs in for the first time, a one-time password should be assigned, i.e. a password that needs to be changed directly after use. In networks where passwords are transmitted in unencrypted form, it is recommended to use one-time passwords at all times (see S 5.34 Use of one-time passwords).
- Unsuccessful login attempts should be rejected by a brief error message which does not contain any specific details. In particular, the message appearing in the event of unsuccessful login attempts should not indicate whether the entered user name or password (or both) were incorrect. After five successive unsuccessful attempts to enter a password for the same user ID, the authentication system should block any access for the corresponding user ID (for a certain time or permanently). The fact that a user ID has been blocked must not be recognisable in the messages appearing for all subsequent unsuccessful attempts to log in. Instead, the corresponding user should be informed that his account has been blocked via a separate route.
- When providing authentication in networked systems, the passwords should not be transmitted in unencrypted form, not even in the intranet. If authentication is performed over an insecure network, then the passwords must never be transmitted in unencrypted form.
- The password should not be displayed on the screen when it is entered.
- The passwords must be stored in the system in a secure form, for example using one-way encryption methods (hash functions).
- The system should trigger a password change regularly.
- The use of old passwords when changing the password should be prevented by the IT system (password history).
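The system-side conditions above (one-time initial password, uniform error message, lockout after five failures with a separate notification, no plaintext storage, forced change after 90 days, password history) fit in one small authentication store. This is an added example written for this page, not code from the safeguard or from any product; the lockout duration, history depth and PBKDF2 round count are assumed values, and the clock is injectable so that the 90-day rule can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

# S 2.11 names five attempts and 90 days; the remaining values are assumptions.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 30 * 60
MAX_AGE_SECONDS = 90 * 24 * 3600
HISTORY_DEPTH = 5
PBKDF2_ROUNDS = 100_000
GENERIC_ERROR = "Login failed."      # identical wording for every failure cause


def derive(password, salt):
    """Salted one-way hash: the stored value cannot be turned back into the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    changed_at: float
    must_change: bool = False        # one-time initial password still in force
    failed_attempts: int = 0
    locked_until: float = 0.0
    history: list = field(default_factory=list)   # earlier (salt, digest) pairs


class AuthStore:
    def __init__(self, clock=time.time):
        self.accounts = {}
        self.clock = clock           # injectable for testing the age rule
        self.out_of_band = []        # lock notices delivered via a separate route

    def create_user(self, name, one_time_password):
        salt = os.urandom(16)
        self.accounts[name] = Account(salt, derive(one_time_password, salt),
                                      self.clock(), must_change=True)

    def _matches(self, account, password):
        return hmac.compare_digest(derive(password, account.salt), account.digest)

    def login(self, name, password):
        """Return (success, message). The message never reveals whether the user
        name or the password was wrong, nor whether the account is locked."""
        now = self.clock()
        account = self.accounts.get(name)
        if account is None:
            derive(password, b"\x00" * 16)   # spend the same effort for unknown users
            return False, GENERIC_ERROR
        if now < account.locked_until:
            return False, GENERIC_ERROR      # refused even with the correct password
        if not self._matches(account, password):
            account.failed_attempts += 1
            if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
                account.locked_until = now + LOCKOUT_SECONDS
                self.out_of_band.append((name, "account locked after repeated failed logins"))
            return False, GENERIC_ERROR
        account.failed_attempts = 0
        if account.must_change or now - account.changed_at >= MAX_AGE_SECONDS:
            return True, "PASSWORD_CHANGE_REQUIRED"
        return True, "OK"

    def change_password(self, name, old_password, new_password):
        now = self.clock()
        account = self.accounts.get(name)
        if account is None or now < account.locked_until or not self._matches(account, old_password):
            return False, GENERIC_ERROR
        # Password history: reject the current and the last HISTORY_DEPTH passwords.
        for salt, digest in [(account.salt, account.digest)] + account.history:
            if hmac.compare_digest(derive(new_password, salt), digest):
                return False, "New password was used before."
        account.history = ([(account.salt, account.digest)] + account.history)[:HISTORY_DEPTH]
        account.salt = os.urandom(16)
        account.digest = derive(new_password, account.salt)
        account.changed_at = now
        account.must_change = False
        return True, "OK"


if __name__ == "__main__":
    store = AuthStore()
    store.create_user("alice", "Init-Pass-42")
    print(store.login("alice", "Init-Pass-42"))        # change required on first login
    print(store.change_password("alice", "Init-Pass-42", "Tr0ub4dor&3"))
    print(store.login("alice", "wrong"))                # generic error only
```

Note that the lock notice goes into `out_of_band` rather than into the login response, and that `change_password` re-derives the candidate under each historical salt, so the history never needs plaintext copies of old passwords.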
Review questions:
- Is there a binding provision for using passwords?
- Were the users instructed to use sufficiently complex passwords in line with the protection requirements?
- Were the users instructed not to disclose their password?
- Has it been tested how many characters of the password the IT system actually checks?
- Are the passwords changed at regular intervals?
- Are the passwords changed immediately once they become known or allegedly become known to unauthorised persons?
- In the event of unsuccessful log-in attempts: Is the user not informed of whether user name and/or password were incorrect?