Appendix C

Guide to Password Selection and Management

Passwords should be changed regularly; experts suggest that a password be used for no longer than three to six months. Systems that support password expiration should be configured to expire passwords within this range. Furthermore, users are advised to change the initial password on a new account immediately, since in most cases, once a password has been changed, even system administrators have no way of learning a well-chosen password.

Passwords should never be reused. Systems that can prohibit the reuse of old passwords when a new password is selected should be configured to do so, keeping a history of at least seven old passwords that are disallowed.

User accounts should be deactivated when multiple unsuccessful attempts are made to enter the password, since this is often a sign that an unauthorized user is attempting to break in. Experts recommend a maximum of three to five attempts; systems that can lock accounts after unsuccessful tries should be configured accordingly, with the limit chosen according to the sensitivity of the system. When a user account is locked, the authorized user generally has to call the system administrator to have a new password set.
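The three account-management controls above (expiry after three to six months, a history of seven disallowed passwords, and lockout after three to five failures) can be implemented together. The following is an added example written for this appendix, not code from the document or any particular system; the concrete values (90 days, 7 history entries, 3 attempts, the PBKDF2 iteration count) are assumptions picked from the ranges the text gives, and the user "jsmith" and the sample passwords are constructed.

```python
"""Password lifecycle controls: expiry, reuse history and lockout (added example)."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Concrete parameters are assumptions chosen from the ranges the appendix gives.
MAX_PASSWORD_AGE = timedelta(days=90)   # three months, the low end of 3-6 months
HISTORY_SIZE = 7                        # minimum history the appendix recommends
MAX_FAILED_ATTEMPTS = 3                 # low end of the 3-5 attempt range
PBKDF2_ITERATIONS = 50_000              # illustrative; tune for the deployment


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256: only the hash is stored, never the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(password, entry):
    """Constant-time comparison of a candidate against a stored (salt, digest)."""
    salt, digest = entry
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class Account:
    def __init__(self, username, initial_password, now):
        self.username = username
        self.history = []           # (salt, digest) pairs, newest last
        self.failed_attempts = 0
        self.locked = False
        self.must_change = True     # initial password must be replaced at first use
        self._store(initial_password, now)

    def _store(self, password, now):
        self.history.append(hash_password(password))
        del self.history[:-HISTORY_SIZE]   # keep only the last HISTORY_SIZE entries
        self.password_set_at = now

    def authenticate(self, password, now):
        if self.locked:
            return "locked"
        if not matches(password, self.history[-1]):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked = True          # only an administrator reset unlocks it
                return "locked"
            return "bad_password"
        self.failed_attempts = 0
        if self.must_change or now - self.password_set_at > MAX_PASSWORD_AGE:
            return "change_required"
        return "ok"

    def change_password(self, old, new, now):
        if self.locked:
            return "locked"
        if not matches(old, self.history[-1]):
            return "bad_password"
        # Reject any password that matches one of the retained history entries.
        if any(matches(new, entry) for entry in self.history):
            return "reused"
        self._store(new, now)
        self.must_change = False
        return "changed"

    def admin_reset(self, new_password, now):
        """Administrator sets a fresh password; the user must change it at next login."""
        self.locked = False
        self.failed_attempts = 0
        self.must_change = True
        self._store(new_password, now)


def run_scenario():
    """Walk a constructed account through first login, reuse, expiry and lockout."""
    t0 = datetime(2024, 1, 1)
    acct = Account("jsmith", "Init!al1", t0)
    events = [
        acct.authenticate("Init!al1", t0),                      # change_required
        acct.change_password("Init!al1", "Init!al1", t0),       # reused
        acct.change_password("Init!al1", "1itl#bHN", t0),       # changed
        acct.authenticate("1itl#bHN", t0 + timedelta(days=30)), # ok
        acct.authenticate("1itl#bHN", t0 + timedelta(days=120)),# change_required
    ]
    for _ in range(MAX_FAILED_ATTEMPTS):                        # two bad, then locked
        events.append(acct.authenticate("wrong", t0))
    events.append(acct.authenticate("1itl#bHN", t0))            # still locked
    acct.admin_reset("Tmp0#pass", t0)
    events.append(acct.authenticate("Tmp0#pass", t0))           # change_required
    return events


if __name__ == "__main__":
    print(run_scenario())
```

The history check compares the candidate against every retained hash, so a reused password is caught even though each entry has its own salt; the lockout is a simple counter that only an administrator reset clears, matching the procedure the text describes.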

Passwords should be selected that are difficult to guess. Passwords should not be middle names, phone numbers, pet names, or variations on the username (login name). In addition, a password should not be any word found in a dictionary, either forward or backward, since dictionary searches can be automated. Passwords should be at least six characters long and contain a mix of upper- and lower-case alphabetic characters together with non-alphabetic characters (numerals or punctuation).

A good way to build a password is to take a phrase that you can easily remember and encode it with numbers and symbols. For example, "One is the loneliest number by Harry Nilsson" can be used to build the password 1itl#bHN, and "sixteen ounces per pound" could become 16Oz/#.
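The selection rules above can be enforced at the point where a new password is chosen. The following checker is an added example, not code from the document: it applies the length and character-mix rules, the forward-and-backward dictionary test, the username-variation test, and a test against user-supplied personal items such as a pet name or phone number. The word list, the username "jsmith" and the personal items are constructed stand-ins; a real system would use its full dictionary. The two passwords built from phrases above are used as inputs that should pass.

```python
"""Password selection policy check (added example)."""
import re

MIN_LENGTH = 6
# Small constructed word list standing in for a system dictionary (assumption).
DICTIONARY = {"password", "secret", "dragon", "welcome", "monkey", "letmein", "ounces"}


def _digits(text):
    """Digits only, so a phone number matches regardless of punctuation."""
    return re.sub(r"\D", "", text)


def check_password(password, username, personal_info=(), dictionary=DICTIONARY):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(not c.isalpha() for c in password):
        problems.append("no numeral or punctuation")

    # Alphabetic core: what an automated dictionary search would try after
    # stripping digits and punctuation, compared forward and backward.
    core = "".join(c for c in password if c.isalpha()).lower()
    if core in dictionary or core[::-1] in dictionary:
        problems.append("dictionary word (forward or backward)")

    # Variations on the login name, including the name spelled backward.
    u = username.lower()
    if u and (u in lowered or u[::-1] in lowered):
        problems.append("variation on username")

    # Middle names, pet names, phone numbers: items the user or HR system supplies.
    for item in personal_info:
        if item.lower() in lowered or (_digits(item) and _digits(item) in _digits(password)):
            problems.append(f"contains personal information: {item}")

    return problems


if __name__ == "__main__":
    for candidate in ["1itl#bHN", "16Oz/#", "Dragon1!", "Jsmith99!", "Fluffy#1"]:
        print(candidate, check_password(candidate, "jsmith", ["Fluffy", "555-0199"]))
```

Returning the full list of violations rather than a single yes/no lets the system tell the user exactly which rule a rejected password broke, which is what makes a policy like this usable in practice.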