DoP Password Policy V.1.0
2. Purpose: The purpose of this policy is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency with which they are changed.
2. Scope: The scope of this
policy includes all end-users of DoP email services and personnel who have or
are responsible for an account (or any form of access that supports or requires
a password) on any system/ service in the India Post domain. These include
personnel with their designated desktop systems/ laptops. The scope also
includes designers and developers of individual applications.
3. Policy:
3.1 Policy Statements:
3.1.1 For users having accounts for accessing
systems/ services:
3.1.1.1 Users shall be responsible for all activity performed with their personal user IDs. Users shall not permit others to perform any activity with their user IDs, nor perform any activity with IDs belonging to other users.
3.1.1.2 All user-level passwords (e.g. email, web, desktop computer etc.) shall be changed periodically. Presently the email password expiry period is configured as 90 days. A similar expiry limit will be imposed on other applications in future. The IA of the respective application will notify users well in advance of the expiry of their password, and users shall change the password when so notified. Users shall not be able to reuse previous passwords.
3.1.1.3 The password expiry period is subject to
revision by the competent authority.
3.1.1.4 For Password Change Control, both the old and the new password shall be supplied whenever a password is changed.
3.1.1.5 Passwords shall not be stored in readable
form in batch files, automatic logon scripts, Internet browsers or related data
communication software, in computers without access control, or in any other
location where unauthorized persons might discover or use them.
3.1.1.6 All access codes including user ID passwords,
network passwords, PINs etc. shall be treated as sensitive and confidential
information and not be shared with anyone, including personal assistants or secretaries.
3.1.1.7 All PINs (Personal Identification Numbers) shall be constructed with the same rules that apply to fixed passwords.
3.1.1.8 Passwords shall not be communicated to anyone by email, by phone or through any other form of electronic communication.
3.1.1.9 Passwords shall not be revealed on
questionnaires or security forms.
3.1.1.10 Passwords of
personal accounts should not be revealed to the controlling officer or any
co-worker even while on vacation unless permitted to do so by designated
authority.
3.1.1.11 The same password shall not be used across the systems / applications to which a user has been granted access; e.g. a Windows account and a UNIX account shall have separate passwords.
3.1.1.12 The "Remember Password" feature of
browser/applications shall not be used.
3.1.1.13 Users shall decline any offer by software to place a cookie on their computer that would log them on automatically the next time they visit a particular Internet site.
3.1.1.14 First-time login to systems / services with an administrator-created password shall force the user to change the password.
3.1.1.15 If the password is shared with support
personnel for resolving problems relating to any service, it shall be changed
immediately after the support session.
3.1.1.16 The password shall be changed immediately if
the password is suspected of being disclosed or known to have been disclosed to
an unauthorized party.
3.1.1.17 Users must not be able to reuse their last 5
passwords when choosing a new password.
3.1.1.18 Users shall be locked out for the next 30 minutes after 5 successive failed logon attempts (incorrect user ID/password).
3.1.1.19 Password should comply with the standards as
specified in Para 3.2.
3.1.2 For designers/developers of applications /
sites:
3.1.2.1 No password shall travel in clear text; the hashed form of the password shall be used instead. To prevent replay of a captured hash, it shall be combined with a randomization parameter (a fresh random nonce issued by the server for each login attempt), so that the value sent is valid only once. This does not remove the need for an encrypted transport, which protects the rest of the session.
3.1.2.2 The backend database shall store only a salted, one-way hash of each individual password and never the password in readable form.
3.1.2.3 Password should comply with the standards as
specified in Para 3.2.
3.1.2.4 Users shall be required to change their password periodically and shall not be able to reuse any of their last 5 passwords.
3.1.2.5 For Password Change Control, both the old and the new password shall be supplied whenever a password is changed.
3.2 Policy for constructing a password: All user-level and system-level passwords shall conform to the following guidelines:
3.2.1 The password shall contain more than eight
characters.
3.2.2 The password shall combine upper and lower case letters (a-z, A-Z), digits (0-9) and punctuation or other special characters (e.g. !@#$%^&*()_+|~-=\`{}[]:";'<>?,./).
3.2.3 The password shall not be a word found in a
dictionary (English or foreign).
3.2.4 The password shall never be the same as the Login ID / User Name, nor a derivative of the user ID, e.g. <username>123. It shall also not contain the user's account name, or any part of the user's full name longer than two consecutive characters.
3.2.5 The password shall not be a slang, dialect or jargon word etc.
3.2.6 The password shall not be a common usage word
such as names of family, pets, friends, co-workers, fantasy characters etc.
3.2.7 The password shall not be based on computer
terms and names, commands, sites, companies, hardware and software.
3.2.8 The password shall not be based on birthdays
and other personal information such as addresses and phone numbers.
3.2.9 The password shall not be a word or number
pattern like aaabbb, qwerty, zyxwvuts, 123321 etc. or any of the above spelled
backwards.
3.2.10 The password shall not be any of the above
preceded or followed by a digit (e.g., secret1, 1secret ).
3.2.11 Passwords shall not consist of a fixed part combined with a part that changes predictably from one password to the next (e.g. the same word followed by an incrementing number).
3.3 Suggestions for choosing passwords: Passwords may be chosen such that they are difficult to guess yet easy to remember. Methods such as the following may be employed. Whatever method is used, the result must still satisfy Para 3.2, and a single transformed word (3.3.2, 3.3.3, 3.3.5, 3.3.6) remains much weaker than a long pass-phrase (3.3.1), since password-guessing tools routinely try such transformations:
3.3.1 String together several words to form a
pass-phrase as a password.
3.3.2 Transform a regular word according to a
specific method e.g. making every other letter a number reflecting its position
in the word.
3.3.3 Combine punctuation and/or numbers with a
regular word.
3.3.4 Create acronyms from words in a song, a poem
or any other known sequence of words.
3.3.5 Bump characters in a word a certain number of letters up or down the alphabet.
3.3.6 Shift a word up, down, left or right one row
on the keyboard.
4 Responsibilities:
4.1 All individual users having accounts for accessing systems/ services in the India Post domain, and system/network administrators of DoP servers/network equipment, shall ensure implementation of and compliance with this policy.
4.2 All
designers/developers responsible for site/application development shall ensure the
incorporation of this policy in the authentication modules, registration
modules, password change modules or any other similar modules in their
applications.
5 Compliance:
5.1 Personnel
authorized as Internal Audit shall periodically review the adequacy of such controls
and their compliance.
5.2 Personnel authorized as Application Audit shall check respective applications for password complexity and password policy incorporation.