Password Policy
Many resources at our organization are protected by passwords. It is each staff member's responsibility to diligently protect the passwords they use to access these resources. Staff should recognize that failure to protect passwords can put the organization's security at serious risk.
Many of our systems enforce certain requirements for passwords when they are set by the user; however, employees should not aim to satisfy only the bare minimum that these systems require. Instead, passwords should:
- Never be so obvious that anyone could guess them.
- Always be sufficiently distinct from any expired passwords previously used. For example, you should not simply add a new digit to the end of an old password in order to satisfy the "unique password" rule.
- Always be kept private and never shared with others, not even with people you trust.
- Never be written down.
- Preferably consist of a sentence or long string of characters.
- Not be so complex that you are likely to forget them.
Note: the longer the password, the harder it is to crack or guess. Adding symbols or digits does not generally improve a password's ability to thwart attacks.
Be aware of who is watching you when you have to enter a password. If someone is at your desk and you need to enter a password, ask that person to turn away while you use the keyboard. Look behind you and around you before you enter a password to ensure nobody is watching.
Phishing
You should double-check that you are entering your password into the intended application, and not an application or website that is "spoofing" or pretending to be that application. This is a common tactic in what are called "phishing attacks": you are emailed a link to a website that asks you to log in. In a phishing attack, however, you are not taken to the actual website, but to a website that looks like the one you think you are visiting. When you enter your details into this phishing site, it collects your username and password and passes them on to hackers, who then gain unauthorized access to your account.
Two Factor Authentication
Some systems provide something called two-factor authentication. This requires a secondary device that receives a code when you log in. The regular login will challenge you to enter that code, verifying that you have that device in your possession. This is used to verify that you are the user you claim to be. If any system allows for two-factor authentication, our organization recommends that you enable it.
Accidental Disclosure
Should you disclose your password, accidentally or otherwise, you must immediately take steps to protect your account. Change your password on the account. If you are unable to do this, contact your IT department and ask them to disable your account as soon as possible. Failure to report this incident in a timely manner may result in disciplinary action.
Secure Connection
For any website where you are entering a password, ensure you are accessing the website over a secure connection. To do this, check the URL bar and look for the lock icon, which indicates that the connection is secure. This is critical because entering passwords over an insecure connection can result in the password being "sniffed" by someone on the same network who has sufficient know-how. If you use a secure connection, the likelihood of the password being sniffed is very small, if not impossible.
Form Auto-Completion
Some browsers offer to save login IDs and passwords entered in forms. This means that the data will be auto-filled in the form the next time that page is visited. We highly recommend that you disable this feature, or decline to save the details. When these forms are auto-completed, anyone who gains physical access to your machine can easily load the website and access resources without having to enter the password themselves.