DoP Password Policy V.1.0
1. Purpose: The purpose of this policy is
to establish a standard for creation of strong passwords, the protection of
those passwords, and the frequency of change of the passwords.
2. Scope: The scope of this policy
includes all end-users of DoP email services and personnel who have or are
responsible for an account (or any form of access that supports or requires a
password) on any system/ service in the India Post domain. These include
personnel with their designated desktop systems/ laptops. The scope also
includes designers and developers of individual applications.
3. Policy:
3.1
Policy Statements:
3.1.1
For users having accounts for accessing
systems/ services:
3.1.1.1
Users shall be responsible for all activity performed with
their personal user Ids. Users shall not permit others to perform any activity
with their user Ids or perform any act ivity with Ids belonging to other users.
3.1.1.2
All user-level passwords (e.g. email, web, desktop computer
etc.) shall be changed periodically. Presently the email password expiry period
is configured as 90 days. Similar expiry limit will be imposed on other
applications in future. The IA of the respective application will suitably
notify to the users about expiry of the password well in advance. In such case
the users are required to change the password. Users shall not be able to reuse
previous passwords.
3.1.1.3
The password expiry period is subject to revision by the
competent authority.
3.1.1.4
For Password Change Control, both the old and new passwords
are required to be given whenever a password change is required.
3.1.1.5
Passwords shall not be stored in readable form in batch
files, automatic logon scripts, Internet browsers or related data communication
software, in computers without access control, or in any other location where
unauthorized persons might discover or use them.
3.1.1.6
All access codes including user ID passwords, network
passwords, PINs etc. shall be treated as sensitive and confidential information
and not be shared with anyone, including personal assistants or secretaries.
3.1.1.7
All PINs (Personal Identificat ion Numbers) shall be
constructed with the same rules that apply to fixed passwords.
3.1.1.8
Passwords must not be communicated through email messages or
other forms of electronic communication such as phone to anyone.
3.1.1.9
Passwords shall not be revealed on questionnaires or security
forms.
3.1.1.10 Passwords
of personal accounts should not be revealed to the controlling officer or any
co-worker even while on vacation unless permitted to do so by designated
authority.
3.1.1.11
The same password shall not be used for each of the systems /
applications to which an user has been granted access e.g. separate password to
be used for a Windows account and an UNIX account .
3.1.1.12
The "Remember Password" feature of browser/applications
shall not be used.
3.1.1.13
Users shall refuse all offers by software to place a cookies on
their computer such that they can automatically log on the next time when they
visit a particular Internet site.
3.1.1.14 First
time login to systems / services with administ rator createdpasswords, should
force changing of password by the user.
3.1.1.15
If the password is shared with support personnel for resolving problems
relating to any service, it shall be changed immediately after the support
session.
3.1.1.16
The password shall be changed immediately if the password is
suspected of being disclosed or known to have been disclosed to an unauthorized
party.
3.1.1.17
Users must not be able to reuse their last 5 passwords when
choosing a new password.
3.1.1.18
Users must be locked out for next 30 minutes after 5 successive
failed logon attempts due to incorrect user id/password.
3.1.1.19
Password should comply with the standards as specified in Para 3.2.
3.1.2
For designers/developers of applications /
sites:
3.1.2.1
No password shall be traveling in clear text; the hashed form
of the password should be used. To get around the possibility of replay of the
hashed password, it shall be used along with a randomization parameter.
3.1.2.2
The backend database shall store hash of the individual
passwords and never passwords in readable form.
3.1.2.3
Password should comply with the standards as specified in
Para 3.2.
3.1.2.4
Users shall be required to change their password periodically
and not be able to reuse last 05 passwords.
3.1.2.5
For Password Change Control, both the old and new passwords
are required to be given whenever a password change is required.
3.2
Policy for constructing a password: All user-level and system-level passwords
must conform to the following general guidelines described below:
3.2.1
The password shall contain more than eight
characters.
3.2.2
The password shall be a combination of
upper and lower case characters (e.g. a-z, A-Z), digits (e.g. 0-9) and
punctuation characters as well and other characters (e.g., !@# $%^ &* ()_+
| ~ -= \ ` { } [ ] :"; '< > ?,./ ).
3.2.3
The password shall not be a word found in a
dictionary (English or foreign).
3.2.4
The password shall never be the same as the
Login Id / User Name as well as not be a derivative of the user ID, e.g. <
username> 123. I t should also not contain the user's account name or parts
of the user's full name that exceed two consecutive characters.
3.2.5
The password shall not be a slang, dialect,
jargon etc.
3.2.6
The password shall not be a common usage
word such as names of family, pets, friends, co-workers, fantasy characters
etc.
3.2.7
The password shall not be based on computer
terms and names, commands, sites, companies, hardware and software.
3.2.8
The password shall not be based on
birthdays and other personal information such as addresses and phone numbers.
3.2.9
The password shall not be a word or number
pattern like aaabbb, qwerty, zyxwvuts, 123321 etc. or any of the above spelled
backwards.
3.2.10
The password shall not be any of the above preceded or
followed by a digit (e.g., secret1, 1secret ).
3.2.11
Passwords shall not be such that they combine a set of
characters that do not change with a set of characters that predictably change.
3.3
Suggestions for choosing passwords: Passwords may be chosen such that they are
difficult-to-guess yet easy-to-remember. Methods such as the following may be
employed:
3.3.1
String together several words to form a
pass-phrase as a password.
3.3.2
Transform a regular word according to a
specific method e.g. making every other letter a number reflecting its position
in the word.
3.3.3
Combine punctuation and/or numbers with a
regular word.
3.3.4
Create acronyms from words in a song, a
poem or any other known sequence of words.
3.3.5
Bump characters in a word a certain number
of letters up or down the alphabet .
3.3.6
Shift a word up, down, left or right one
row on the keyboard.
4 Responsibilities:
4.1 All
individual users having accounts for accessing systems/ services in the India
Post domain and system/network administrators of DoP servers/network
equipments shall ensure implementation of and compliance to this policy.
4.2 All
designers/developers responsible for site/application development shall ensure
the incorporation of this policy in the authentication modules, registration
modules, password change modules or any other similar modules in their
applications.
5 Compliance:
5.1 Personnel
authorized as Internal Audit shall periodically review the adequacy of such
controls and their compliance.
5.2 Personnel
authorized as Application Audit shall check respective applications for
password complexity and password policy incorporation.
No comments:
Post a Comment