14 Best Practices for Password Security

Here are 14 Best Practices for Password Security:

  1. Passwords must comply with organization security standards
    • Password requirement (strong): upper-case letters, lower-case letters, digits (0-9), and non-alphabetic characters (~!#$%^&*) in positions 2-6
    • Use of pass phrases is best: a long pass phrase is stronger than a short password that merely satisfies the character rules
  2. Passwords should be changed every 90 days, and immediately if compromise is suspected (see item 14)
    • A new password cannot match any of the previous 4 passwords
  3. 5 consecutive unsuccessful login attempts will lock the account
  4. Systems and browsers should not be configured to remember (cache) passwords
  5. NEVER share passwords for any reason – All passwords are to be treated as sensitive.
  6. Never write down a password and leave it where others can see it
  7. Do not use the same password for different applications
  8. Do not reuse an organization password for non-organization (personal or third-party) applications
  9. Passwords should not be sent in email messages or other electronic communications, except for new user account creation, in which case the initial password must be changed at first login
  10. Passwords are not to be revealed over the phone to anyone unless IT staff are performing a password reset for a validated user
  11. Passwords are not to be revealed on questionnaires or security forms
  12. Passwords should not be shared with anyone, including administrative assistants, secretaries, managers, co-workers covering for you while on vacation, and family members
  13. Do not store passwords in a file on a computer or mobile device (phone, tablet) unless the file is encrypted; a password manager with an encrypted vault meets this requirement
  14. Users who suspect that their password may have been compromised should immediately report the incident to IT staff, who will help the user change all passwords
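Items 1 to 3 are the rules a password-change and login routine has to enforce. The Python below is an added example written for this page, not code from the original document or from any organization's systems. It assumes a 12-character minimum (the list sets none), stores salted PBKDF2-HMAC-SHA256 hashes with 100,000 iterations (an assumed figure; production deployments should use more), and reads "last 4 changes" as: the new password must differ from the current one and from the 4 passwords before it. Old passwords are kept only as hashes, so the history check never requires storing a password in clear.

```python
"""Added example: enforcing the composition, history and lockout rules
(items 1-3 of the list above). Not taken from the original page."""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SPECIALS = set("~!#$%^&*")   # item 1: the accepted non-alphabetic characters
MIN_LENGTH = 12              # assumption: the list states no minimum length
HISTORY_DEPTH = 4            # item 2: no reuse of the previous 4 passwords
MAX_FAILURES = 5             # item 3: lock after 5 unsuccessful attempts
PBKDF2_ITERATIONS = 100_000  # assumption; raise for production use


def check_composition(pw: str) -> List[str]:
    """Return the item-1 rules the candidate violates; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit 0-9")
    # "positions 2-6" counts from 1, so the window is the slice [1:6].
    if not any(c in SPECIALS for c in pw[1:6]):
        problems.append("no special character (~!#$%^&*) in positions 2-6")
    return problems


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; only the (salt, digest) pair is ever stored."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(pw: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored (salt, digest) pair."""
    _, candidate = hash_password(pw, salt)
    return secrets.compare_digest(candidate, digest)


@dataclass
class Account:
    username: str
    current: Optional[Tuple[bytes, bytes]] = None                     # (salt, digest)
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # previous, newest first
    failures: int = 0
    locked: bool = False

    def set_password(self, new_pw: str) -> None:
        """Apply item 1 (composition) and item 2 (history) before storing the new hash."""
        problems = check_composition(new_pw)
        if problems:
            raise ValueError("policy violation: " + "; ".join(problems))
        # Item 2: reject the current password and the previous HISTORY_DEPTH ones.
        recent = ([self.current] if self.current is not None else []) + self.history
        for salt, digest in recent:
            if verify_password(new_pw, salt, digest):
                raise ValueError(
                    f"policy violation: password used within the last {HISTORY_DEPTH} changes")
        if self.current is not None:
            self.history = [self.current] + self.history[:HISTORY_DEPTH - 1]
        self.current = hash_password(new_pw)

    def login(self, pw: str) -> bool:
        """Item 3: MAX_FAILURES consecutive failures lock the account; a success resets the count."""
        if self.locked or self.current is None:
            return False
        salt, digest = self.current
        if verify_password(pw, salt, digest):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True
        return False


if __name__ == "__main__":
    acct = Account("alice")                 # constructed sample account
    acct.set_password("Aa1!aaaaaaaa")
    print(check_composition("Aa1aaaaaaaa!"))  # special character outside positions 2-6
    for _ in range(MAX_FAILURES):
        acct.login("wrong-guess")
    print("locked:", acct.locked)
```

Once the account is locked, even the correct password is refused; unlocking is an administrative action outside this example. The lockout counter is per account and is reset only by a successful login, so an attacker who interleaves guesses with the real user's logins cannot trigger a lock faster than the policy allows.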