 

» IT Security Group «

Rules for the use of a password


If passwords are used for authentication in an IT system, the security of entry to the system and of its access rights depends crucially on the password being used correctly.
(The following text is in part an excerpt from information published by the Federal Office for Information Security.)

The following must be obeyed:

  • The password must be changed yearly.

  • A history of the most recent passwords is stored. The last 3 passwords cannot be reused.

  • The following fundamental rules must be obeyed; otherwise the new password will not be accepted:

    • at least 8 characters
    • at least one special character
    • no dictionary words, names, license plates, dates of birth, etc.

  • A proven method for creating a password is to use the initial letters of a sentence; for example, "Jackdaws love my big sphinx of quartz!" becomes "Jlmbsoq!".

  • Passwords must not be stored on programmable function keys.

  • The password must be kept secret and must only be known to the user personally. 

  • The password should be written down only if it is then kept safely in a sealed envelope. If it is noted anywhere else, it must be kept at least as safely as a cheque card or a banknote.

  • The password must be changed if it has become known to unauthorized persons.

  • The password should be entered unobserved.
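
The acceptance rules above (at least 8 characters, one special character, no dictionary words, last 3 passwords refused) can be enforced when a password is changed. The following is an added example, not code from this site: the blocklist, the PBKDF2 parameters and all function names are assumptions, and the history is kept as salted hashes rather than plaintext.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 8        # "minimum 8 characters"
HISTORY_DEPTH = 3     # "the last 3 passwords are not permitted"
# Constructed stand-in for a real dictionary / names / plates blocklist.
BLOCKLIST = {"password", "jackdaws", "sphinx", "quartz"}

def _digest(password, salt):
    # Assumption: PBKDF2-HMAC-SHA256; the page does not say how history is stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def check_new_password(password, history):
    """Return the list of violated rules; an empty list means accepted.
    history is a list of (salt, digest) tuples, oldest first."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not any(not c.isalnum() and not c.isspace() for c in password):
        problems.append("no special character")
    lowered = password.lower()
    if any(word in lowered for word in BLOCKLIST):
        problems.append("contains a dictionary word")
    # Each stored entry has its own salt, so re-derive per entry and
    # compare in constant time.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(_digest(password, salt), digest):
            problems.append("matches one of the last 3 passwords")
            break
    return problems

def change_password(password, history):
    """Return (problems, new_history); history only changes on success."""
    problems = check_new_password(password, history)
    if problems:
        return problems, history
    salt = os.urandom(16)
    updated = history + [(salt, _digest(password, salt))]
    return [], updated[-HISTORY_DEPTH:]

if __name__ == "__main__":
    history = []
    for candidate in ["Jlmbsoq", "Jlmbsoq!", "Jlmbsoq!"]:
        problems, history = change_password(candidate, history)
        print(candidate, "->", problems or "accepted")
```
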

Last update: 27. Aug. 2009 by reinhardt