password
A secret string of characters used to authenticate a specific, authorized user of a computer system, a network, or a resource; the user name identifies the account, and the password proves that the person presenting it is entitled to use it.
In general, passwords should be a mixture of upper- and lowercase letters and numbers and should be more than six characters long. Here are some general guidelines:
- Passwords should be kept secret and changed frequently. The worst passwords are the obvious ones: people's names or initials, place names, phone numbers, birth dates, and anything to do with computers or Star Trek. There are a limited number of words in the English language, and it is easy for a computer to try them all relatively quickly (a dictionary attack).
- Change all passwords every 90 days, and change those associated with high-security privileges every month. Some network operating systems require that passwords expire even more frequently; for example, in NetWare 5, passwords expire after 40 days by default.
- Some systems provide default passwords, such as MANAGER, SERVICE, or GUEST, as part of the installation process. These default passwords should be changed immediately, before the system is connected to the network.
- Limit each user to one concurrent session per system.
- Do not allow more than two or three invalid password attempts before disconnecting or locking the account.
- Do not allow generic (shared) accounts; every account should belong to one identifiable person so that activity can be attributed.
- Promptly remove the accounts of transferred or terminated people, as well as all unused accounts.
- Review the security log files periodically, paying particular attention to repeated failed logins and to logins at unusual times.
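The guidelines above can be turned into mechanical checks. The following Python is an added example, not code from the original entry or from any product it mentions: it enforces the length and character-mix rule, rejects obvious words and personal details, stores passwords only as salted PBKDF2 hashes, locks an account after the third failed attempt, and flags passwords older than 90 days (30 days for privileged accounts). The word list, account names and the choice of PBKDF2-HMAC-SHA256 for storage are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re
from datetime import date

# Policy parameters taken from the guidelines in this entry.
MIN_LENGTH = 7                # "more than six characters"
MAX_FAILED_ATTEMPTS = 3       # lock after two or three invalid attempts
MAX_AGE_DAYS = 90             # ordinary accounts
PRIVILEGED_MAX_AGE_DAYS = 30  # high-security privileges: every month

# Constructed stand-in for a real wordlist (an assumption for this example;
# a production check would load a full dictionary plus known-breached passwords).
OBVIOUS_WORDS = {
    "password", "welcome", "letmein", "computer", "network",
    "manager", "service", "guest", "supervisor", "admin",
    "enterprise", "kirk", "spock", "picard",
}


def check_password_policy(password, personal_info=()):
    """Return a list of policy violations (an empty list means the password passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    # Strip everything but letters so "Password1" is still recognised as "password".
    core = re.sub(r"[^a-z]", "", password.lower())
    if core in OBVIOUS_WORDS:
        problems.append("dictionary word")
    # Reject names, initials, phone numbers, birth dates and similar details
    # that an attacker could learn about the user.
    flat = re.sub(r"[^a-z0-9]", "", password.lower())
    for item in personal_info:
        item_flat = re.sub(r"[^a-z0-9]", "", str(item).lower())
        if len(item_flat) >= 3 and item_flat in flat:
            problems.append("contains personal information: %s" % item)
            break
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the system stores (salt, digest), never the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison so timing does not leak how many bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


class LoginGuard:
    """Counts failed attempts per account and locks it after MAX_FAILED_ATTEMPTS."""

    def __init__(self, max_failures=MAX_FAILED_ATTEMPTS):
        self.max_failures = max_failures
        self.failures = {}
        self.locked = set()

    def attempt(self, user, password, salt, digest):
        """Return "ok", "denied" or "locked" for one login attempt."""
        if user in self.locked:
            return "locked"          # refuse even a correct password once locked
        if verify_password(password, salt, digest):
            self.failures.pop(user, None)
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)
            return "locked"
        return "denied"


def password_expired(last_changed, privileged=False, today=None):
    """True when the password is older than the limit for this kind of account."""
    today = today or date.today()
    limit = PRIVILEGED_MAX_AGE_DAYS if privileged else MAX_AGE_DAYS
    return (today - last_changed).days > limit


if __name__ == "__main__":
    # Constructed sample: a Star Trek password built from the user's own details.
    print(check_password_policy("Kirk1701", ["James Kirk", "1701"]))
    salt, digest = hash_password("Tr4vel-Lamp9")
    guard = LoginGuard()
    for guess in ("wrong1", "wrong2", "wrong3", "Tr4vel-Lamp9"):
        print(guess, "->", guard.attempt("alice", guess, salt, digest))
```

The lockout deliberately refuses the correct password once the threshold is reached, which is what "disconnecting" after a few bad attempts achieves; an administrator (or a timed reset) has to clear the lock. One caveat a practitioner would add today: current guidance such as NIST SP 800-63B favours long passphrases and screening against breached-password lists over composition rules and forced periodic changes, so treat the 90-day and character-class rules above as a floor from the era of the entry rather than as the whole policy.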
See also authentication; Challenge-Handshake Authentication Protocol; Password Authentication Protocol.