One of the key control objectives under ISO 27001 is the user’s responsibility to prevent unauthorised access to systems: access that could compromise information, allow it to be stolen, or compromise the facility that holds it.
One of the key safeguards is good security practice in the selection and use of passwords.
Information processing systems should encourage the use of good quality passwords by:
- Asking employees to sign an agreement to keep their passwords confidential and including this within their conditions of employment
- Providing users with an initial secure temporary password that they are forced to change on first use
- Verifying the user’s identity before providing, in a secure manner, a new password
- Enforcing the use of “good quality passwords” – see below
- Enforcing password changes (after a set period of time, for example, and immediately whenever a password is suspected of having been compromised)
- Preventing re-use of previously used passwords
Good quality passwords are:
- Easy to remember
- Not easily guessable (not based on your name, telephone number, date of birth)
- Not in the dictionary
- Free of consecutive identical characters, and neither all-numeric nor all-alphabetic (not “abc123”, “123456” or “abcdef”)
This advice for choosing a memorable password would be a good start.
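As an added example, not part of the original page, the following Python checker applies the “good quality” rules listed above together with the re-use check from the list of system safeguards. The minimum length, the word list, the permitted run of identical characters, the PBKDF2 iteration count and the history depth are assumed tunables rather than values from the page, and the check for sequential characters such as “abc” or “321” goes beyond the page’s list (the page’s own “abc123” example suggests it).

```python
import hashlib
import hmac
import os
import re

# Constructed word list for the example; a deployment would load a real
# dictionary or a breached-password list instead.
DICTIONARY = {"password", "welcome", "letmein", "dragon", "monkey", "football", "summer"}

# Assumed tunables (not values from the page).
MIN_LENGTH = 12
MAX_IDENTICAL_RUN = 2      # "aaa" is rejected; set to 1 to forbid any adjacent repeat
PBKDF2_ROUNDS = 600_000    # OWASP's 2023 figure for PBKDF2-HMAC-SHA256
HISTORY_DEPTH = 12         # how many previous passwords may not be re-used


def _personal_tokens(name, phone, dob):
    """Substrings a guesser would try first: name parts, phone digits, date-of-birth forms."""
    tokens = set()
    for part in re.split(r"\W+", name.lower()):
        if len(part) >= 3:
            tokens.add(part)
    digits = re.sub(r"\D", "", phone)
    if len(digits) >= 4:
        tokens.add(digits)
        tokens.add(digits[-4:])            # last four digits are a favourite suffix
    d = re.sub(r"\D", "", dob)             # dob assumed as YYYY-MM-DD
    if len(d) == 8:
        y, m, day = d[:4], d[4:6], d[6:]
        tokens.update({d, day + m + y, y, y[2:] + m + day, day + m + y[2:]})
    return tokens


def _has_identical_run(pw, max_run):
    """True if any character repeats more than max_run times in a row."""
    return re.search(r"(.)\1{%d,}" % max_run, pw) is not None


def _has_sequence(pw, length=3):
    """True for ascending or descending runs such as 'abc', '123' or '321'."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - length + 1):
        diffs = {codes[j + 1] - codes[j] for j in range(i, i + length - 1)}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_quality(pw, name="", phone="", dob=""):
    """Return the list of rules the password fails; an empty list means it passes."""
    failures = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        failures.append("too short")
    if any(tok in low for tok in _personal_tokens(name, phone, dob)):
        failures.append("based on personal details")
    stem = re.sub(r"\d+$", "", low)        # "summer2024" -> "summer"
    if low in DICTIONARY or stem in DICTIONARY:
        failures.append("dictionary word")
    if pw.isdigit():
        failures.append("all numeric")
    if pw.isalpha():
        failures.append("all alphabetic")
    if _has_identical_run(pw, MAX_IDENTICAL_RUN):
        failures.append("repeated characters")
    if _has_sequence(pw):
        failures.append("sequential characters")
    return failures


def hash_password(pw, salt=None):
    """Salted PBKDF2-HMAC-SHA256 record (salt, digest) for the password history."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def reused(pw, history):
    """True if pw matches any of the last HISTORY_DEPTH (salt, digest) records."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(pw, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def evaluate_change(new_pw, history, **user):
    """Full check for a password change: quality rules plus the re-use rule."""
    failures = check_quality(new_pw, **user)
    if reused(new_pw, history):
        failures.append("previously used")
    return failures


if __name__ == "__main__":
    history = [hash_password("OldPassw0rd!x1")]   # constructed prior password
    print(evaluate_change("abc123", history, name="Alice Smith", dob="1990-03-15"))
    print(evaluate_change("OldPassw0rd!x1", history))
    print(evaluate_change("Tr0ub4dor&3-viola", history, name="Alice Smith"))
```

The history is kept as salted hashes rather than plaintext so that preventing re-use does not itself create a store of old passwords worth stealing; each candidate is re-derived with the stored salt and compared in constant time.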