Password Policy

arifakyuz

What should a strong password policy look like?

1. The password length for end users must be at least 10 characters.
2. The password length for admin accounts must be at least 14 characters.
3. The password length for system and service accounts must be at least 20 characters.

4. Passwords must contain at least one number, one uppercase letter and one lowercase letter.

• They must also contain characters from at least three of the following groups:
• Uppercase letters (e.g. ABCDEFG…)
• Lowercase letters (e.g. abcdefg…)
• Numbers (e.g. 1234567890)
• Punctuation (e.g. !?., etc.)
• Special characters (e.g. @#$%^&*()_+|~-='{}[]:";'<>/ etc.)

5. Passwords should not contain personal information:
• Names of family members, the company name, dates of birth, telephone numbers or address information.
• Repeated or sequential strings of letters or numbers should not be used (e.g. aaabbb, qwerty, zyxwvuts, 12345678, 123321, etc.).

6. All system-level passwords (e.g. root, administrator, enable, etc.) must be changed at least once every 90 days.
• All user-level passwords (e.g. email, web, desktop, applications, etc.) must be changed at least once every 90 days.
• System administrators should use a different password for each system.
• Passwords should not be sent in e-mail messages or entered on any electronic form.
• Passwords should not be written down anywhere.
• Passwords must have strong characteristics (e.g. sufficient length, character variation, non-dictionary expressions, etc.).
• Accounts opened for external persons who are not employees of the institution should also have strong passwords that cannot be easily cracked.

7. Password Creation Considerations
Passwords must avoid the "weak password" characteristics detailed below and must comply with the "strong password" characteristics.

Weak Passwords
Weak passwords have the following characteristics, and users should avoid choosing passwords with any of them:
● Passwords of 6 or fewer characters.
● Passwords with a common value, such as the following.
● Passwords with no complexity, i.e. not composed of a mix of letters and numbers.
● Words found in a dictionary.
● Computer terminology and similar names: commands, sites, companies, hardware, software, etc.
● Proper names such as "Arif", "Istanbul", "ankara".
● Personal information such as dates of birth, addresses and telephone numbers.
● Repeated or sequential letters or numbers such as aaabbb, qwerty, zyxwvuts, 123321, etc.
● Any of the words above spelled backwards.
● Any of the words above followed by numbers (e.g. hidden1, hidden2).

8. Strong passwords have the following characteristics, and users should follow these password rules:
● They contain both lowercase and uppercase characters (e.g. a-z, A-Z).
● They contain both numeric and punctuation or special characters (0-9, !@#$%^&*()_+|~-='{}[]:";'<>?,./).
● They are not dictionary words or other vocabulary items.
● They are not written down or stored electronically. When choosing a complex password, create one that can be remembered easily without writing it down anywhere. For example, "Our first quality goal is to ensure customer satisfaction!" can be turned into "1Kh,MmS!" or a derivative of it.
● The password policy that must be applied within the institution requires passwords of at least 8 characters containing at least one uppercase letter, at least one lowercase letter and at least one number.
Warning: Do not use any of the above examples as passwords.
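As an added example (not code from the original post), the following Python checker enforces the measurable rules from items 1 to 8: minimum length per account type, required character groups, repeated or sequential runs, and listed or personal words including their reversals and word+digits forms. The account-type keys, the small word blocklist (built from the page's own examples) and the split of item 4's symbols into punctuation and special groups are assumptions.

```python
import re
import string
from typing import Iterable, List, Optional

# Minimum lengths per account class (policy items 1-3).
MIN_LENGTH = {"user": 10, "admin": 14, "service": 20}
# Constructed blocklist from the page's examples; a real deployment would load its own list (assumption).
BLOCKLIST = {"arif", "istanbul", "ankara", "hidden", "qwerty", "password"}
GROUPS = {  # character groups from item 4; punctuation and specials counted separately
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "punct": set("!?.,;:"),
    "special": set("@#$%^&*()_+|~-='{}[]\"<>/"),
}


def has_run(pw: str, n: int = 3) -> bool:
    """True if n consecutive characters repeat (aaa) or step by +1/-1 (123, zyx)."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - n + 1):
        steps = {b - a for a, b in zip(codes[i:i + n], codes[i + 1:i + n])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def has_blocked_word(pw: str, personal: Iterable[str] = ()) -> bool:
    """Rejects listed or personal words, their reversals, and word+digits (hidden1)."""
    core = re.sub(r"\d+$", "", pw.lower())  # strip trailing digits: hidden1 -> hidden
    words = BLOCKLIST | {p.lower() for p in personal if p}
    return any(w in core or w[::-1] in core for w in words)


def check_password(pw: str, account: str = "user",
                   personal: Optional[Iterable[str]] = None) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH[account]:
        problems.append(f"shorter than {MIN_LENGTH[account]} characters for a {account} account")
    present = {name for name, chars in GROUPS.items() if any(c in chars for c in pw)}
    if not {"upper", "lower", "digit"} <= present:
        problems.append("missing an uppercase letter, a lowercase letter or a digit")
    if len(present) < 3:
        problems.append("uses fewer than three character groups")
    if has_run(pw):
        problems.append("contains a repeated or sequential run such as aaabbb or 123")
    if has_blocked_word(pw, personal or ()):
        problems.append("contains a listed or personal word, its reversal, or word+digits")
    return problems
```

Pass the user's known personal terms (family names, company name) through `personal` so item 5 is enforced per account rather than only against the global list.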

9. Password Protection
All users must strictly follow the following rules:
● Passwords used within the institution should not be used anywhere outside the institution (e.g. for internet access, banking or other services).
● Different passwords should be used for different systems. Example: different passwords for Unix systems and different passwords for Windows systems.
● Passwords used within the institution should not be shared with anyone. All passwords should be treated as private information belonging to the institution.
● No one should share their password verbally, in writing or over the phone.
● No password should be told to anyone, not even a senior manager.
● Passwords should not be discussed in front of others.
● The names of family members should not be used as passwords.
● No password should be written on any form.
● Passwords should not be shared with family members.
● Passwords should not be given to co-workers while the user is away from work.
● The "remember password" feature in applications (e.g. Outlook, Internet Explorer, etc.) should not be used.