- Policies should be in place prescribing password practices for the organization.
- All staff should understand and agree to abide by password policies.
- Each staff member should have a unique username and password.
- Passwords should not be revealed or shared with others.
- Passwords should not be written down or displayed on screen.
- Passwords should be hard to guess, but easy to remember.
- Passwords should be changed routinely.
- Passwords should not be re-used.
- Any default passwords that come with a product should be changed during product installation.
- Any devices or programs that allow optional password protection should have password protection turned on and in use.

Strong passwords should:
- Be at least 8 characters in length
- Include a combination of upper case and lower case letters, at least one number and at least one special character, such as a punctuation mark