Password Management

Recommendations for a strong password 

A strong password is defined as a hard-to-decode password by a person or machine.

A strong password should:

  • Be at least 10 characters long.
  • Include a combination of upper and lower case letters (a-z, A-Z)
  • Include at least one digit (0-9)
  • Include at least one special character (@, &,%, $)

A strong password should not:

  • Be phrased as a phrase or word that can be found in the dictionary.
  • Be phrased as a word with a number at the beginning and end.
  • Be based on the user's personal information such as: ID, date of birth, last name, pet name, etc.

Recommendations for proper password management

Do not share your password with another person:

The password is personal and never should be shared with another person, manager, staff, a technician who came to repair the computer or some technical support center. If your password has been exposed to someone else, it should be replaced immediately.

Change password from time to time:

It is recommended that the password be changed once every 90 days. The frequency of the password change will depend on the extent to which the account is used. If the use is frequent, the password should be changed more frequently. This change will prevent anyone who has somehow obtained your password from continuing to have access to your account. If you think someone has access to your account, change your password immediately. After resetting the password, the case should be reported to the manager and/or the information security officer at the Technion.

Be sure to use a passphrase instead of a password:

A passphrase is a password that contains a sequence of words with numbers or special characters. The phrase can be taken from a song or proverb, it will usually be longer and it will be easy to remember.
For example, the phrase:

“My passw0rd is $uper str0ng!”

is a good example of a proverb containing a sequence of words, numbers and signs.

It is important to pay attention to the location of the digits and signs. In the example you can see that the position of the marks prevents a few words from being found in the dictionary. Using "space" can also help protect your password.

Avoid writing the password on a note, or storing it in an unsafe place:

As a rule, your password should not be written on paper. If necessary, be sure to store the note in a safe place and destroy it when you no longer need it. Using password management to store your password is not recommended unless the password manager leverages strong encryption and requires authentication before use.

Avoid password reuse:

After changing your password, be sure not to use it again. If the user's account, knowingly or unknowingly, has been exposed in the past, password reuse will cause it to be exposed again. Similarly, if a password has been shared in the past, reusing it allows a person who does not have permission to access your account.

Avoid using the same password for different accounts:

While using the same password for multiple accounts makes it easier for us to remember the password, it provides hackers with the ability to access multiple systems.

Avoid using the auto-login function:

Using the auto-login function negates much of the value of using a password. A person's physical access to your computer will allow them to login to your user account and access your personal information.

Administrator password management

Must use strong password:

An administrator can perform any operation on the system from entering new data, changing existing data, to deleting the data, and changing the system configuration. This is why a high-privileged account will be as protected as possible and accessible only to authorized users.

Require password change from time to time:

It is recommended that the user change their password once every 90 days. The longer the password does not change, the greater the chance of someone breaking it.

Require initial password change :

Requiring the user to change a password is necessary in order to ensure that only the user knows the password. This helps reduce the danger of discovering the initial password while transferring it to the user. This guideline also applies to situations where password resetting must be done manually.

Setting an initial password validity:

In some cases, a user creates an account but does not log in for a long time. As mentioned, an initial password has a great risk of being exposed, depending on the process used to pass the password. Setting a password to expire after a predetermined period (usually after 72 hours) helps reduce the risk. It can also be a sign that the account is not being used.

Do not use personal information for an initial password:

Personal information includes personal numbers, names, birth dates, etc. This type of information should not be used as part of  initial passwords.

Always verify user identity before resetting password:

User identity must be verified before password reset . Usually the user should be asked questions the answers to which are known to the user only. In some cases, the user must be physically present in order for his password to be obtained.  

Never ask for a password from a user :

Users are not allowed to transfer their password, so they should not be asked to provide the password.

In cases of computer repair or any malfunction, the user should be asked to enter the password or create a dedicated account for the needed repair.


Guidelines for persons responsible for system design and implementation

Change passwords for default accounts:

Default accounts are often the source of unauthorized access by malicious entities. Whenever possible, they should be completely eliminated. If the account cannot be cancelled, the default passwords should be changed as soon as the system is installed, configured or implemented.

Do not use the he same passwords for different manager accounts:

Using the same password for multiple user accounts can make managing them easier, but doing so can allow hackers to access multiple accounts by decryption of just one password.

Passwords should not be transmitted in plain text:

Passwords transmitted in plain text can be discovered by users with malicious intent.

Communication protocols such as HTTP, FTP and TELNET convey information, including identification details, through plain text. Anyone with access to the network may be exposed to this data and gain access to the system and/or information transmitted. Secure protocols should be used, that encrypt the information transmitted over the network or encrypt the entire medium using encryption technologies.

Do not store password in an unencrypted manner:

Passwords or any other sensitive information should not be stored or tranferred in an  unencrypted manner. Even in case where a hostile entity gained access to the data storage location, the encryption makes the information worthless for it, and thus prevents it from accessing other services and/or systems.

Implement automatic change or password reset alerts:

An email should be sent to the user for any reset or password change action to provide the user with confirmation that the action was successful, and to alert the user if the password to their account has been changed without their knowledge.