Password Policy
Hitachi ID Systems, Inc.
- Be as long as possible (never shorter than 6 characters).
- Include mixed-case letters, if possible.
- Include digits and punctuation marks, if possible.
- Not be based on any personal information.
- Not be based on any dictionary word, in any language.
SANS Institute
Strong passwords have the following characteristics:
- Contain at least three of the five following character classes:
  - Lower case characters
  - Upper case characters
  - Numbers
  - Punctuation
  - “Special” characters (e.g. @#$%^&*()_+|~-=\`{}[]:";'<>/ etc)
- Contain at least fifteen alphanumeric characters.
Microsoft Corporation
Password complexity policies are designed to deter brute force attacks by increasing the number of possible passwords. When password complexity policy is enforced, new passwords must meet the following guidelines:
- The password does not contain all or part of the account name of the user. Part of an account name is defined as three or more consecutive alphanumeric characters delimited on both ends by white space such as space, tab, and return, or any of the following characters: comma (,), period (.), hyphen (-), underscore (_), or number sign (#).
- The password is at least eight characters long.
- The password contains characters from three of the following four categories:
  - Latin uppercase letters (A through Z)
  - Latin lowercase letters (a through z)
  - Base 10 digits (0 through 9)
  - Non-alphanumeric characters such as: exclamation point (!), dollar sign ($), number sign (#), or percent (%).
Passwords can be up to 128 characters long. You should use passwords that are as long and complex as possible.
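The Microsoft rules quoted above can be checked mechanically. The following is an added example, not code from Microsoft or from this page: the function names and sample values are constructed for illustration, and case-insensitive matching of account-name parts is an assumption the quoted text does not state.

```python
import re
import string

# Delimiters named in the quoted policy: white space, comma, period,
# hyphen, underscore and number sign.
DELIMITERS = re.compile(r"[\s,.\-_#]+")
MIN_LENGTH, MAX_LENGTH = 8, 128
MIN_PART_LENGTH = 3   # "three or more consecutive" characters
MIN_CLASSES = 3       # three of the four categories


def account_name_parts(account_name):
    """Split the account name on the policy's delimiters; keep parts >= 3 chars."""
    return [p for p in DELIMITERS.split(account_name) if len(p) >= MIN_PART_LENGTH]


def character_classes(password):
    """Return which of the four listed categories occur in the password."""
    found = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            found.add("upper")
        elif ch in string.ascii_lowercase:
            found.add("lower")
        elif ch in string.digits:
            found.add("digit")
        elif not ch.isalnum():
            found.add("symbol")
    return found


def check_password(password, account_name):
    """Return a list of violated rules; an empty list means the password passes."""
    violations = []
    if not MIN_LENGTH <= len(password) <= MAX_LENGTH:
        violations.append("length")
    if len(character_classes(password)) < MIN_CLASSES:
        violations.append("classes")
    lowered = password.lower()  # assumption: case-insensitive comparison
    if any(part.lower() in lowered for part in account_name_parts(account_name)):
        violations.append("account_name")
    return violations


if __name__ == "__main__":
    # Constructed account names and passwords, for illustration only.
    for pw, user in [("Tr1cky-Horse", "erin.hagens"), ("Hagens2024!", "erin.hagens")]:
        print(user, pw, check_password(pw, user) or "ok")
```

Account-name parts shorter than three characters (for example both halves of `jo_li`) are ignored, so they never cause a rejection on their own.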
Connecticut Community Colleges
When composing a password, it must adhere to the following standards:
- Passwords must be a minimum of eight (8) characters.
- Passwords must be complex and difficult to guess. (strong passwords must be used)
- Password must not be reused. (verified against a password history file that is set to the maximum size that the system supports)
- Password must be changed every ninety (90) days. (maximum lifetime)
When using a user account, the following standards must be enforced:
- User accounts must be locked out for a period of time after a maximum of five (5) unsuccessful attempts to gain access to a user account.
- If any part of the logon process (User ID, Password, etc.) is incorrect, the user must not be given specific feedback indicating the source of the problem. Instead, the user must simply be informed that the entire logon process was incorrect.
Passwords issued by a password administrator must be pre-expired, forcing the user to choose another password before the logon process is completed.
The University of Southern Mississippi
Strong passwords have the following characteristics:
- Contain both upper and lower case characters (e.g., a-z, A-Z)
- Have digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)
- Are at least eight alphanumeric characters long.
- Are not a word in any language, slang, dialect, jargon, etc.
- Are not based on personal information, names of family, etc.
- Passwords should never be written down or stored on-line. Try to create passwords that can be easily remembered. One way to do this is create a password based on a song title, affirmation, or other phrase.
For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation.
City Of Frankfort Kentucky
Create a strong password that:
- contains both upper and lower case characters (e.g., a-z, A-Z)
- has digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~=\`{}[]:";'<>?,./)
- is at least eight alphanumeric characters.
- is NOT a word in any language, slang, dialect, jargon, etc.
- is NOT based on personal information, names of family, etc.
References
- Hitachi ID Systems, Inc., "Password Policy Guidelines," http://hitachi-id.com/password-manager/docs/password-policy-guidelines.html.
- SANS Institute, "Password Policy," http://www.sans.org/security-resources/policies/Password_Policy.pdf.
- Microsoft Corporation, "Password Policy," http://msdn.microsoft.com/en-us/library/ms161959.aspx.
- Connecticut Community Colleges (Issued on February 9, 2004 by Chancellor Herzog), "Password Policy," http://www.commnet.edu/it/policy/password-policy.asp.
- The University of Southern Mississippi, "Password Policy," http://www.usm.edu/infosec/pw-policy.php.
- City Of Frankfort Kentucky, "Password Policy," http://www.frankfort.ky.gov/password-policy.html.