Password management
Systems shall be configured to ensure that passwords meet the required criteria (such as length, complexity) for that particular system.
All new or reset passwords shall be changed immediately upon first logon.
Systems should be configured to force the change of passwords at regular intervals. The interval should be long enough not to burden users and administrators, yet short enough to limit how long a compromised password remains usable. Current guidance (NIST SP 800-63B, the UK NCSC) treats fixed-interval expiry as of limited value and recommends forcing a change when compromise is known or suspected, so where periodic expiry is retained it should be paired with that trigger.
Systems shall be configured to ensure that passwords, if stored, are held in a secure format: as salted hashes produced by a dedicated slow password hashing function (Argon2id, scrypt, bcrypt, or PBKDF2 with a high iteration count), never in clear text or under reversible encryption, since a decryption key recoverable by the system recovers every password at once.
Systems shall be configured to ensure that previously used passwords cannot be reused.
Systems shall be configured to ensure that a new password is not simply a previous password with a few characters added or changed (for example, incrementing a trailing number or swapping letters for look-alike symbols).
Systems shall be configured to lock an account after a specified number of consecutive incorrect password entries, so that it can only be unlocked or reset through a system administrator process. The threshold needs to be small enough to defeat online guessing, but not so small that ordinary mistyping burdens users and administrators alike.
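As an added example (not part of this policy document), the following Python code implements the system-side controls above: salted slow hashing with PBKDF2-HMAC-SHA256 from the standard library (Argon2id would be preferable where a library is available), forced change on first logon, a password history that rejects both exact reuse and simple derivatives, and lockout after a threshold of failures that only an administrator process clears. The threshold, history depth, minimum length and edit-distance cut-off are assumed values, not figures from the policy.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

PBKDF2_ITERATIONS = 600_000   # OWASP's 2023 minimum for PBKDF2-HMAC-SHA256
HISTORY_DEPTH = 10            # assumed policy value: previous passwords remembered
LOCKOUT_THRESHOLD = 5         # assumed policy value: failures before lockout
MIN_EDIT_DISTANCE = 4         # assumed: fewer changed characters counts as a derivative
MIN_LENGTH = 12               # assumed minimum length

_TRAILING = re.compile(r"[\d\W_]+$")          # "2023!", "_01", "##" at the end
_LEET = str.maketrans("@$013", "asoie")       # undo common look-alike substitutions


def canonical(password: str) -> str:
    """Collapse recycling moves (Summer2023 -> summer, P@ssw0rd1! -> password)."""
    return _TRAILING.sub("", password).lower().translate(_LEET)


def levenshtein(a: str, b: str) -> int:
    # Edit distance: characters inserted, deleted or changed to turn a into b.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Account:
    salt: bytes                  # fresh salt for the live credential
    digest: bytes
    history_salt: bytes          # one salt per account, so a check needs one KDF run
    history: list = field(default_factory=list)   # (full_digest, canonical_digest)
    must_change: bool = True     # new or reset password: change on first logon
    failures: int = 0
    locked: bool = False


class PasswordStore:
    def __init__(self, iterations: int = PBKDF2_ITERATIONS):
        self.iterations = iterations          # lower only in tests, never in production
        self.accounts = {}

    def _kdf(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def _remember(self, acct: Account, password: str) -> None:
        acct.history.append((self._kdf(password, acct.history_salt),
                             self._kdf(canonical(password), acct.history_salt)))
        del acct.history[:-HISTORY_DEPTH]     # keep only the last HISTORY_DEPTH entries

    def _set_live(self, acct: Account, password: str, must_change: bool) -> None:
        acct.salt = os.urandom(16)
        acct.digest = self._kdf(password, acct.salt)
        acct.must_change, acct.failures, acct.locked = must_change, 0, False
        self._remember(acct, password)

    def create(self, user: str, initial_password: str) -> None:
        # Administrator issues an initial password; it must be changed at first logon.
        acct = Account(b"", b"", os.urandom(16))
        self._set_live(acct, initial_password, must_change=True)
        self.accounts[user] = acct

    def admin_unlock(self, user: str, reset_password: str) -> None:
        # The administrator process that clears a lockout: issue a reset password.
        self._set_live(self.accounts[user], reset_password, must_change=True)

    def authenticate(self, user: str, password: str) -> str:
        acct = self.accounts[user]
        if acct.locked:
            return "locked"
        if not hmac.compare_digest(self._kdf(password, acct.salt), acct.digest):
            acct.failures += 1
            if acct.failures >= LOCKOUT_THRESHOLD:
                acct.locked = True
                return "locked"
            return "bad-password"
        acct.failures = 0
        return "must-change" if acct.must_change else "ok"

    def change_password(self, user: str, current: str, new: str) -> str:
        acct = self.accounts[user]
        if self.authenticate(user, current) not in ("ok", "must-change"):
            return "not-authenticated"
        if len(new) < MIN_LENGTH:
            return "too-short"
        # The current password is in clear right now, so edit distance is checkable.
        if levenshtein(current, new) < MIN_EDIT_DISTANCE:
            return "derivative-of-current"
        full = self._kdf(new, acct.history_salt)
        canon = self._kdf(canonical(new), acct.history_salt)
        for old_full, old_canon in acct.history:
            if hmac.compare_digest(full, old_full):
                return "reused"
            if hmac.compare_digest(canon, old_canon):
                return "derivative-of-previous"
        self._set_live(acct, new, must_change=False)
        return "changed"
```

Two design points are worth noting. The edit-distance comparison is only possible against the current password, because that is the one the user has just typed in clear; older entries exist only as hashes, so derivative detection against them works by hashing a canonical form of each password when it is set and comparing canonical forms at change time. Those canonical-form hashes have less entropy than the full hash, so the history table must be protected and hashed with the same slow KDF as the live credential. Using one history salt per account (rather than one per entry) keeps the change check to two KDF runs regardless of history depth while still defeating cross-account precomputation.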
Users shall use different passwords on different systems (for example, separate passwords for the email account and for network logons).
Users shall ensure that no password is simply a derivative of another.