IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
- After three unsuccessful attempts to enter the correct password, a lockout
should be imposed which can only be cancelled by the system
administrator.
- During authentication of networked systems, passwords should not be
transmitted in an unencrypted form.
- The password must be entered covertly, i.e. the input will not be displayed
on the monitor.
- Passwords should be stored in the system in a way preventing unauthorised
access, e.g. by means of one-way encryption.
- Password alteration must be initiated by the system on a regular basis.
- Re-use of previous passwords in the case of password alteration should be
prevented by the IT system (password history).
Additional controls:
- Have users been informed on how to handle passwords correctly?
- Is the password quality controlled?
- Are password changes mandatory?
- Has every user been provided with a password?
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000