Handling User Accounts and Passwords
User accounts and passwords are frontline security controls: how you handle them has a direct effect on how well your personal data is protected.
DO'S
Use a password of at least eight characters mixing upper- and lower-case letters, numerals and special characters.
Use a password that is difficult to guess but easy for you to remember, so you do not have to write it down.
Use a password that you can type quickly without looking at the keyboard, so passers-by cannot see what you are typing.
Change your password regularly, for example every 90 days.
Change the default or initial password the first time you log in.
Adopt a strong authentication mechanism, such as two-factor authentication, for user accounts that handle sensitive data.
Use different passwords for different accounts, in particular those used for private and sensitive data.
Change your password immediately if you believe it has been compromised. Once done, notify the system/security administrator for follow-up action.
Log off when you have finished using terminals or PCs in public areas, such as a library or cafe.
DON'TS
Don't use your own name as a login name in any form (as-is, reversed, capitalised, doubled, etc.).
Don't use the name of your spouse or child in any form.
Don't use other information that might be easily obtained about you. This includes ID card numbers, licence numbers, telephone numbers, birth dates, the name of the street you live on, and so on.
Don't use a password that consists entirely of digits, or of the same letter repeated.
Don't use consecutive letters or numbers such as "abcdefgh" or "23456789".
Don't use adjacent keys on the keyboard such as "qwertyui".
Don't use a word that can be found in an English or foreign-language dictionary.
Don't use a word in reverse that can be found in an English or foreign-language dictionary.
Don't use a well-known abbreviation (e.g. HKSAR, HKMA, MTR).
Don't reuse recently used passwords.
Don't use the same password for everything. Have one password for non-critical activities and another for sensitive or critical activities.
Don't write down your password, particularly anywhere near your computer, and don't file it in a box file with the word 'password' written on it.
Don't tell or give out your passwords to other people, even for a very good reason.
Don't display your password on the monitor.
Don't send your password unencrypted, especially via email.
Avoid using the "remember your password" feature offered by some websites, and disable this feature in your browser software.
Don't store your password on any media unless it is protected from unauthorised access (e.g. encrypted with an approved encryption method).
The following security practices can assist system/security administrators in setting and enforcing password selection criteria.
DO'S
Choose good passwords as the initial passwords for accounts.
Use a different initial password for each account.
Require users to change the initial password immediately upon receiving it.
Change all system default passwords, including those of service accounts, after installing a new system.
Ask users to change their passwords regularly, for example every 90 days.
Automatically suspend a user account after a pre-defined number of invalid logon attempts.
Restrict a suspended account so that it can only be reactivated by manual action controlled by the system/security administrator.
Prevent users from using passwords shorter than a pre-defined length, or from re-using previously used or old passwords.
DON'TS
Don't send unencrypted passwords to users, especially via Internet email.
Don't disclose or reset passwords on behalf of unidentified users.
Don't allow public access to a password database, such as UNIX password files.
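The user-side selection rules above (length and character mix, no all-digit or single-letter passwords, no consecutive or adjacent-key runs, no dictionary words forwards or reversed, no well-known abbreviations, no reuse) are the same criteria an administrator has to enforce at password-change time. The checker below is an added example written for this page, not code from the original; the dictionary and abbreviation lists are small constructed placeholders standing in for a real word list, and the four-character run length is an assumed threshold.

```python
import re
import string

# Constructed sample lists for this example; a real deployment would load a full
# dictionary and the organisation's own list of well-known abbreviations.
DICTIONARY = {"password", "welcome", "dragon", "sunshine", "letmein"}
ABBREVIATIONS = {"hksar", "hkma", "mtr"}
SEQUENCES = [string.ascii_lowercase, string.digits]      # catches "abcdefgh", "23456789"
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]   # catches "qwertyui"
MIN_LENGTH = 8
RUN = 4   # assumed threshold: a run of this many sequential/adjacent characters is rejected


def has_run(pw, sources, n=RUN):
    """True if any n-character window of pw, forwards or reversed, lies inside a source string."""
    low = pw.lower()
    for i in range(len(low) - n + 1):
        window = low[i:i + n]
        if any(window in s or window[::-1] in s for s in sources):
            return True
    return False


def check_password(pw, history=()):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw))
    if not all(classes):
        problems.append("needs lower-case, upper-case, digits and special characters")
    if pw.isdigit():
        problems.append("all digits")
    if len(set(pw.lower())) == 1:
        problems.append("all the same character")
    if has_run(pw, SEQUENCES):
        problems.append("contains consecutive letters or numbers")
    if has_run(pw, KEYBOARD_ROWS):
        problems.append("contains adjacent keyboard keys")
    letters = re.sub(r"[^a-z]", "", pw.lower())   # compare only the alphabetic core
    if letters in DICTIONARY or letters[::-1] in DICTIONARY:
        problems.append("dictionary word, forwards or reversed")
    if letters in ABBREVIATIONS:
        problems.append("well-known abbreviation")
    if pw in history:   # history holds the account's recent passwords
        problems.append("reuses a recent password")
    return problems
```

Calling check_password("Drowssap#9") flags the reversed dictionary word and check_password("Hksar-2024!") flags the abbreviation, while a mixed-class password with no runs and no history match returns an empty list.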