ORP.4.A8 Provisions Governing the Use of Passwords [User, IT Operation Department] (B)
1. Overview
Organisations MUST regulate the use of passwords in a binding manner (see also ORP.4.A22 Regulating Password Quality and ORP.4.A23 Regulating Password-Processing Applications and IT Systems). In doing so, they MUST consider whether passwords are to be used as the sole authentication method, or whether other authentication features or methods may be used in addition to or instead of passwords.
Passwords MUST NOT be used for multiple purposes. A separate password MUST be used for each IT system or application. Passwords that are easy to guess or are kept in common password lists MUST NOT be used. Passwords MUST be kept secret. They MUST ONLY be known by the respective users. When entering their passwords, users MUST ensure that no one else is watching. Passwords MUST NOT be stored on programmable function keys on keyboards or mice. Passwords MUST ONLY be written down in case of an emergency. They MUST then be stored securely. The use of a password manager SHOULD be considered. If password managers have features or plug-ins that synchronise passwords via third-party online services or otherwise transmit passwords to third parties, these features or plug-ins MUST be disabled. Passwords MUST be changed if it is suspected or discovered that they have become known to unauthorised persons.
1.1 References
1.2 Identified Requirements
1.2 Related Regulation
2. Identified Requirements
Requirements
| Source | Requirement |
3. Related Regulations
Regulations
| Source | Regulation |