ORP.4.A23 Regulating Password-Processing Applications and IT Systems [IT Operation Department] (B)

1. Overview


IT systems or applications SHOULD ONLY prompt users to change their password with a valid reason. Changes based on the passage of time alone SHOULD be avoided. Safeguards MUST be taken to detect compromised passwords. If this is not possible, consideration SHOULD be given to whether passwords can be changed at certain intervals in spite of the related disadvantages.
Default passwords MUST be replaced by sufficiently strong passwords, and pre-defined IDs MUST be changed. It SHOULD be ensured that IT systems check a password over its full possible length rather than only an initial part of it. When a password is changed, the old password MUST NOT be used again. Passwords MUST be stored as securely as possible. In cases involving IDs for technical users, service accounts, interfaces, or similar elements, a password change SHOULD be carefully planned and, if necessary, coordinated with the persons in charge of the application in question.
When providing authentication in networked systems, passwords MUST NOT be transmitted unencrypted over insecure networks. When passwords are transmitted on an intranet, they SHOULD be encrypted. In case of unsuccessful login attempts, the system in question SHOULD NOT indicate whether the password or the user ID was wrong.
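The requirements above (checking the full password length, secure storage, no reuse of the old password, one failure message that does not reveal whether the user ID or the password was wrong, and forcing a change only for a reason such as a detected compromise) as an added Python example. This is illustrative code written for this page, not part of ORP.4.A23 or any BSI reference implementation; the in-memory store, the `mark_compromised` hook and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os

# Constructed in-memory credential store for the example: username -> record.
_USERS: dict = {}
# One message for an unknown user ID and for a wrong password, so the response
# does not reveal which of the two was wrong.
_GENERIC_ERROR = "login failed"
_ITERATIONS = 100_000  # assumed KDF cost; tune for the target system

def _kdf(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; the whole password is hashed, nothing is truncated.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)

def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    _USERS[username] = {"salt": salt, "hash": _kdf(password, salt),
                        "history": [], "must_change": False}

def mark_compromised(username: str) -> None:
    # Hook for an external compromise check (breach feed, leaked-credential
    # monitoring): a change is forced for a reason, not because time has passed.
    if username in _USERS:
        _USERS[username]["must_change"] = True

def login(username: str, password: str) -> tuple:
    rec = _USERS.get(username)
    if rec is None:
        _kdf(password, b"\x00" * 16)  # spend the same KDF cost for unknown users
        return False, _GENERIC_ERROR
    if not hmac.compare_digest(rec["hash"], _kdf(password, rec["salt"])):
        return False, _GENERIC_ERROR
    return True, "password change required" if rec["must_change"] else "ok"

def change_password(username: str, old: str, new: str) -> tuple:
    ok, _ = login(username, old)
    if not ok:
        return False, _GENERIC_ERROR
    rec = _USERS[username]
    # Reject the current password and any earlier one kept in the history.
    for salt, digest in [(rec["salt"], rec["hash"])] + rec["history"]:
        if hmac.compare_digest(digest, _kdf(new, salt)):
            return False, "new password must not repeat a previous one"
    rec["history"].append((rec["salt"], rec["hash"]))
    rec["salt"] = os.urandom(16)
    rec["hash"], rec["must_change"] = _kdf(new, rec["salt"]), False
    return True, "ok"
```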