Password Security Policy Checklist

- Policies must be in place to control addition, deletion, and modification of user IDs.
- Outline a process for verifying a user’s identity when resetting their password, especially if they’ve requested the reset over the phone, e-mail, or other non-face-to-face method.
- Require that first-time passwords issued to new users are not all the same value.
- Access for terminated employees is removed promptly.
- There are no accounts on the systems that have been inactive for over 90 days.
- Vendor accounts used for remote maintenance must only be active when they are in use.
- All employees that have access to cardholder data must be educated on password policies.
- Group, shared, or generic passwords and accounts cannot be used.
- Passwords must be changed at least every 90 days.
- Passwords must be at least 7 characters long and use both alphabetic and numeric characters.
- Do not allow users to reuse any of their previous four passwords.
- Require that an account is locked after six or more failed login attempts, and remains locked for 30 minutes or until an administrator unlocks it.
- Require that a session idle for 15 minutes prompts the user to re-enter their password before continuing.
- Authentication procedures must be in place for all access to databases containing cardholder data.
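The numeric controls in this checklist (7-character alphanumeric passwords, no reuse of the last four, 90-day expiry, lockout after six failures for 30 minutes, 15-minute idle timeout, and flagging accounts inactive for 90 days) are the ones most often implemented in code rather than on paper. The following is an added example, not part of the checklist page, of a small in-memory policy engine that enforces them. The `Account` class, function names, salted PBKDF2 hashing of the password history, and the reading of "idle for 15 minutes" as more than 15 minutes since the last activity are all assumptions made for illustration.

```python
"""Added example, not part of the original checklist page: an in-memory
account policy engine enforcing the checklist's numeric controls. The
Account store, function names and PBKDF2 history hashing are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple
import hashlib
import hmac
import secrets

MIN_LENGTH = 7                           # at least 7 characters
HISTORY_DEPTH = 4                        # no reuse of the last four passwords
MAX_PASSWORD_AGE = timedelta(days=90)    # change at least every 90 days
LOCKOUT_THRESHOLD = 6                    # lock after six failed attempts
LOCKOUT_DURATION = timedelta(minutes=30) # stay locked for 30 minutes
IDLE_TIMEOUT = timedelta(minutes=15)     # re-authenticate after 15 idle minutes
INACTIVE_LIMIT = timedelta(days=90)      # flag accounts unused for 90 days


def _digest(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored history never holds plaintext or unsalted hashes.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Account:
    user_id: str
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest), newest last
    password_set_at: Optional[datetime] = None
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    last_activity: Optional[datetime] = None


def validate_new_password(acct: Account, password: str) -> Optional[str]:
    """Return a rejection reason, or None if the password satisfies policy."""
    if len(password) < MIN_LENGTH:
        return "too short"
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        return "needs letters and digits"
    for salt, digest in acct.history:  # current password plus previous three
        if hmac.compare_digest(_digest(password, salt), digest):
            return "reuses one of the previous passwords"
    return None


def set_password(acct: Account, password: str, now: datetime) -> None:
    reason = validate_new_password(acct, password)
    if reason:
        raise ValueError(reason)
    salt = secrets.token_bytes(16)
    acct.history.append((salt, _digest(password, salt)))
    acct.history = acct.history[-HISTORY_DEPTH:]   # keep only the last four
    acct.password_set_at = now


def attempt_login(acct: Account, password: str, now: datetime) -> str:
    """Return 'locked', 'bad_password', 'password_expired' or 'ok'."""
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return "locked"
        acct.locked_until = None           # lockout period has elapsed
        acct.failed_attempts = 0
    if not acct.history:
        return "bad_password"
    salt, digest = acct.history[-1]        # newest entry is the current password
    if not hmac.compare_digest(_digest(password, salt), digest):
        acct.failed_attempts += 1
        if acct.failed_attempts >= LOCKOUT_THRESHOLD:
            acct.locked_until = now + LOCKOUT_DURATION
            return "locked"
        return "bad_password"
    acct.failed_attempts = 0
    acct.last_activity = now
    if now - acct.password_set_at > MAX_PASSWORD_AGE:
        return "password_expired"
    return "ok"


def session_idle_timed_out(acct: Account, now: datetime) -> bool:
    """True when the user must re-enter their password before continuing."""
    return acct.last_activity is None or now - acct.last_activity > IDLE_TIMEOUT


def inactive_accounts(accounts: List[Account], now: datetime) -> List[str]:
    """User IDs with no login (or password set) in the last 90 days."""
    stale = []
    for acct in accounts:
        last = acct.last_activity or acct.password_set_at
        if last is None or now - last > INACTIVE_LIMIT:
            stale.append(acct.user_id)
    return stale
```

Note that `set_password` keeps four history entries including the current one, so "previous four" is read as the four most recently used passwords, and that a lockout that has elapsed also resets the failure counter; otherwise a single further mistake would immediately re-lock the account.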