Security and the Internet
2. Passwords
2.1 Use passwords to control access to your system and the information held on it.
- Every employee must have a unique user ID and password.
- Set up the network so that employees can only access authorised parts of the system.
- Consider installing tracking software. This produces a log showing which users have accessed which information. Get legal advice before taking such a step.
2.2 Establish password control procedures.
- Avoid obvious passwords (eg birthdays).
- Consider only allowing passwords issued by the network administrator. Passwords should be given to employees in person, rather than distributed by internal email.
- Make sure passwords are kept secure. Employees often save their passwords on the system, or keep copies by their PC.
- Ban employees from telling anyone else their password, and from using another employee's user ID and password.
- Do not allow users to log in to more than one PC at the same time.
- Ask employees to log off when they leave their computers for more than a set period of time (for example, an hour), or install password-protected screensavers.
- Change passwords regularly. You may want to set them to expire every 30 days so that users are forced to change them.
- Change passwords when an employee leaves, or when a security breach is suspected. Delete the accounts of former employees.
2.3 Set up procedures and train employees to use built-in file protection features of individual software packages.
Typically, these use passwords to control which users have access to, and can modify, a particular file.