GSA PBS Portal

PBS User Responsibilities
When selecting a password, use the following GSA password guidelines to help ensure passwords selected are in compliance with GSA requirements.

GSA Policy

Required Action: Passwords changed or expire in 90 days or less on the Intranet as well as the extranet.
Benefit Gained: Reduces the likelihood of unauthorized penetration by limiting password life.

Required Action: All passwords must be 8-15 characters and contain at least:
  • One lowercase letter, a-z
  • One capital letter, A-Z
  • One number, 0-9
  • One special character from this list (other special characters are not supported):
    • and (&)
    • period (.)
    • dash (-)
    • underscore (_)
    • exclamation (!)
    • at (@)
    • colon (:)
    • semicolon (;)
Benefit Gained: These requirements make it more difficult for a password guesser to obtain passwords. They increase the set of combinations that must be guessed and provide a mixture to defeat a dictionary attack.

Required Action: Passwords for mobile storage devices must be a minimum of 8 characters, but do not have to be a combination of letters, numbers, and special characters.
Applies to: USB drives, Blackberry devices, personal digital assistants.

Required Action: Authentication schemes in lieu of standard passwords may be employed as approved by the DAA (e.g. biometrics, tokens, smart cards, one-time passwords).
Benefit Gained: Safer than passwords: the credential is something the user is, something the user has, or something used only once, so there is no longer anything to write down or recall.

Required Action: Passwords must not be stored in forms (i.e. Windows dialog boxes, web forms, etc.).
Benefit Gained: Removes the risk of the password being cut and pasted from dialog boxes and web forms, and reduces the danger of the user ID and password being captured together.

Best Practices

Required Action: Passwords
  • Contain a non-numeric character in the first and last positions.
  • Contain no more than three identical consecutive characters in any position from the previous password.
Benefit Gained: These requirements make it more difficult for a password guesser to obtain passwords. They increase the set of combinations that must be guessed and provide a mixture to defeat a dictionary attack.

Required Action: Passwords must not contain any dictionary word in any language.
Benefit Gained: Prevents dictionary-type attacks.

Required Action: Passwords must not contain any proper noun or the name of any person, pet, child, or fictional character. Passwords must not contain any employee serial number, Social Security number, birth date, phone number, or any information that could be readily guessed about the creator of the password.
Benefit Gained: Helps prevent a password guess based on a hacker's personal knowledge of the user.

Required Action: Passwords must not contain any simple pattern of letters or numbers, such as "qwerty" or "xyz123".
Benefit Gained: These passwords are favorites a hacker might try early in a dictionary-type attack.

Required Action: Passwords must not be any word, noun, or name spelled backwards or appended with a single digit or with a two-digit "year" string, such as 98xyz123.
Benefit Gained: The dictionaries used by hackers are huge, and the Crack 5.0 algorithms are clever and thorough.
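As an added example (not part of the GSA page), the following Python checker applies the composition rules and best-practice checks above to a candidate password. The miniature word list is constructed, and treating the previous-password rule as "no shared run of four or more characters anywhere" is an assumption about how that rule is applied.

```python
import string

# Special characters the page lists as supported; anything else outside A-Z, a-z, 0-9 is rejected.
ALLOWED_SPECIALS = set("&.-_!@:;")
# Simple sequences the page calls out as early guesses in a dictionary-type attack.
SIMPLE_PATTERNS = ("qwerty", "xyz123")
# Constructed miniature dictionary; a real deployment would load a full multi-language word list.
SAMPLE_DICTIONARY = ("password", "welcome", "summer", "admin")


def shares_run(new, old, max_run=3):
    """True if new and old share more than max_run identical consecutive characters
    anywhere (assumed reading of the page's 'from the previous password' rule)."""
    n = max_run + 1
    chunks = {old[i:i + n] for i in range(len(old) - n + 1)}
    return any(new[i:i + n] in chunks for i in range(len(new) - n + 1))


def check_password(pw, previous=None, dictionary=SAMPLE_DICTIONARY):
    """Return the list of violated rules; an empty list means the password is compliant."""
    problems = []
    if not 8 <= len(pw) <= 15:
        problems.append("length must be 8-15 characters")
    if not any(c in string.ascii_lowercase for c in pw):
        problems.append("needs a lowercase letter")
    if not any(c in string.ascii_uppercase for c in pw):
        problems.append("needs an uppercase letter")
    if not any(c in string.digits for c in pw):
        problems.append("needs a digit")
    if not any(c in ALLOWED_SPECIALS for c in pw):
        problems.append("needs a special character from the supported list")
    alnum = string.ascii_letters + string.digits
    unsupported = sorted({c for c in pw if c not in alnum and c not in ALLOWED_SPECIALS})
    if unsupported:
        problems.append("unsupported characters: " + "".join(unsupported))
    # Best practice: first and last positions must be non-numeric.
    if pw and (pw[0] in string.digits or pw[-1] in string.digits):
        problems.append("first and last characters must be non-numeric")
    low = pw.lower()
    # A word appended with a digit or year still contains the word, so substring matching
    # covers the "appended with a single digit or two-digit year" rule; reversed words too.
    for word in dictionary:
        if word in low or word[::-1] in low:
            problems.append(f"contains dictionary word (or its reverse): {word}")
    for pat in SIMPLE_PATTERNS:
        if pat in low:
            problems.append(f"contains simple pattern: {pat}")
    if previous and shares_run(pw, previous):
        problems.append("shares more than three consecutive characters with previous password")
    return problems
```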

ISSO and System Administrator Responsibilities
As an ISSO and/or System Administrator, it is important that the following GSA password guidelines are used to ensure password policies and settings are in compliance with GSA requirements. Refer to GSA InSite, Technical Guides and Standards (IT resource hardening policies and/or guides) for specific IT platform controls.

GSA Policy

Required Action: Do not store passwords in a clear text file.
Benefit Gained: Avoids a situation where convenience and speedy login are achieved at the expense of security.

Required Action: Users may not re-use previously used passwords.
Benefit Gained: Reduces the likelihood of unauthorized penetrations by increasing password variability.

Required Action: Allow only one user per account; never share user IDs or passwords.
Benefit Gained: Provides user accountability.

Required Action: Never install a guest/guest account.
Benefit Gained: Prevents penetration via certain well-known vulnerabilities in some User Datagram Protocol (UDP) services.

Required Action: Deactivate unused accounts monthly.
Benefit Gained: Prevents a formerly authorized user from continuing to use the host.

Required Action: No accounts will be named anonymous, ftp, telnet, www, host, user, bin, nobody, etc.
Benefit Gained: Avoids accounts commonly attacked via the password-guessing method, e.g. ftp/ftp.

Required Action: Never set any password equal to the null string, which is equivalent to no password at all.
Benefit Gained: Ensures assignment of a password to each valid user ID.

Best Practices

Required Action: The manager or owner of the host shall revalidate all accounts at least annually.
Benefit Gained: Best security practice is to clean out accounts of ex-employees and contractors, and to verify which accounts are valid.

Required Action: Never assign a login account a password that is the same string as the user ID or that contains the user ID.
Benefit Gained: Eliminates this possibility, which is the very first thing any hacker tries once he/she gets a telnet prompt.