Password Policy

Scope

This password policy is valid for all passwords for computer systems at IST Austria, in particular for the IST account, the primary account for all IT services at IST Austria.

IT systems at IST Austria will only allow passwords which adhere to this policy.

Policy

  • Choose a password that would be very difficult to guess; avoid people's names or anything similar to your user ID. Visit our HackCheck to test your password and to get best practices & recommendations for a good password.
  • Use a (secure) password manager (e.g. KeePass) for your passwords.
  • In adherence to the InfoSec policy and the European Data Protection Regulation, passwords are restricted data and have to be stored encrypted.
  • Don’t share your password with anyone.
  • Do not communicate your password to anyone by any means (telephone, email, website, instant messaging etc.). IT will never ask you for your password.
  • Never use your IST Austria password for any other service / site.
  • Always check for “https” or the lock symbol before typing your password in a browser. If unsure, also check the name in the certificate.
  • Always use the “standard” user account on your computer instead of the admin account – use the admin account only when needed (e.g. installing software).
  • Always log off or lock the computer before leaving it unattended.
  • The password has to be changed if it has been compromised or if there is a risk that it has been compromised.
  • If you think your account or password may have been hacked, inform the IST IT department and change your password immediately.
    it@ist.ac.at / tel: (+43 2243 9000) 1300

Password complexity rules

  • Passwords must not contain the user’s user name or screen name (e.g. first name and last name)
  • Passwords have to be at least eight characters long (a minimum of 12 characters is suggested)
  • Passwords must contain characters from at least three of the following four character sets:
    • Numbers: 0, 1, 2, …
    • Uppercase letters: A, B, C, …
    • Lowercase letters: a, b, c, …
    • Special characters: &!@#%$^*-_+~,./?:=[]{}
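
A validator for the complexity rules above, as an added example that is not IST Austria's own code. Assumptions (not stated in the policy): names are matched case-insensitively, the screen name is split into its parts, name parts shorter than three characters are ignored, and only the ASCII characters listed above count toward a character set.

```python
import re
import string

SPECIALS = set("&!@#%$^*-_+~,./?:=[]{}")  # the policy's special-character list
MIN_LENGTH = 8         # required minimum length
SUGGESTED_LENGTH = 12  # suggested minimum length
MIN_NAME_PART = 3      # assumption: ignore name parts shorter than this


def character_sets_used(password):
    """Return the names of the policy's four character sets found in the password."""
    sets = {
        "numbers": set(string.digits),
        "uppercase": set(string.ascii_uppercase),
        "lowercase": set(string.ascii_lowercase),
        "special": SPECIALS,
    }
    # Characters outside all four sets (spaces, umlauts, ...) count for nothing.
    return {name for name, chars in sets.items() if chars & set(password)}


def check_password(password, user_name, screen_name=""):
    """Return the list of violated rules; an empty list means the password passes."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too short")
    if len(character_sets_used(password)) < 3:
        violations.append("fewer than three character sets")
    # Assumption: compare case-insensitively and split the screen name
    # (e.g. "Jane Doe") into first name and last name.
    parts = [user_name] + re.split(r"\W+", screen_name)
    lowered = password.lower()
    if any(len(p) >= MIN_NAME_PART and p.lower() in lowered for p in parts):
        violations.append("contains user name or screen name")
    return violations


def meets_suggested_length(password):
    """True if the password reaches the suggested (not required) length."""
    return len(password) >= SUGGESTED_LENGTH


if __name__ == "__main__":
    # Constructed sample inputs, not real accounts or passwords.
    for pw in ("Tr4vel-light-pack", "Jane2020!x", "abcdefgh", "Ab1!"):
        print(pw, check_password(pw, "jdoe", "Jane Doe"), meets_suggested_length(pw))
```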

Notes

  1. Grassi PA, Garcia ME, Fenton JL. Digital Identity Guidelines: Revision 3. National Institute of Standards and Technology; 2017. doi:10.6028/nist.sp.800-63-3

Document

Effective Date: 2016-09-01
Next Review: 2021-02-15
Last Reviewed: 2020-02-15
Owner: IST Austria IT

Version

| Version | Date | Description | Author |
|---|---|---|---|
| 1.0 | November 2016 | Initial Version, originally published on ISTWiki | Stephan Stadlbauer |
| 1.1 | October 2017 | Initial version copied to IT page; removed chapter “Document action”; added Document header; changed citations and removed “Notes” | Stephan Stadlbauer |
| 1.2 | 2020-02-12 | Reviews / Typos & rephrasing / TOC / added Hack-Check link / added InfoSec information / removed redundant information / change special characters / removed need for regular change of password (See 1) | Stephan Stadlbauer |

Review

| Reviewer | Role | Review Date | Signature |
|---|---|---|---|
| Roland Gansch | Division Head of SSUs | | Waiting for Review |
| Patrick Meidl | Teamlead Software Development | 2020-02-12 | OK, special characters need to be changed. |
| Christoph Haindl | Teamlead IT Support | 2020-02-12 | OK |