DOE G 205.3-1
PASSWORD GUIDE
U.S. DEPARTMENT OF ENERGY
Distribution: All Departmental Elements
Initiated By: Office of Security and Emergency Operations
PASSWORD GUIDE
1. PURPOSE. This Department of Energy (DOE) Guide provides detailed guidance to
supplement DOE N 205.3, PASSWORD GENERATION, PROTECTION, AND USE.
2. SUMMARY. The security features and procedures detailed below are intended as
guidance. Only those security features or procedures appropriate for a particular
environment are expected to be implemented. Deviations from the guidance provided
below, and the rationale for them, must be documented in the organization's computer
security program plan (CSPP).
3. REFERENCE. DOE N 205.3, PASSWORD GENERATION, PROTECTION, AND USE.
4. CONTACT. Questions concerning this Guide should be addressed to the Office of the
Chief Information Officer, 202-586-0166.
5. SECURITY FEATURES AND PROCEDURES.
a. Password Generation/Verification. If employed, password generation or verification
software should ensure that passwords are generated using those security features
listed below which would be appropriate for a given site.
(1) Passwords contain at least eight non-blank characters.
(2) Passwords contain a combination of letters (preferably a mixture of upper and
lowercase), numbers, and at least one special character within the first seven
positions.
(3) Passwords contain a nonnumeric in the first and last position.
(4) Passwords do not contain the user ID.
(5) Passwords do not contain any common English dictionary word, spelled forward
or backwards (except words of three or fewer characters); dictionaries for other
languages should also be used if justified by risk and cost benefit analysis as
documented in the CSPP.
(6) Passwords do not employ common names; that is, the password is checked
against a set of common names to validate that the password does not contain
any of the names, spelled forward or backwards (assuming that the name is over
three characters).
(7) Passwords do not contain any commonly used numbers (e.g., the employee
serial number, Social Security number, birth date, phone number) associated
with the user of the password.
(8) Passwords do not contain any simple pattern of letters or numbers, such as
"qwertyxx" or "xyz123xx."
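The eight features above are the checks a password verification program would apply. The following verifier, added here as an illustration and not DOE or site code, implements all eight against a candidate password. The word list, name list, rule interpretations (letters and digits anywhere but the special character within the first seven positions; three consecutive characters counting as a "simple pattern" so that the document's own "xyz123xx" is rejected; four or more consecutive digits of a user-associated number counting as a match) and the function names are assumptions; a site would load its full dictionaries and tune the thresholds in its CSPP.

```python
"""Password verifier implementing the eight features of section 5a.

Added example, not DOE or site code. DICTIONARY, COMMON_NAMES, RUN_LENGTH
and the partial-number matching are constructed stand-ins and assumptions.
"""
import re

# Constructed stand-ins for the site's English dictionary and common-name list.
DICTIONARY = {"password", "secret", "energy", "summer", "welcome", "guide"}
COMMON_NAMES = {"david", "klaus", "smith", "jones", "mary"}

# Keyboard rows for rule (8). Alphabet and digit runs are found by ordinal
# comparison. Three consecutive characters count as a pattern so that the
# document's example "xyz123xx" is rejected (assumed threshold).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
RUN_LENGTH = 3


def _contains_word(password, words, min_len=4):
    """Rules (5) and (6): return the first word (or its reverse) found as a
    case-insensitive substring; words of three or fewer characters are ignored."""
    low = password.lower()
    for w in sorted(words):  # sorted so the reported word is deterministic
        w = w.lower()
        if len(w) >= min_len and (w in low or w[::-1] in low):
            return w
    return None


def _has_simple_pattern(password):
    """Rule (8): a run of RUN_LENGTH alphanumerics that are consecutive in the
    alphabet/digits (either direction) or adjacent on a keyboard row."""
    low = password.lower()
    for i in range(len(low) - RUN_LENGTH + 1):
        chunk = low[i:i + RUN_LENGTH]
        if not chunk.isalnum():
            continue
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return chunk
        if any(chunk in row or chunk[::-1] in row for row in KEYBOARD_ROWS):
            return chunk
    return None


def check_password(password, user_id, user_numbers=(), dictionary=DICTIONARY, names=COMMON_NAMES):
    """Return a list of (rule_number, reason) for every 5a feature the
    password fails; an empty list means the password is acceptable.
    user_numbers holds strings associated with the user (employee serial
    number, SSN, birth date, phone); separators are stripped before matching."""
    failures = []
    if sum(1 for c in password if not c.isspace()) < 8:
        failures.append((1, "fewer than eight non-blank characters"))
    head = password[:7]
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    special_early = any(not c.isalnum() and not c.isspace() for c in head)
    if not (has_letter and has_digit and special_early):
        failures.append((2, "needs letters, digits, and a special character in the first seven positions"))
    if not password or password[0].isdigit() or password[-1].isdigit():
        failures.append((3, "first and last character must be non-numeric"))
    if user_id and user_id.lower() in password.lower():
        failures.append((4, "contains the user ID"))
    word = _contains_word(password, dictionary)
    if word:
        failures.append((5, f"contains dictionary word '{word}' (forward or reversed)"))
    name = _contains_word(password, names)
    if name:
        failures.append((6, f"contains common name '{name}' (forward or reversed)"))
    for number in user_numbers:
        digits = re.sub(r"\D", "", number)
        # Four or more consecutive digits of an associated number (e.g. the year
        # of a birth date) count as a match; partial matching is an assumption.
        hits = [digits[i:i + 4] for i in range(len(digits) - 3) if digits[i:i + 4] in password]
        if hits:
            failures.append((7, f"contains user-associated number fragment '{hits[0]}'"))
            break
    pattern = _has_simple_pattern(password)
    if pattern:
        failures.append((8, f"contains simple pattern '{pattern}'"))
    return failures


def failed_rules(password, user_id, user_numbers=()):
    """Convenience wrapper returning just the numbers of the rules that failed."""
    return [rule for rule, _ in check_password(password, user_id, user_numbers)]
```

Run against the document's own examples, `failed_rules("qwertyxx", "jdoe")` and `failed_rules("xyz123xx", "jdoe")` both report rules 2 and 8, while a password such as `Gx7#pLw2q` passes every check. Note that rule (5) catches reversed words, so `#drowssap9Q` is rejected for containing "password" backwards.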
b. User Selected Passwords. In those cases where the user selects his/her own password
(regardless of whether said password is verified by password verification software),
the user should ensure that the selected password is consistent with those security
features listed below that would be appropriate for a given site.
(1) Password contains at least eight non-blank characters, provided such passwords
are allowed by the operating system or application.
(2) Password contains a combination of letters (preferably a mixture of upper and
lowercase), numbers, and at least one special character within the first seven
positions, provided such passwords are allowed by the operating system or
application.
(3) Password contains a nonnumeric in the first and last position.
(4) Password does not contain the user ID.
(5) Password does not include the user's own or, to the best of his/her knowledge,
close friends or relatives names, employee serial number, Social Security
number, birth date, phone number, or any information about him/her that the
user believes could be readily learned or guessed.
(6) Password does not, to the best of the user's knowledge, include common words
that would be in an English dictionary, or from another language with which the
user has familiarity.
(7) Password does not, to the best of the user's knowledge, employ commonly used
proper names, including the name of any fictional character or place.
(8) Password does not contain any simple pattern of letters or numbers, such as
"qwertyxx" or "xyz123xx."
(9) Password employed by the user on his/her unclassified systems is different than
the passwords employed on his/her classified systems.
c. Password Protection. Individuals must not
(1) share passwords except in emergency circumstances or when there is an
overriding operational necessity, as described in the approved CSPP;
(2) leave clear-text passwords in a location accessible to others or secured in a
location whose protection is less than that required for protecting the
information that can be accessed using the password;
(3) enable applications to retain passwords for subsequent reuse, except as
permitted by the organization's CSPP.
d. Password Changing. Passwords must be changed
(1) at least every 6 months;
(2) immediately after sharing;
(3) as soon as possible, but within 1 business day after a password has been
compromised, or after one suspects that a password has been compromised; and
(4) on direction from management.
e. Administration. If the capability exists in the information system, application, or
resource, the system must be configured to ensure the following.
(1) Three failed attempts to provide a legitimate password for an access request
result in an access lockout that is automatically restored following a
predetermined time period set by the system manager. Alternative responses to
three failures to provide a legitimate password (e.g., increasing the delay
between attempts with each failure) are also acceptable, provided such
alternative responses are documented in the approved CSPP.
(2) When a password specification does not comply with those requirements of 5a
and 5b that are implemented, and if the failure to comply is verifiable by
automated means, then the password specification is rejected.
(3) After 6 months of use, individuals are notified that their passwords have expired
and must be changed within five access requests or lockout will occur.
(4) Any password file or database employed by the information system is protected
from access by unauthorized individuals as technically feasible.
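Items (1) and (3) above describe behaviour an authentication gate has to enforce: a lockout after three failures that restores itself after a fixed period (or, alternatively, a delay that grows with each failure), and, once a password is six months old, a limited number of further accesses before lockout. The class below is an added illustration of that state machine, not DOE code or any product's implementation. The fifteen-minute lockout, the two-second base delay for the escalating alternative, the 180-day approximation of six months, the status strings and the class and method names are all assumptions; the gate takes the result of the caller's own credential check and only decides whether the policy admits the attempt.

```python
"""Lockout, escalating delay, and password-expiry handling from section 5e.

Added example, not DOE code. LOCKOUT_SECONDS, BASE_DELAY_SECONDS and the
180-day approximation of six months are assumed values standing in for what
a system manager would set and document in the CSPP.
"""
from dataclasses import dataclass

MAX_FAILURES = 3                 # 5e(1): three failures trigger a lockout
LOCKOUT_SECONDS = 15 * 60        # assumed "predetermined time period"
BASE_DELAY_SECONDS = 2           # assumed starting delay for the alternative response
MAX_AGE_SECONDS = 180 * 86400    # 5e(3): six months, approximated as 180 days
GRACE_LOGINS = 5                 # 5e(3): accesses allowed after expiry before lockout


@dataclass
class Account:
    password_set_at: float
    failures: int = 0
    locked_until: float = 0.0
    grace_used: int = 0
    expiry_locked: bool = False   # set when the grace logins are exhausted


class PasswordGate:
    """Decides whether an authentication attempt is admitted.

    With backoff=False the third failure locks the account for LOCKOUT_SECONDS
    and access is restored automatically afterwards. With backoff=True the
    delay before the next attempt doubles with every failure from the third on.
    """

    def __init__(self, backoff=False):
        self.backoff = backoff
        self.accounts = {}

    def add_user(self, user, now):
        self.accounts[user] = Account(password_set_at=now)

    def change_password(self, user, now):
        """A password change restarts the age clock and clears an expiry lockout."""
        acct = self.accounts[user]
        acct.password_set_at = now
        acct.grace_used = 0
        acct.expiry_locked = False

    def attempt(self, user, password_ok, now):
        """password_ok is the result of the caller's credential check; this
        gate only enforces the lockout and expiry policy around it."""
        acct = self.accounts[user]
        if acct.expiry_locked:
            return "locked-expired"
        if now < acct.locked_until:
            return "locked"          # still inside the lockout or delay window
        if not password_ok:
            acct.failures += 1
            if acct.failures < MAX_FAILURES:
                return "denied"
            if self.backoff:
                # 2 s after the third failure, 4 s after the fourth, 8 s after the fifth ...
                delay = BASE_DELAY_SECONDS * 2 ** (acct.failures - MAX_FAILURES)
            else:
                delay = LOCKOUT_SECONDS
                acct.failures = 0    # counter resets when access is restored
            acct.locked_until = now + delay
            return "locked"
        acct.failures = 0
        acct.locked_until = 0.0
        if now - acct.password_set_at < MAX_AGE_SECONDS:
            return "ok"
        # Password has expired: the user is admitted and told to change it, for at
        # most GRACE_LOGINS accesses; the next one locks the account.
        acct.grace_used += 1
        if acct.grace_used > GRACE_LOGINS:
            acct.expiry_locked = True
            return "locked-expired"
        return f"expired-grace:{GRACE_LOGINS - acct.grace_used}"
```

The time is passed in rather than read from the clock so the behaviour can be exercised deterministically; in a deployment `now` would be `time.time()` and the `Account` records would live in the protected password database of item (4). A correct password presented during a lockout window is still refused, which is the point of the lockout: an attacker who guesses the password on the fourth try gains nothing until the period has elapsed.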
BY ORDER OF THE SECRETARY OF ENERGY:
DAVID M. KLAUS
DIRECTOR OF MANAGEMENT
AND ADMINISTRATION