
Password management

27.08.2025

The international standard ISO/IEC 27002 offers a host of practical advice on password management in IT systems. It emphasizes the importance of strong, unique passwords, secure distribution and regular password changes to protect user accounts.

ISO/IEC 27002 identifies three key areas for password management: password creation and distribution, user responsibilities and password management systems:

Password creation and distribution

  • Passwords should be complex, unique and not easily guessable.
  • Passwords must be transmitted securely to users.
  • User identity should be verified before providing password information.
  • Default passwords provided by vendors must be changed immediately.

User responsibilities

  • Users must keep passwords secret and not share them with others.
  • Passwords should be changed promptly if compromised.
  • Users should create complex passwords using a mix of characters.

Password management system

  • Users should be able to choose and change their passwords.
  • Multi-factor authentication is recommended.
  • Passwords should expire regularly, especially after security incidents or employee changes.
  • Previous passwords should be prevented from being reused.
  • Passwords should be stored and transmitted securely.
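The three areas above map onto a small number of concrete controls in an authentication component. The following Python module is an added illustration, not code from IEC or from ISO/IEC 27002: it provisions an account with a temporary password that must be replaced at first logon, stores only a salted scrypt digest, checks complexity and rejects vendor defaults, refuses reuse of recent passwords, expires passwords on a long routine cycle or immediately after a suspected compromise, and lets the user change the password themselves. The policy numbers (12 characters, three character classes, five-deep history, one-year age) and the list of well-known default passwords are constructed for the example; the standard leaves such values to the organisation.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy parameters are constructed for this example; ISO/IEC 27002 leaves the
# exact numbers to the organisation.
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3
HISTORY_DEPTH = 5                 # previous passwords that may not be reused
MAX_AGE = timedelta(days=365)     # routine expiry, kept long to avoid password fatigue
VENDOR_DEFAULTS = {"admin", "password", "changeme"}   # constructed sample list


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest); only the digest is stored, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against a stored salt/digest pair."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def check_complexity(password: str) -> list[str]:
    """Return the policy violations of a candidate password (empty means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"at least {MIN_LENGTH} characters required")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    if sum(classes) < MIN_CHARACTER_CLASSES:
        problems.append(f"use at least {MIN_CHARACTER_CLASSES} character classes")
    if password.lower() in VENDOR_DEFAULTS:
        problems.append("vendor default or well-known password")
    return problems


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    changed_at: datetime
    must_change: bool = False          # set for first logon or after a compromise
    history: list[tuple[bytes, bytes]] = field(default_factory=list)


def create_account(username: str, temporary_password: str, now: datetime) -> Account:
    """Provision an account whose temporary password must be replaced at first logon.

    Verifying the user's identity and delivering the temporary password securely
    (out of band) are process controls outside this code.
    """
    salt, digest = hash_password(temporary_password)
    return Account(username, salt, digest, changed_at=now, must_change=True)


def force_change(account: Account) -> None:
    """Mark the password for replacement, e.g. after a suspected compromise."""
    account.must_change = True


def change_password(account: Account, current: str, new: str, now: datetime) -> list[str]:
    """User-initiated change; returns the reasons it was refused (empty on success)."""
    if not verify_password(current, account.salt, account.digest):
        return ["current password is incorrect"]
    problems = check_complexity(new)
    # Each stored entry has its own salt, so the candidate is rehashed per entry.
    for salt, digest in [(account.salt, account.digest)] + account.history:
        if verify_password(new, salt, digest):
            problems.append(f"password matches one of the last {HISTORY_DEPTH + 1} used")
            break
    if problems:
        return problems
    account.history = ([(account.salt, account.digest)] + account.history)[:HISTORY_DEPTH]
    account.salt, account.digest = hash_password(new)
    account.changed_at = now
    account.must_change = False
    return []


def authenticate(account: Account, password: str, now: datetime) -> str:
    """Return 'denied', 'change-required' or 'ok'."""
    if not verify_password(password, account.salt, account.digest):
        return "denied"
    if account.must_change or now - account.changed_at > MAX_AGE:
        return "change-required"
    return "ok"
```

The reuse check is deliberately done by rehashing the candidate against each stored salt rather than keeping old passwords in a comparable form; that keeps the history as safe as the current credential, at the cost of a few extra scrypt computations per change, which is acceptable for an interactive operation.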

It is worth pointing out that the advice in international standards always strives to be realistic and practical. For instance, ISO/IEC 27002 warns against the dangers of password fatigue, noting that overly frequent password changes can be frustrating and may lead to weaker passwords.

Cyber security for operational technology (OT)

IEC 62443 is the world’s best-known standard for the cyber security of critical infrastructure and other industrial automation and control systems (IACS). This operational technology (OT) was once offline but is now connected to an array of monitors, sensors and other devices through the Industrial Internet of Things (IIoT).

IEC 62443-3-3 is where most of the advice on measures to ensure the integrity and security of passwords can be found. It includes guidelines for complexity, uniqueness, secure storage, and regular updates.

The security levels described in IEC 62443 directly impact password management. Quite simply, the higher the security level, the more stringent the requirements for password management become.

Principle of least privilege

One of the most important pieces of advice, found in both the ISO/IEC 27000 family of standards and the IEC 62443 series, relates to the “principle of least privilege”. The idea is that users should only have access to the network and network services necessary to perform their jobs.

But even if your organisation's IT professionals have applied the principle of least privilege, you still have to choose the right password.

Source: IEC