Password Policy Rules – Regulations for User Accounts in PG IT Systems (REG01)

We remind users to comply with the password policy in accordance with §4 of the Regulations for User Accounts in PG IT Systems (REG01):

Access to individual parts of the IT system is possible only by providing the correct identifier assigned to the user during the account activation process in the IT system and the password generated by the user.

Authentication also requires identity confirmation based on two-factor authentication.

User passwords for systems must comply with the following rules:

  • the password must consist of at least 8 characters;

  • the password must meet the complexity requirement, including at least one letter and two non-alphabetic characters;

  • when changing a password, each new password must be different from the previous ones;

  • passwords must be stored in a manner ensuring their confidentiality.

Sharing passwords with other persons is strictly prohibited.

The password must meet at least the following conditions:

  • it may not contain the user account name or parts of the user’s full name exceeding two consecutive characters;

  • it must contain at least 8 characters;

  • it must include characters from three of the following four categories:
    i. uppercase English letters (A–Z),
    ii. lowercase English letters (a–z),
    iii. decimal digits (0–9),
    iv. non-alphabetic characters (e.g., !, $, #, %).

It is prohibited to create passwords based on:

  • personal attributes and numbers (e.g., dates of birth, names, etc.);

  • keyboard sequences (e.g., qwerty, 12qwaszx);

  • the user identifier.

Creating passwords that are easy to guess is prohibited.

The system password is set independently by the user during account activation. In the case of account activation via the Helpdesk, login information is provided to the user, and the password is obtained via reset using an SMS sent to the phone number defined as the password recovery number.

In the event of suspected disclosure of a password to an unauthorized person, the password must be changed immediately by the user. The change may be enforced by the ASI.

Password changes are made by the user. If a user forgets their password, the appropriate ASI or an authorized administrative employee, after verifying the user’s identity, issues a password reset envelope, allows the user to enter a new password, or enables/recommends an SMS password reset.

It is prohibited to transmit passwords in plain text via telephone, fax, or email.


Recommended Methods for Creating Strong Passwords

The following examples are based on recommendations from CERT Polska regarding the creation of secure passwords.

We encourage you to review CERT Polska’s educational materials:
https://cert.pl/uploads/2022/01/hasla/resources/plakaty_informacyjne_hasla_a4.pdf

To ensure that a password is both compliant with the security policy and easy to remember, we recommend using the following methods:


Full Sentence Method (Passphrase)

You can create a password in the form of a short, unique sentence (at least several words), and then add numbers and special characters to meet complexity requirements.

Example (compliant with complexity requirements):
ZielonyMostekDla3Kotow!

Well-known quotations, popular sayings, and obvious patterns should be avoided.


Description of an Imaginary Scene

An effective method is to create a password describing an unusual, easy-to-imagine scene. It should preferably contain an unrealistic or abstract element.

Example:
FioletowyParkingDla7Balonow$

Such passwords are more resistant to dictionary-based attacks.


Combining Words from Different Languages

A password can be built by combining words from different languages, adding numbers and a special character.

Example:
DwaBialeFlyingKroliki9#

Such constructions significantly hinder dictionary-based attacks.

Centrum Usług Informatycznych Politechniki Gdańskiej 2024