Sarbanes-Oxley & PCI: What is a 'complex' password?

Posted by Teresa Bockwoldt on October 29, 2013

I found an interesting article from intuit relating to IT General Computer Controls (ITGCC) and what is the definition of a minimum requirement for a password to be accepted as 'complex.' According to the article from Intuit:

Complex (strong) passwords are required by the PCI DSS (Payment Card Industry Data Security Standard) for all users with access to payment card numbers. Refer to section 8.5 of the PCI DSS for additional requirements related to user passwords.

Minimum requirements for a password to be accepted as complex:

  1. The password must contain:

    • At least 7 characters (letters, numbers, special characters)

    • At least 1 number

    • At least 1 uppercase letter

  2. Complex passwords must be changed every 90 days. 

Examples of complex passwords (reader, don't use these):

> Example3

> 4seCurity

> 55QuickBooks66

This was interesting because this information could also apply to the Sarbanes-Oxley COBIT control requirements over strong passwords.

Accounting Tip of the Day: One of the tests we perform on complex passwords is to verify that the user of an application has changed the standard password given out by the software manufacture. Often times, people will continue to use the assigned password since it meets the complexity requirements and it appears to be unique. Unfortunately, these standard passwords are available on the internet for most major general ledger systems so if someone wanted to get into your GL, that would be the first thing they'd typically try.

So, change your system passwords to something unique for you and require your company’s passwords to be 'complex' using the definition from Intuit above or something similar. This should help protect your company from unwanted intrusions. 

Tags: Sarbanes-Oxley Articles & Information, Accounting Tip of the Day, ITGCC, Sarbanes-Oxley, Internal Control Education, internal control tips