International Finance Corporation International Finance Corporation

Password Policy

Policy Rationale

This policy establishes principles for the use and management of passwords throughout the World Bank Group.

Scope and Constraints

This policy applies to all Information Users who require access to the Bank Group’s information and information resources from local or remote locations.

1. Passwords must consist of a minimum of eight (8) characters and must contain at least one (1) alphanumeric character.

2. Information Users must choose easily remembered passwords that are, at the same time, difficult for unauthorized parties to guess. The Bank Group recommends that users adhere to the following principles when creating passwords:
        2.1. Stringing several words together (the resulting passwords are also known as passphrases).
        2.2. Combining punctuation or numbers with a regular word.
        2.3. Creating acronyms from words in a song, a poem or another known sequence of words.
        2.4. Deliberately misspelling a word (but not a common misspelling).
        2.5. Combining a number of personal facts like birth dates and favorite colors.

3. Passwords for normal user accounts will expire after a maximum of one hundred and eighty (180) calendar days.

4. Sharing of user IDs and passwords is strictly forbidden, this information must be kept secure at all times.

5. Any unauthorized attempt to discover the password of another Information User or to access the Bank Group’s systems using someone else’s user ID or password is strictly prohibited.

6. Unauthorized access (i.e. security violations of passwords) must be reported to the Business Unit Manager and the Information Security Office.


7. The Information Security Office is responsible for developing and issuing appropriate password policies, procedures and good practices for access to the Bank Group’s systems.

8. The Information Solutions Group (ISG) provides information systems managers and personnel whose responsibilities include providing and managing user accounts and password systems, monitoring systems for unauthorized use, reporting information security violations and deleting expired accounts, upon request from Business Unit Managers.

9. Business Unit Managers are responsible for authorizing access to Bank Group systems, for requesting and canceling accounts for Information Users, and for ensuring that Bank Group and non-Bank Group Information Users understand and adhere to Bank Group policies, procedures and good practices for using accounts and passwords.

10. Information Users are responsible for adhering to policies and rules for accessing and using system accounts, and for creating and using passwords.

Relevant International or National Standards

ISO/IEC 17799:2000 Information Technology – Code of Practice for Information Security Management – Reference A.9.2.3 User Password Management and A.9.3.1 Password use.

BS 7799 -2: 2002 Specification for Information Security Management Systems