F.No. S/12-Gen-02 / 2006 -07 AM (X)                                              Date :  22.08.2006







                        Sub.:  Security of Passwords by ICES Users –Reg.




            Attention of all Officers of this Custom House is invited to Directorate General of Systems & Data Management’s instructions vide F.No.  IV(26)/7/2006-Systems-737 dated 31.07.2006 regarding security of passwords by ICES users.


            Recently, an instance of drawback fraud has been noticed wherein substantial amount of drawback was fraudulently availed in an Air Cargo Complex.  The fraud took place on account of compromise of passwords of some ICES users.


            It is once again reiterated that protection of password by the users is the first line of defense in an electronic environment in so far as security of data is concerned.  In the data processing systems, the biggest threat to data comes from password compromise. All users of ICES system once assigned a user ID and password. are required to maintain the confidentiality of the password. 
They are also required a periodically change their password.  It is also the responsibility of the Systems Managers to ensure that on transfer of officers or a change in roles of the officers, a user id is deactivated or privileges modified in the system.


            In order to avoid password compromise, the following steps should be followed by all users of the system.



            Steps to avoid Password Compromise:-


1.                  The password is first allotted to user by the Systems Manager.  Change the password immediately after is has been allotted by the System Manager.


2.         Password construction rules:

                  (a)    The password should be of a minimum length of eight characters.

(b)    The password should be constructed to contain both alphabet characters and alphanumeric characters.  A simple way of doing this is by constructing sentences that the user will remember such as ‘Mohan visited the Custom House on 3rd March, 2000’.  This sentence can be condensed into the following pnemonic ‘MVTCH0332K’.  Similar pnemonics derived from other easy to remember sentences containing dates / numbers form good passwords.


(c)       It is preferable to use a certain minimum number of lower case



(d)      It is best to avoid repeating a single character several times in the 



(e)      The use of names in passwords should be strictly avoided.  This    

applies not only to user names but those of his/her family and friends.


(f)   Avoid use of the words in the dictionary as passwords.


3.         Change the password at regular intervals:  Passwords should not be kept for use beyond fifteen days at the most.  All users are advised to change their passwords at intervals of one week and in any case within fifteen days.


4.         Never repeat a password:  Password once used and changed should not be used again.  It is a safe practice that protects user from persons who try and guess passwords.


5.         Avoid writing the password on paper / on the monitor or anywhere where it can be found.  Most password compromises have their origin in passwords being written in a place where others can locate them.


6.         Passwords should not be typed in front of other people.  While typing the user should request the other person to turn away.  In case of doubt that someone may have seen the user’s password, the user should change the password forthwith.


7.         Users should never leave their seat before logging out:  All users must remember that if any other person is able to work on the user’s account he / she can inflict considerable damage in the name of the user.

8.         Do not disclose your password to anybody, not even to your superior or subordinate.  In exceptional circumstances when the password has to be shared, it should be changed immediately after the shared task has been completed.

9.         Do not ask the subordinates or outside persons (CHAs / CMC employees) to carry out operations on the system meant to be performed by the officer / staff himself.


All concerned are directed to follow the above instructions scrupulously, and disregard of these instructions may invite disciplinary actions.