Password Policy

This policy template can be adapted for your use case.

1.0 Overview

Passwords are vital to computer and information security. A password is a secret string of characters used to verify the identity of a user during the authentication process, and it is the first line of defense against intrusion or unauthorized access. With this in mind, all employees (full time, contract, or otherwise) with access to the company's systems must take the steps outlined below and adhere to them strictly, keeping their passwords secure and thereby protecting the company's assets and network from intruders.

2.0 Purpose

The purpose of this policy is to establish approved and accepted company standards for the selection or creation of passwords, their protection, and the frequency with which they are changed, in line with currently recommended security practice.

3.0 Scope

The scope of this policy includes all personnel and employees in all capacities with access to any of the company’s systems and network.

4.0 Policy

4.1 General

  • All system-level passwords (e.g. root, application administration accounts, network administration accounts, etc.) must be changed quarterly and can't be any of the previous 10 passwords used.

  • All production system-level passwords must be part of the Information Security administered global password management database.

  • All user-level passwords (e.g. email, desktop computer, etc.) must be changed at least every six months and can't be any of the previous seven passwords used.

  • User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password different from all other accounts held by that user.

  • Passwords must not be communicated through any form of electronic or written means.

  • All persons must conform to the guidelines stated below.

4.2 Guidelines

Password Construction:

  • It must be at least eight (8) characters long.

  • It mustn't be the same as the user-id.

  • It must be changed periodically.

  • It mustn't be any of the five (5) previously used passwords.

  • Do not use personal information or easy-to-guess information.

  • Use strong but easy-to-remember passwords.

  • In case of a threat suspicion, change the password immediately and report to the IT department.

  • Do not use the same password across multiple sites.

  • Do not use company passwords for personal use.

  • Do not use default or suggested passwords.

4.3 Password Protection

  • Do not share passwords with anyone else in the company, including co-workers, managers, administrative assistants, IT staff members, etc.

  • Do not share passwords with family members.

  • Do not share or reveal passwords through emails, text, or over the phone.

  • Do not share passwords with any outside persons, including those claiming to be representatives of a business partner with a legitimate need to access a system.

  • Actively avoid phishing scams and any other attempts by hackers to steal passwords and other sensitive information. All employees will receive training on how to recognize these attacks.

  • Refrain from writing passwords down and keeping them at workstations. See above for advice on creating memorable but secure passwords.

  • Do not use password managers or other tools like the “remember password” feature to help store and remember passwords without IT’s permission.

4.4 Password Deletion

  • All passwords that are no longer needed must be deleted or disabled immediately. This includes, but is not limited to, the following:

  • When a user retires, quits, is reassigned, released, dismissed, etc.

  • Default passwords shall be changed immediately on all equipment.

  • Contractor accounts, when no longer needed to perform their duties.

When a password is no longer needed, the following procedures should be followed:

  1. Employees should notify their immediate supervisor.

  2. The contractor should inform their supervisor.

  3. The supervisor should fill out a password deletion form and send it to the IT department.

  4. IT personnel will then delete the user’s password and delete or suspend the user’s account.

  5. A second individual from that department will check to ensure that the password has been deleted and the user account was deleted or suspended.

  6. The password deletion form will be filed in a secure filing system.

4.5 Application Development

Programmers must ensure that their applications conform to the following:

  • Supports authentication of individual users, not groups.

  • Does not store passwords in clear text or any easily reversible form.

  • Provides for some sort of role management, such that one user can take over the functions of another without having to know the other's password.

  • Supports TACACS+, RADIUS, and/or X.509 with LDAP security retrieval wherever possible.
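As an added illustration (not part of the policy template or any product's code), the following Python sketch shows how an application can enforce the construction rules of section 4.2 (minimum length, not equal to the user-id, none of the previous five passwords) while honouring the storage rule of section 4.5 (no clear-text or reversible storage): only salted PBKDF2 hashes are kept, so password history is checked by re-hashing rather than by comparing plain text. The user-id, the history list and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import List, Optional

MIN_LENGTH = 8        # section 4.2: at least eight (8) characters
HISTORY_DEPTH = 5     # section 4.2: none of the five previously used passwords
SALT_LEN = 16
ITERATIONS = 100_000  # assumed value for this example; tune upward for production use


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted, slow, one-way hash (section 4.5: never clear text or reversible).
    Returns salt || digest so the salt is stored alongside the hash."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def check_new_password(user_id: str, password: str, history: List[bytes]) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable.
    `history` holds the hashes of earlier passwords, oldest first."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() == user_id.lower():
        problems.append("identical to the user-id")
    # Only hashes are kept, so reuse is detected by verifying against each recent hash.
    if any(verify_password(password, old) for old in history[-HISTORY_DEPTH:]):
        problems.append(f"reuses one of the previous {HISTORY_DEPTH} passwords")
    return problems


def change_password(user_id: str, new_password: str, history: List[bytes]) -> List[bytes]:
    """Enforce the policy, then return the history with the new hash appended."""
    problems = check_new_password(user_id, new_password, history)
    if problems:
        raise ValueError("; ".join(problems))
    return history + [hash_password(new_password)]
```

A real deployment would also record the change date so the periodic-change rule can be enforced, and would keep the history list per user in the same protected store as the current hash.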

5.0 Enforcement and Penalties

All persons in any form of employment with this company must adhere strictly to these guidelines. If someone demands a password, refer them to this document or have them call the IT department. If an account or password is suspected to have been compromised, report the incident immediately and change all passwords. Password cracking or guessing may be performed on a periodic or random basis by authorized personnel, and if a password is guessed or cracked during one of these scans, the user will be required to change it.

Any employee found in violation of any of these guidelines is liable to disciplinary action up to and including suspension and termination of employment.