The purpose of this Password Policy is to establish strong and secure password practices that safeguard the information technology (IT) resources and protect against unauthorized access and data breaches. This policy aligns with the security controls specified in NIST Special Publication 800-53 - "Security and Privacy Controls for Federal Information Systems and Organizations."
This policy applies to all users, including employees, contractors, and third parties, who access the IT resources, including but not limited to computer systems, applications, networks, and databases. Compliance with this policy is mandatory to ensure a consistent and robust security posture across the organization.
3. Password Complexity and Length Rules
Minimum Length: Passwords must be at least X characters long.
Complexity: Passwords must include uppercase letters, lowercase letters, numbers, and symbols.
Password History: Users cannot reuse any of their last X passwords.
Maximum Password Age: Passwords must be changed every X days.
Lockout Policy: An account is locked out after X failed login attempts.
Minimum Password Age: A password cannot be changed again until X days have elapsed.
Account Lockout Duration: X minutes.
No Username: A password cannot contain the username or any part of the user's full name.
Prohibited Passwords: Commonly used passwords and patterns (e.g., "password", "123456", "qwerty") are not permitted.
Prohibited Patterns: Sequential or repetitive characters (e.g., "abcd", "1111") are not permitted.
These complexity requirements increase the effort required to guess a password and reduce the risk of successful brute-force and dictionary attacks.
3.2. Password Expiration
Passwords must be changed to limit exposure in case of password compromise. Regular password changes encourage the use of new, strong passwords and decrease the likelihood of reused or weak passwords.
Users will receive advance notification of upcoming password expiration to prompt timely password updates and minimize the risk of being locked out due to an expired password.
4. Password Storage and Transmission
4.1. Password Storage
The organization stores passwords using strong, purpose-built password hashing algorithms rather than encryption. Each password is salted with a unique random value and hashed before storage, so that a compromised password database cannot be reversed to recover the original passwords. Storing passwords in plaintext or in any reversible format is strictly prohibited.
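The following is an added example, not part of the policy text, showing how the complexity rules of section 3 and the salted-hash storage requirement of section 4.1 can be enforced together in code. Every threshold value (minimum length, history size, run length, the common-password list beyond the three entries the policy names, and the PBKDF2 iteration count) is an assumed placeholder standing in for the policy's "X"; the password history is kept as stored hashes, so the reuse check never needs plaintext.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass


# Policy thresholds. The source policy leaves these as "X"; the numbers here
# are assumed placeholder values, not values taken from the policy.
@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12          # "at least X characters"
    history_size: int = 5         # "cannot reuse the last X passwords"
    run_length: int = 4           # length of a sequential/repeated run to reject
    common_passwords: frozenset = frozenset({"password", "123456", "qwerty", "letmein"})


# --- Storage (section 4.1): salted, slow hashing from the standard library ---
PBKDF2_ITERATIONS = 600_000       # assumed work factor


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex' using a fresh random salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


# --- Complexity rules (section 3) -------------------------------------------
def has_required_classes(pw):
    """Uppercase, lowercase, digit and symbol must all be present."""
    return (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw))


def has_sequential_run(pw, run):
    """True if `run` consecutive characters each step up or down by one ("abcd", "4321")."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        steps = [ord(low[i + j + 1]) - ord(low[i + j]) for j in range(run - 1)]
        if all(s == 1 for s in steps) or all(s == -1 for s in steps):
            return True
    return False


def has_repeated_run(pw, run):
    """True if any character is repeated `run` or more times in a row ("1111")."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def contains_identity(pw, username, full_name):
    """Reject passwords containing the username or any part (3+ chars) of the full name."""
    low = pw.lower()
    parts = [username] + full_name.split()
    return any(len(p) >= 3 and p.lower() in low for p in parts)


def validate_password(pw, username, full_name, history, policy=PasswordPolicy()):
    """Return the list of violated rules (empty means compliant).

    `history` holds previously stored hashes, newest first; only the most
    recent `policy.history_size` entries are checked for reuse.
    """
    violations = []
    if len(pw) < policy.min_length:
        violations.append("min_length")
    if not has_required_classes(pw):
        violations.append("character_classes")
    if contains_identity(pw, username, full_name):
        violations.append("contains_username_or_name")
    if any(common in pw.lower() for common in policy.common_passwords):
        violations.append("common_password")
    if has_sequential_run(pw, policy.run_length) or has_repeated_run(pw, policy.run_length):
        violations.append("sequential_or_repeated")
    if any(verify_password(pw, h) for h in history[:policy.history_size]):
        violations.append("reused_password")
    return violations
```

On a password change, the application would call `validate_password` with the user's stored hash history, and only if the returned list is empty call `hash_password` and push the new hash onto the front of that history. Because the reuse check runs the slow hash once per stored entry, the history size is deliberately bounded.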
4.2. Password Transmission
Passwords must be transmitted only over encrypted channels during login or authentication. TLS (the successor to the now-deprecated SSL) is used to encrypt password data in transit so that passwords cannot be read by anyone intercepting the connection.
5. Multi-Factor Authentication (MFA)
5.1. MFA Requirement
Multi-Factor Authentication (MFA) is mandatory for all user accounts accessing our sensitive systems and data. MFA adds an additional layer of security by requiring users to provide two or more authentication factors (e.g., password and a unique token or biometric verification). This significantly reduces the risk of unauthorized access, even if passwords are compromised.
MFA strengthens the organization's security posture and mitigates the risk of unauthorized access resulting from password breaches or phishing attacks.
6. Account Lockout
6.1. Account Lockout Threshold
A maximum number of unsuccessful login attempts will trigger an account lockout. This mechanism protects against brute force attacks by limiting the number of attempts an attacker can make.
6.2. Account Lockout Duration
After an account lockout is triggered, the account will be temporarily locked out, preventing continuous brute force attempts. The lockout duration provides a temporary window during which users cannot attempt to log in, further reducing the risk of unauthorized access.
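The following is an added example, not part of the policy text, of how the lockout threshold (6.1) and lockout duration (6.2) can be enforced by the authentication layer. The threshold of 5 attempts and the 15-minute duration are assumed placeholders for the policy's "X" values. The clock is injectable so the expiry behaviour can be tested without waiting, and the credential check is skipped entirely while an account is locked so that a locked account gives the same answer to a correct and an incorrect password.

```python
import time
from dataclasses import dataclass

# Placeholders for the policy's "X" values (assumed, not from the policy).
LOCKOUT_THRESHOLD = 5                 # failed attempts before lockout
LOCKOUT_DURATION_SECONDS = 15 * 60    # lockout duration


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: float = 0.0         # epoch seconds; 0.0 means not locked


class LockoutTracker:
    """Counts failed logins per account and enforces a temporary lockout."""

    def __init__(self, threshold=LOCKOUT_THRESHOLD,
                 duration=LOCKOUT_DURATION_SECONDS, clock=time.time):
        self.threshold = threshold
        self.duration = duration
        self.clock = clock            # injectable for testing
        self.accounts = {}

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user):
        """True while the lockout window is open; clears expired lockouts."""
        st = self._state(user)
        if st.locked_until == 0.0:
            return False
        if self.clock() < st.locked_until:
            return True
        # Lockout expired: reset the counter so the user gets a fresh allowance.
        st.locked_until = 0.0
        st.failed_attempts = 0
        return False

    def remaining_lockout_seconds(self, user):
        st = self._state(user)
        return max(0.0, st.locked_until - self.clock()) if self.is_locked(user) else 0.0

    def attempt_login(self, user, password, verify):
        """Return 'locked', 'success' or 'failure'.

        `verify(user, password)` performs the real credential check; it is not
        called at all while the account is locked.
        """
        if self.is_locked(user):
            return "locked"
        st = self._state(user)
        if verify(user, password):
            st.failed_attempts = 0
            return "success"
        st.failed_attempts += 1
        if st.failed_attempts >= self.threshold:
            # Threshold reached: open the lockout window. This is the event a
            # monitoring pipeline (section 8.2) should record and alert on.
            st.locked_until = self.clock() + self.duration
        return "failure"
```

The `verify` callback would normally be the salted-hash comparison used by the password store; keeping it outside the tracker means the lockout logic can be unit-tested with a trivial stand-in and reused in front of any credential backend.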
7. Password Management
7.1. Prohibited Actions
To maintain strong password security, users must not share passwords with others. Sharing passwords compromises the security of the account and is strictly prohibited.
Writing down passwords and leaving them in unsecured locations, such as sticky notes on desks, poses significant security risks. Users are encouraged to use secure password management tools to store passwords safely.
Using the same password for multiple accounts is strongly discouraged, as it amplifies the impact of a single password compromise across multiple systems.
7.2. Password Reset
We provide a secure password reset process for users who forget their passwords. The process includes additional identity verification steps to ensure the legitimate account owner is requesting the password reset. This helps prevent unauthorized individuals from gaining access to user accounts.
8. Monitoring and Audit
8.1. Password Audit
We conduct regular password audits to identify weak passwords, policy violations, and trends that may require policy updates. Password audits help identify patterns of non-compliance and provide insights into areas for improvement in the organization's password security measures.
8.2. Password-related Incident Monitoring
We actively monitor and investigate password-related security incidents, such as suspicious password reset requests and unauthorized access attempts. Prompt detection and response to such incidents are critical in preventing data breaches and protecting sensitive information.
9. Policy Review and Updates
We will review and update this Password Policy as necessary to reflect changes in technology, regulations, or organizational needs. Continuous assessment of the policy's effectiveness will be conducted to maintain robust security practices.
How Changed It: