
Password Policy

Version: 1.00 Issue Date: 9/9/2019

1.0 Overview

All employees and personnel that have access to organizational computer systems
must adhere to the password policies defined below in order to protect the security of
the network, protect data integrity, and protect computer systems.

2.0 Purpose

This password policy is designed to protect the organizational resources on the network
by requiring strong passwords along with protection of these passwords, and
establishing a minimum time between changes to passwords. The purpose of this
password policy is to protect organizational resources by requiring the use of strong
passwords and establish measures to protect accounts and passwords by establishing
account lockout policies and password expiration and retention policies.

3.0 Scope

This password policy applies to any person who has access to organizational resources
whether they are permanent, temporary, or part time staff members and includes all
external persons who access organizational resources including consultants,
contractors, vendors, and any volunteers. This password policy applies to all types of
accounts including administrator accounts, email accounts, network accounts, and local
accounts. This policy is effective as of the issue date and does not expire unless
superseded by another policy.

4.0 Terms

• Multi-factor authentication - Authentication can use three types of items which
are:
  o Something the user knows.
  o Something the user has.
  o Something the user is.

Multifactor authentication would use two or three of the above types of items.

• Public key cryptography - A form of cryptography which uses both a publicly
available key and a key that is kept private. If data is encrypted with the public
key, only the private key can be used to decrypt it. If the data is encrypted with a
private key, the public key can be used to decrypt it.
• Password - Passwords are a method of identifying a user using something they
know. Passwords are normally 8 or more characters in length and to be secure
may have minimum complexity rules requiring several types of characters to be
used in the password such as lower case letters, upper case letters, numbers,
and special characters.
• Pass phrase - A pass phrase is used in much the same way as a password to
identify users but is generally much longer and normally considered a more
secure authentication mechanism than passwords since more characters would be
harder to crack.
• Biometrics - Biometrics is a possible method of user authentication that uses
something that the user is to determine the user identity. This may include a
retinal scan, fingerprint, or facial features.

5.0 Password Use Rules

• Never send passwords through email or in other forms of electronic
communication without encryption.
• Never send your password through email or any electronic media since even an
encrypted password may be decrypted and compromised.
• Never write passwords down.
• Never include a password in a non-encrypted stored document.
• Never tell anyone your password.
• Never reveal your password over the telephone.
• Never hint at the format of your password.
• Never reveal or hint at your password on a form on the internet.

6.0 Password Protection

1. Never use the "Remember Password" feature of application programs such as
Internet Explorer, your email program, or any other program.
2. Never use your corporate or network password on an account over the internet
which does not have a secure login where the web browser address starts with
https:// rather than http://
3. Report any suspicion of your password being broken to your IT computer security
office and/or help desk.
4. If anyone asks for your password, refer them to your IT computer security office.
5. Don't use common acronyms as part of your password.
6. Don't use common words or reverse spelling of words in part of your password.
7. Don't use names of people or places as part of your password.
8. Don't use part of your login name in your password.
9. Don't use parts of numbers easily remembered such as phone numbers, social
security numbers, or street addresses.
10. Don't use word or number patterns for parts of passwords like abcdefg, 123456,
zxcvbnm, 654321, or zzxxyyww.
11. Be careful about letting someone see you type your password.
12. User accounts and passwords must be unique to one person and more than one
person shall not be allowed to share a single account. No one with an
organizational password may share their password or account information with
another person.
13. Do not use the same password for organizational accounts that you use for
external accounts such as external email accounts, passwords for ISP accounts,
and other internet web site accounts.
14. Be aware that passwords stored on handheld devices and computers
unencrypted are very vulnerable and are easily compromised. Even passwords
stored in a reversible encrypted format can be cracked.

The organization may periodically check user passwords to determine how strong they
are either using in house staff or external parties at its discretion. The user will be
required to change their password if the password is determined to be too weak.

7.0 Password Requirements (subject to change)

Those setting password requirements must remember that making the password rules
too difficult may actually decrease security if users decide the rules are impossible or
too difficult to meet. If passwords are changed too often, users may tend to write them
down or make their password a variant of an old password which an attacker with the
old password could guess. The following password requirements will be set by the IT
security department:

1. Minimum Length - 8 characters recommended
2. Maximum Length - 14 characters
3. Minimum complexity - No dictionary words included. Passwords should use three
of four of the following four types of characters:
1. Lowercase
2. Uppercase
3. Numbers
4. Special characters such as !@#$%^&*(){}[]
4. Passwords are case sensitive and the user name or login ID is not case
sensitive.
5. Password history - Require a number of unique passwords before an old
password may be reused. This number should be no less than 24.
6. Maximum password age - 60 days
7. Minimum password age - 2 days
8. Store passwords using reversible encryption - This should not be done without
special authorization by the IT department since it would reduce the security of
the user's password.
9. Account lockout threshold - 4 failed login attempts
10. Reset account lockout after - The time it takes between bad login attempts before
the count of bad login attempts is cleared. The recommended value as of the
date of writing this article is 20 minutes. This means if there are three bad
attempts in 20 minutes, the account would be locked.
11. Account lockout duration - Some experts recommend that the administrator reset
the account lockout so they are aware of possible break in attempts on the
network. However this will cause a great deal of additional help desk calls.
Therefore depending on your security needs, the account lockout should be
between 30 minutes and 2 hours. If your security needs are high, you may want
to require a manual reset of the account.
12. Password protected screen savers should be enabled and should protect the
computer within 5 minutes of user inactivity. Computers should not be
unattended with the user logged on and no password protected screen saver
active. Users should be in the habit of not leaving their computers unlocked. They
can press the CTRL-ALT-DEL keys and select "Lock Computer".
13. Rules that apply to passwords apply to passphrases which are used for
public/private key authentication.
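The length, complexity and "don't use" rules in sections 6.0 and 7.0 are easy to state but are only enforced if something checks a candidate password against them before it is accepted. The checker below is an added example written for this page, not part of the policy; the small word list, the keyboard rows used to detect patterns, and the sample passwords are constructed for the example. It applies the 8 to 14 character length limits, the three-of-four character class rule, the ban on dictionary words and their reverse spelling, on fragments of the login name, on alphabetic, numeric and keyboard sequences such as abcdefg or zxcvbnm, and on repeated-pair patterns such as zzxxyyww, and reports every rule a password breaks rather than stopping at the first.

```python
"""Checker for the password rules in sections 6.0 and 7.0 of the policy.

Added illustration, not part of the policy document. The word list, keyboard
rows and sample passwords are constructed for the example.
"""
import re
import string

MIN_LENGTH = 8                     # 7.0 rule 1
MAX_LENGTH = 14                    # 7.0 rule 2
MIN_CLASSES = 3                    # 7.0 rule 3: three of the four character classes
SPECIALS = set("!@#$%^&*(){}[]")   # special characters named in the policy

# Constructed stand-in for a real dictionary (6.0 rule 6, 7.0 rule 3).
DICTIONARY = {"password", "welcome", "summer", "dragon", "secret"}

# Runs of 4+ characters from these sequences (or their reverse) count as a
# pattern (6.0 rule 10: abcdefg, 123456, zxcvbnm, 654321).
SEQUENCES = [string.ascii_lowercase, string.digits, "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def _char_classes(pw):
    """Count how many of the four character classes the password uses."""
    classes = 0
    if any(c.islower() for c in pw):
        classes += 1
    if any(c.isupper() for c in pw):
        classes += 1
    if any(c.isdigit() for c in pw):
        classes += 1
    if any(c in SPECIALS for c in pw):
        classes += 1
    return classes


def _has_sequence_run(pw, run=4):
    """True if any window of `run` characters is a slice of a known sequence."""
    low = pw.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            for i in range(len(s) - run + 1):
                if s[i:i + run] in low:
                    return True
    return False


def _has_repeated_pairs(pw):
    """True for three or more consecutive doubled characters, e.g. zzxxyyww."""
    return re.search(r"(?:(.)\1){3,}", pw) is not None


def _contains_dictionary_word(pw):
    """6.0 rule 6: no common words, forwards or reversed."""
    low = pw.lower()
    return any(w in low or w[::-1] in low for w in DICTIONARY)


def _contains_login_fragment(pw, login, n=3):
    """6.0 rule 8: no run of `n` characters taken from the login name."""
    low, lg = pw.lower(), login.lower()
    return any(lg[i:i + n] in low for i in range(len(lg) - n + 1))


def check_password(pw, login):
    """Return a list of policy violations; an empty list means compliant."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if len(pw) > MAX_LENGTH:
        problems.append("longer than 14 characters")
    if _char_classes(pw) < MIN_CLASSES:
        problems.append("fewer than 3 of 4 character classes")
    if _contains_dictionary_word(pw):
        problems.append("contains a dictionary word (or its reverse)")
    if _contains_login_fragment(pw, login):
        problems.append("contains part of the login name")
    if _has_sequence_run(pw):
        problems.append("contains a keyboard or alphabetic/numeric sequence")
    if _has_repeated_pairs(pw):
        problems.append("contains a repeated-pair pattern")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: one compliant password, several that fail.
    for candidate in ["Tr0ub&dor9", "jsmith123", "Abcdefg1!", "Drowssap#9X"]:
        print(candidate, "->", check_password(candidate, "jsmith") or "OK")
```

The checker is deliberately permissive about what it treats as a dictionary or a keyboard row: in practice the word list would be the organisation's breached-password and dictionary data, and the same function can be run by the help desk when a password is reported weak under section 6.0's periodic checks.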

8.0 Choosing Passwords

Use password choosing tips as shown at ……… and be sure your passwords meet the
minimum guidelines.

9.0 Passwords and Applications

Applications should provide user role and account security with the following features:

• Authenticate individual users rather than groups.
• Not store passwords in any reversible format.
• Provide for management of application access and functions using user role
management so users can be put into roles that allow them to perform required
functions without knowing other users' passwords.
• Use network authentication where possible. For example, using Active Directory
as a single authentication source is a more efficient resource when security
requirements permit.
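"Not store passwords in any reversible format" (this section) and the 24-password history requirement (section 7.0, rule 5) fit together: if an application keeps only salted one-way digests, it can still refuse the reuse of an old password by re-deriving the candidate with each remembered salt and comparing digests, without ever holding the old passwords themselves. The code below is an added example for this page, not code from the policy or from any product it mentions. It uses PBKDF2-HMAC-SHA256 from the Python standard library; the iteration count, the per-record layout and the Account class are choices made for the example (the iteration count is kept low so the example runs quickly, and a production deployment would use a higher work factor).

```python
"""Non-reversible password storage (section 9.0) plus the password-history
check from section 7.0 rule 5, built on the same records.

Added illustration, not part of the policy document. PBKDF2 parameters and the
Account record layout are assumptions made for this example.
"""
import hashlib
import hmac
import secrets

ITERATIONS = 100_000     # work factor; kept low for the example, raise in production
HISTORY_DEPTH = 24       # 7.0 rule 5: at least 24 unique passwords before reuse


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per record means two users
    with the same password get different digests, and the digest cannot be
    reversed to recover the password."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class Account:
    """Holds only salted digests: the current one plus up to HISTORY_DEPTH old ones."""

    def __init__(self, login, password):
        self.login = login
        self.history = []          # list of (salt, digest), newest last
        self._store(password)

    def _store(self, password):
        self.history.append(hash_password(password))
        # current password + 24 predecessors is enough to enforce rule 5
        self.history = self.history[-(HISTORY_DEPTH + 1):]

    def authenticate(self, password):
        """Check the candidate against the current (newest) record only."""
        salt, digest = self.history[-1]
        return verify_password(password, salt, digest)

    def in_history(self, password):
        """True if the candidate matches the current or any remembered record."""
        return any(verify_password(password, s, d) for s, d in self.history)

    def change_password(self, old, new):
        """Return True on success; refuse an unauthenticated caller or a reused password."""
        if not self.authenticate(old):
            return False
        if self.in_history(new):
            return False
        self._store(new)
        return True


if __name__ == "__main__":
    # Constructed sample: a user who tries to cycle back to an old password.
    acct = Account("jsmith", "Tr0ub&dor9")
    print("login ok:", acct.authenticate("Tr0ub&dor9"))
    print("reuse refused:", not acct.change_password("Tr0ub&dor9", "Tr0ub&dor9"))
    print("change ok:", acct.change_password("Tr0ub&dor9", "N3w!Passw0rd"))
    print("old password refused:", not acct.change_password("N3w!Passw0rd", "Tr0ub&dor9"))
```

Because each record carries its own salt, the history check costs one key derivation per remembered record; that is the price of never storing anything an attacker who copies the database could turn back into the user's passwords, which is what the policy's ban on reversible formats is meant to prevent.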

10.0 Enforcement

Since password security is critical to the security of the organization and everyone,
employees that do not adhere to this policy may be subject to disciplinary action up to
and including denial of access, legal penalties, and/or dismissal. Any employee aware
of any violation of this policy is required to report it to their supervisor or other
authorized representative.

11.0 Other Considerations

Administrator passwords must be protected very carefully. Administrator accounts
should have the minimum access to perform their function. Administrator accounts must
not be shared.

The organization should work toward stronger authentication techniques as
technologies and costs permit it including solutions such as pass phrases, multi-factor
authentication, stronger and more secure hashing and encryption techniques,
biometrics, and public key cryptography.

Approval

Approved by:__________________________ Signature:_____________________


Date:_______________
