Password management policy
March 30, 2020
Password-driven security may not be the perfect solution, but the alternatives haven’t gained much traction. This policy defines best practices that will make password protection as strong and manageable as possible.
From the policy:
Employee passwords are the first line of defense in securing the organization from inappropriate or malicious access to data and services. In many cases, compromised user accounts have been turned into stepping stones for administrator-level penetration by unauthorized individuals, resulting in catastrophic, well-publicized data breaches.
Regardless of whether accounts are used for testing, workstation setups, day-to-day use, or superuser/root privileges, establishing and maintaining a strong password management policy is the foundation of a secure organization.
This policy provides guidelines for the consistent and secure management of passwords for employees and system and service accounts. It includes mandates on how passwords should be generated, used, stored, and changed, as well as instructions for handling password compromises.
Blank or easily guessed passwords (such as “password”) are never permitted for any account, no matter how trivial. Passwords should not contain dictionary words such as “kitchen” or “automotive.”
Passwords must be complex, containing at least eight characters and a mixture of lowercase, uppercase, numbers, and punctuation characters. For instance, “B3llt0Wer!” should be used in place of “Belltower,” as it is considerably more secure.
Passwords should never contain security-sensitive information, such as an employee’s social security number or date of birth. They also should not include public information related to an employee’s personal life, such as the names of their children, hobbies, favorite sports team, etc.
Use different passwords on different systems. For example, a Windows account password should not be the same as a QuickBooks password. It is especially critical that external accounts (such as on third-party websites such as Salesforce.com) do not have the same passwords as internal accounts, to protect from data breaches against these external targets.
Passwords used on company systems should never correspond with employee personal account passwords (e.g., Windows account and Gmail account passwords must be separate).
Users must not write passwords down or send passwords through email/instant messaging services.
The IT department will not ask users for their passwords but will instead set temporary passwords for employees who can’t log into their accounts.
Employees should consider using a password management program like LastPass, KeePass, or Password Safe to store their passwords in a central encrypted database secured by a master password (which is subject to the same guidelines described here). If such a program is used, it should be configured to auto-lock when the system is idle and to clear any passwords in the clipboard when not in use.