Password Creation
- All non-admin user passwords must be at least [8] characters in length. Longer passwords and passphrases are strongly encouraged.
- All admin and system-level (e.g. local system, DB password, etc.) passwords must be at least [12] characters in length and must contain three of the four character types: upper case, lower case, numbers, and special characters.
- Passwords must not contain easily guessable information, such as "password," "123456," your name, organization’s name, relative’s names, birth date, etc.
- Passwords must not be dictionary words or acronyms.
- Passwords must be completely unique, and not used for any other system, application, or personal accounts.
- Default passwords for systems, network devices, and applications must be changed immediately after installation is complete, in accordance with this password policy.
Password Management
- Passwords – including admin and system-level passwords – must be changed every [180] days. User account owners will be notified when their password is due for renewal.
- Passwords cannot be reused for a period of no less than [12] months.
- User accounts with non-expiring passwords must be documented listing the requirements for those accounts. These accounts need to adhere to the same standards as admin and system-level accounts.
- Admin account passwords must not be shared among multiple administrators. Each administrator must have their own unique account.
- After 5 unsuccessful login attempts, the account will be locked. To unlock the account, the account owner must contact the helpdesk or wait 30 minutes before trying again.
- Account owners must enable 2FA for an additional layer of security. This is mandatory for all user accounts.
- Exceptions for password policy non-compliance must not be granted for the purpose of ease of use.
Password Protection
- User account owners must not share their passwords with anyone, including colleagues, supervisors, IT personnel, etc. Each user is responsible for all activities conducted under their account.
- Passwords must not be written down or stored in plain text. Passwords must be stored using a password manager with encryption.
- Do not use the browser's or application's auto-save feature for passwords on any device.
- Passwords must not be inserted in e-mail messages or other forms of electronic communication, or revealed over the phone to anyone.
- Do not reveal your password format when setting password hints.
- Hard-coded passwords for service accounts running tasks must be encrypted – not stored in plain text – and must follow the same password change requirements as admin accounts.
- If a password is suspected to be compromised, users must change it immediately and report the suspicious event to the IT security team.