Password Policy




Overview

 

Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of ’s entire corporate network. As such, all employees (including contractors and vendors with access to ’s systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

 

Purpose

 

The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.

 

Scope

 

The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any facility, has access to the  network, or stores any non-public  information.

 



Policy

 

Password Heading - Passwords for  IT resources shall be subject to the following rules:

 

        No Passwords shall be spoken, written, emailed, hinted at or in any way known to anyone other than the user involved. This includes supervisors, personal assistants and IT support staff.

 

        No Passwords shall be shared in order to “cover” for someone out of the office.

 

        Passwords shall not be a name, address, date of birth, username, nickname, or any term that could easily be guessed by someone who is familiar with the user.

 

        Passwords shall not be displayed at the user’s workplace.

 

Password Composition - All end user passwords shall comply with the requirements stated below:

 

        Should comprise a minimum of 8 characters.

 

        Password shall contain characters from 3 of the following 4 categories.

 

o   English upper case characters (A…Z)

o   English lower case characters (a…z)

o   Numerals (0…9)

o   Special characters (!, @, #, $, %, ^, &, *, (, ), -)
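
As an added example (not part of the original policy), the composition requirements and the rule against easily guessed personal terms could be checked when a password is set, as sketched here. The personal_terms parameter and the case-insensitive substring match are assumptions of the example; the policy does not say how such terms are obtained or compared.

```python
import string

# Special characters from the policy's list; the entry between ^ and * is
# taken to be &. Anything else (spaces, accented letters, other symbols)
# counts toward no category.
POLICY_SPECIALS = set("!@#$%^&*()-")
MIN_LENGTH = 8
REQUIRED_CATEGORIES = 3


def categories_used(password):
    """Return the set of policy categories present in the password."""
    found = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            found.add("upper")
        elif ch in string.ascii_lowercase:
            found.add("lower")
        elif ch in string.digits:
            found.add("digit")
        elif ch in POLICY_SPECIALS:
            found.add("special")
    return found


def check_password(password, personal_terms=()):
    """Return a list of policy violations; an empty list means compliant.

    personal_terms: username, name, nickname, date of birth and similar
    values for the user (hypothetical parameter, an assumption of this
    example). Matching is a case-insensitive substring test, which is
    stricter than the policy's wording.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if len(categories_used(password)) < REQUIRED_CATEGORIES:
        problems.append("fewer than 3 of the 4 character categories")
    lowered = password.lower()
    for term in personal_terms:
        # Ignore very short terms to avoid rejecting on incidental matches.
        if len(term) >= 3 and term.lower() in lowered:
            problems.append("contains personal term: " + term)
    return problems
```

Characters outside the four listed categories are accepted but do not help satisfy the 3-of-4 requirement, so a long password made only of lower case letters and spaces is still rejected.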

Password Change - Passwords are to be changed:

 

        After first login

 

        After a period not exceeding 45 days

 

        If it is suspected/known that it has been compromised