Objective
This password policy establishes the required standards for creating, storing, and maintaining passwords within the organization to ensure the security of sensitive data, information systems, and user accounts. The policy aligns with industry best practices and regulatory compliance requirements to mitigate risks associated with unauthorized access.
Scope
This policy applies to all employees, contractors, vendors, and third parties who access the organization’s systems, platforms, or networks. Password standards outlined here are mandatory for all users interacting with organizational IT assets, including but not limited to desktops, laptops, mobile devices, applications, cloud platforms, and network equipment.
General Requirements
-
Password Complexity:
- Passwords must contain at least 12 characters.
- Passwords must include characters from at least three of the following categories:
- Uppercase letters (A–Z)
- Lowercase letters (a–z)
- Numbers (0–9)
- Special characters (e.g., !@#$%^&*)
- Passwords must not include dictionary words, proper nouns, usernames, or easily guessable patterns (e.g., "password123", "qwerty").
-
Unique Passwords:
- Passwords must be unique for each system or application. Reuse of passwords across organizational and non-organizational systems (e.g., personal email) is strictly prohibited.
-
Password Expiration:
- Passwords must be changed every 90 days.
- Users will be notified 14 days before password expiration.
-
Password History:
- The system must maintain a history of the last 12 passwords, preventing users from reusing old passwords.
-
Temporary Passwords:
- Temporary passwords must be randomly generated, meet the password complexity requirements, and expire within 24 hours.
Account Lockout and Authentication
-
Account Lockout Policy:
- Accounts will be locked after 5 consecutive failed login attempts.
- The lockout duration will be set to 30 minutes, after which accounts will unlock automatically. Alternatively, account unlocking can be initiated by a designated administrator after verification of identity.
-
Multi-Factor Authentication (MFA):
- All user accounts must be secured with MFA. Approved forms of MFA include hardware tokens, software-based authenticators (e.g., Google Authenticator), or SMS-based one-time passwords if stronger methods are unavailable.
- MFA is required for both internal and external access to the corporate platform.
-
Session Timeouts:
- Sessions will automatically terminate after 15 minutes of inactivity. Users will be required to re-authenticate upon returning.
Password Storage and Transmission
-
Password Hashing:
- Passwords must be hashed using a secure, industry-standard hashing algorithm (e.g., bcrypt, Argon2) with appropriate salting.
- Systems storing credentials must enforce security controls to prevent unauthorized access to hashes.
-
Password Transmission:
- Passwords must only be transmitted over encrypted channels (e.g., TLS 1.2 or higher). Plaintext transfer of passwords is strictly prohibited.
-
Password Reset Procedures:
- Users resetting their passwords must verify their identity through a secure process (e.g., MFA and email or phone verification).
- Password reset links issued via email must expire within 30 minutes of creation.
User Training and Awareness
-
Users will be trained periodically (e.g., semi-annually) on secure password practices and risks, including:
- The dangers of phishing attacks and social engineering.
- The importance of not sharing passwords with anyone.
- Identifying and reporting suspicious login attempts or unauthorized access.
-
Administrative personnel managing user accounts must receive specialized training in account provisioning and protection measures.
Compliance Requirements
This password policy complies with the following data protection regulations and security frameworks:
- General Data Protection Regulation (GDPR) (Articles 32 and 33)
- ISO/IEC 27001:2013
- NIST SP 800-63B (Digital Identity Guidelines)
- Health Insurance Portability and Accountability Act (HIPAA) (where applicable)
Regular audits will be conducted to verify compliance with this policy, and violations may result in disciplinary actions.
Exceptions
Exemptions to this policy must be requested in writing and approved by the Chief Information Security Officer (CISO). Exceptions may only be granted for legitimate business or operational need and must include compensating controls to mitigate associated risks.
Enforcement and Review
- This password policy is effective upon publication and will be reviewed annually or in response to significant changes in the organization’s security landscape.
- Non-compliance with this policy may result in disciplinary actions, including suspension of account access.
Approved by: [Name, Title]
Date of Last Review: [DD/MM/YYYY]
Next Scheduled Review Date: [DD/MM/YYYY]
This password policy ensures a robust defense for organizational assets while maintaining usability for end-users.
