ABC Company
PASSWORD POLICY

Policy Area: IT Policy Library
Approved Date: December 31, 20XX
Approved By: 20XX Policy Committee
Effective Date: January 1, 20XX
Current Version: 1.0
I. OVERVIEW
Computer accounts are used to grant access to ABC Company's Information Systems. The process of creating, controlling, and monitoring computer accounts is extremely important to an overall security program.
II. PURPOSE
Identification and authentication access controls play an important role in helping to protect Information Systems. The purpose of this policy is to protect Information Systems by defining requirements for new passwords and changes to passwords.

III. SCOPE
This policy applies to all ABC Company Staff that utilize Information Systems with IDs and passwords (credentials). This policy applies whether Staff is using ABC Company Information Systems, Staff owned devices or Company approved devices for work, or Staff use Information Systems of third party service providers for work related activities.
IV. POLICY
The Chief Security Officer (CSO) shall ensure:
- Policies and procedures manage the process of creating, changing, and safeguarding passwords/phrases.
- Policies and procedures prevent Staff from sharing passwords/phrases with others.
- Procedures advise Staff to commit their passwords/phrases to memory and not allow them to be written down.
- Policies and procedures govern the password/phrase change frequency.
- Policies and procedures dictate when passwords/phrases must be supplemented with additional access controls such as tokens and biometrics.
This Policy applies to all ABC Company related authentication activities including, but not limited to, the following:
- Administrator accounts.
- User accounts.
- Network infrastructure devices (e.g. firewalls, routers, wireless access points, etc.).
- Third party service providers.
- Web applications.
- Screen savers.
- Mobile devices.

Page 1 of 4
A. NEW USER ACCOUNTS
When granting access for a new user account, System administrators will establish a unique ID and unique password/phrase. The user password will be conveyed to the user in a secure manner. When the user logs on for the first time, the user will be required to change their initial password/phrase to something that meets the requirements of this policy.
B. SELECTING PASSWORDS/PHRASES
Phrases are not the same as passwords. A phrase is a longer version of a password and is typically composed of multiple words. The phrase "We're off to see the wizard, The Wonderful Wizard of Oz" can be converted to WotstwTWWoO. By converting some letters to numbers and special characters the phrase is even more secure.
When selecting a new password/phrase, system administrators and users must select passwords/phrases that are long, strong, and complex. Where possible, Staff shall choose passwords/phrases that meet the following requirements:
- Contain both upper and lower case characters (e.g., a-z, A-Z).
- Include both numbers (0-9) and special characters (e.g. >, ?, @).
- Have a minimum of at least 10 characters, preferably 1[digit illegible] characters long, and be a phrase.
- Where possible, use different passwords/phrases for general office activities (e.g. e-mail, file access) vs. systems that store sensitive or confidential data.
(ta $)o"ld not c)oo$e pa$$ord$p)ra$e$ t)at Incl"de common ord$ $"c) a$ t)o$e o"nd in a dictionary% Are t)e $ame a$ pa$$ord$p)ra$e$ "$ed on (ta per$onal acco"nt$ .e%&% per$onal e; mail, on;line banin&, or $ocial media/% Contain per$onal inormation $"c) a$ a $po"$e or pet'$ name, $ocial $ec"rity n"mber, driver9$ licen$e n"mber, $treet addre$$, p)one n"mber, etc% Contain $e+"ence$ or repeated c)aracter$% or e*ample, 123, 3333, etc%
Staff with special system privileges, assigned by a transaction, program, process, or group membership, should select a password/phrase that is unique from those of the other accounts held by that individual.

C. PASSWORD/PHRASE GUIDELINES
Staff shall follow these security guidelines to ensure passwords/phrases are not compromised. Security training and awareness programs shall ensure Staff is:
- Educated on security related risks.
- Reminded of security requirements when selecting and protecting passwords/phrases.
- Educated not to select the "Remember Me" or "Remember Password" feature in web applications and browsers.
- Reminded to be careful when using social media so the password/phrase is not compromised.
Passwords/phrases must not be:
- Revealed to anyone.
- Stored, written down, or transmitted in clear (unencrypted) text.
- Inserted into unencrypted e-mail messages or other forms of electronic communications.
If a Staff member believes that their password/phrase has been compromised or made available to others, the Staff member must immediately change their password and notify IT security Staff. If someone demands a password, refer them to this policy or have them contact the IT Department.

D. PASSWORD/PHRASE CHANGES
Passwords/phrases must be changed on a regular basis according to the following schedule:
- All administrator passwords/phrases must be changed at least every 30 days.
- All user passwords/phrases must be changed at least every 90 days.
When selecting a new password/phrase, Staff shall not repeat any of their prior five passwords/phrases.

E. SOFTWARE APPLICATIONS
Application developers must ensure programs contain the following security precautions:
- Applications must require each user to have their own unique ID (e.g. not shared, no user groups).
- Passwords/phrases and Sensitive Information must be protected using strong encryption.
- Passwords/phrases and Sensitive Information must not be transmitted or stored in clear text.
- Ensure applications time out and require the user to enter a password/phrase after a period of inactivity.
V. ENFORCEMENT
Any Staff member found to have violated this policy may be subject to disciplinary action, up to and including termination.
VI. DISTRIBUTION
This policy is to be distributed to all Staff members with access to ABC Company's Information Resources.

Policy History
Version: 1.0
Date: 1/1/20XX
Description: Initial policy release
Approved By: