Password Management

• Passwords should be at least 10 characters long;
• A password history is enforced. Meaning a user cannot use the last 24 passwords they have set in the past;
• Passwords should be comprised of a mix of letters, numbers, and special characters (punctuation marks and symbols);
• Passwords should be comprised of a mix of upper and lower case characters;
• Passwords should not be comprised of, or otherwise utilize, words that can be found in a dictionary;
• Passwords should not be comprised of an obvious keyboard sequence (i.e., qwerty);
• Passwords should not include "guessable" data such as personal information about yourself, your spouse, your pet, your children, birthdays, addresses, phone numbers, locations, etc.

• Users must not disclose their passwords to anyone
• Users must not share their passwords with others (co-workers, supervisors, family, etc.)
• Users must not write down their passwords and leave them unsecured
• Users must not check the "save password" box when authenticating to applications
• Users must not use the same password for different systems and/or accounts
• Users must not send passwords via email
• Users must not re-use passwords on more than one system/application

To maintain good security, passwords should be periodically changed. This limits the damage an attacker can do as well as helps frustrate brute force attempts. At a minimum, users must change passwords every 90 days. The organization may use software that enforces this policy by expiring users' passwords after this period. your organization uses an IdP solution for enforcing password change. Once a password has been changed it cannot be changed again for 15 days.

Passwords are made inactive or changed to a strong random one when the employee is leaving your organization.

Since the compromise of a single password can have a catastrophic impact on your organization's security, it is the user's responsibility to immediately report any suspicious activity involving his or her passwords to the Security Team. Any request for passwords over the phone or email, whether the request came from organization personnel or not, should be expediently reported. When a password is suspected to have been compromised, the Security Team will request that the user, or users, change all his or her passwords.

• Passwords must be stored and transmitted securely;
• Default system or application passwords must be changed for Production environments;
• Password can be stored in a Password Management solution;
• The password manager encrypts the password with a master password and an encryption key.

Application developers must ensure their programs contain the following security precautions:

• Applications must support authentication of individual users, not groups;
• Applications must not have hardcoded, backdoors, persisted password, or access;
• Applications must provide role management, such that one user can take over the functions of another without having to know the other's password;
• Applications must ensure access to Protected data only to entities that have the right access, the right password, and also have MFA enabled.