Password Policy Template & Guidelines

A password policy is a set of rules designed to improve information security by requiring users to create and handle strong passwords. You can adopt a password policy as part of your organization's information security policy. I am using this password policy, and the reference policies it points to, in my job role.

Password Policy

I created this password policy for my current organization and am now publishing it for the Internet community. You can use this policy in your internal documents freely. If you want to add something of value to this policy, let me know in the comments.

1. Overview

Passwords are a critical component of information security: they are often the only control standing between an attacker and a user's information, systems, devices or data. A poorly constructed or poorly protected password can therefore lead to the compromise of individual systems and data, and of the company's on-premises or cloud infrastructure.

2. Purpose

The purpose of this policy is to establish password best practices that protect the systems of individuals, <Company Name>, clients and vendors. The policy further requires strong passwords, password history, password age, minimum password length, password complexity and secure (hashed, non-reversible) password storage.

3. Scope

This policy applies to employees, contractors, consultants, temporary and other workers, including all authorized personnel who use passwords on behalf of the organization. It covers all passwords, including but not limited to user-level accounts, system-level accounts, web accounts, e-mail accounts, screen saver protection, voicemail and local router logins.

4. Policy

This policy applies to the entire lifecycle of a password, from creation to deletion. The rules below must be followed.

4.1 General

  • Strong Passwords – Use a random password generator or an authorized password manager to create strong passwords. A minimum password length combined with complexity requirements is mandatory.
  • Enforce Password History – As an administrator, enforce password history on your network, cloud platforms and applications. A password reuse limit must be defined and history enforcement must be enabled in the system: users cannot reuse any of their last 12 passwords.
  • Password Age – Define a minimum and a maximum password age for all passwords. Under this policy all passwords expire after 60 days (see 4.6 for the caveats on forced expiration). A minimum age (for example one day) stops a user from cycling through 12 throw-away passwords in a minute to get back to an old favourite.
  • Minimum Password Length – Enforce a minimum password length in all systems and applications. A minimum of 14 characters is mandatory.
  • Password Complexity – Passwords must include lower-case and upper-case letters, digits and special characters. A random password generator produces passwords that satisfy these requirements automatically.
  • Password Storage – Never store passwords in plaintext or with reversible encryption. Passwords must be stored as salted hashes computed with a deliberately slow password-hashing function (for example PBKDF2, bcrypt, scrypt or Argon2, in line with NIST SP 800-63B). Where a system offers a "store passwords using reversible encryption" option, it must remain disabled.

4.2 Password Security Standards

This policy draws on the following password security standards. Several standards are referenced because different systems, cloud services and applications fall under different industry requirements.

  1. NIST Special Publication 800-63B (NIST SP 800-63B)
  2. Payment Card Industry Data Security Standard (PCI DSS)
  3. ISO/IEC 27002 Information Security Standard
  4. CIS Password Policy Guide
  5. NERC Critical Infrastructure Protection (NERC-CIP)
  6. HIPAA Security Rule

4.3 Password Creation

  • Use a passphrase rather than a single word.
  • Create passwords according to the password construction guidelines in this section.
  • Users must use a separate, unique password for each of their work-related accounts.
    • Users may not use any work-related password for their own personal accounts.
  • Do not use a single word from any language, slang, dialect or jargon; dictionary words are the first thing a password-cracking tool tries.
  • Do not base passwords on personal information such as the names of family members.
    • Birthdays, addresses, phone numbers and similar personal details must also be avoided.
    • Avoid keyboard and number patterns such as aaabbb, qwerty, zyxwvuts or 123321.
  • Passwords must contain at least 14 characters.
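The construction rules in 4.1 and 4.3, together with the password-history and storage requirements of 4.1, as an added example that is not part of the original policy. It checks length, character classes, banned dictionary words, personal information and keyboard patterns, keeps the history as salted scrypt hashes (never reversible encryption), and refuses any of the last 12 passwords. The banned-word list, the sample user details and the candidate passwords are constructed for the example; a real deployment would load a breached-password list instead of the six words shown.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re

MIN_LENGTH = 14      # 4.1 / 4.3: at least 14 characters
HISTORY_DEPTH = 12   # 4.1: none of the last 12 passwords may be reused
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)  # slow, salted hash parameters (example values)

# Constructed stand-in for the banned-word / breached-password list a real deployment would load.
BANNED_WORDS = {"password", "welcome", "company", "summer", "admin", "secret"}

# Keyboard walks and sequences, checked in both directions four characters at a time.
SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "abcdefghijklmnopqrstuvwxyz", "0123456789"]


def has_pattern(pw: str, run: int = 4) -> bool:
    """True if pw contains a keyboard walk, an alphabetic/numeric sequence (either direction)
    or a character repeated three or more times, e.g. aaabbb, qwerty, zyxwvuts, 123456."""
    low = pw.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            if any(s[i:i + run] in low for i in range(len(s) - run + 1)):
                return True
    return re.search(r"(.)\1\1", low) is not None


def check_construction(pw: str, personal: list[str]) -> list[str]:
    """Return the list of 4.1/4.3 violations; an empty list means the password is acceptable."""
    problems: list[str] = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_lower = any(c.islower() for c in pw)
    has_upper = any(c.isupper() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_special = any(not c.isalnum() for c in pw)   # punctuation or space (passphrases allowed)
    if not (has_lower and has_upper and has_digit and has_special):
        problems.append("must contain lower-case, upper-case, digit and special characters")
    if any(word in BANNED_WORDS for word in re.findall(r"[a-z]+", low)):
        problems.append("contains a banned dictionary word")
    for item in personal:                             # names, birth year, phone number, ...
        if item and item.lower() in low:
            problems.append(f"contains personal information ({item})")
    if has_pattern(pw):
        problems.append("contains a keyboard walk, sequence or repeated characters")
    return problems


def hash_password(pw: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Store passwords only as salted slow hashes, never with reversible encryption."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.scrypt(pw.encode("utf-8"), salt=salt, **SCRYPT)


def in_history(pw: str, history: list[tuple[bytes, bytes]]) -> bool:
    """True if pw matches any of the last HISTORY_DEPTH stored (salt, digest) pairs."""
    return any(
        hmac.compare_digest(hash_password(pw, salt)[1], digest)
        for salt, digest in history[-HISTORY_DEPTH:]
    )


def change_password(new_pw: str, personal: list[str],
                    history: list[tuple[bytes, bytes]]) -> list[str]:
    """Password-change check: returns violations; on success appends the new hash to history."""
    problems = check_construction(new_pw, personal)
    if in_history(new_pw, history):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    if not problems:
        history.append(hash_password(new_pw))
    return problems


if __name__ == "__main__":
    # Constructed sample user and candidate passwords.
    personal = ["Alice", "Smith", "1985"]
    history: list[tuple[bytes, bytes]] = []
    for candidate in ["Welcome2024!!", "AliceSmith1985!!xy", "Qwerty123456!!Xa", "Teal!Harbor-Llama7"]:
        print(candidate, "->", change_password(candidate, personal, history) or "accepted")
    print("Teal!Harbor-Llama7 again ->", change_password("Teal!Harbor-Llama7", personal, history))
```

The history check re-hashes the candidate with each stored salt, which is what makes a non-reversible store compatible with a reuse limit: the system never needs the old passwords themselves, only their salted hashes.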

4.4 Change Password

A maximum password age must be defined and all passwords must be changed before it is reached. Common practice sets the maximum age between 42 and 90 days; this policy uses 60 days (see 4.1).

  • Change known default passwords set by vendors, application developers or testing teams before a system goes into production.
  • Administrators should force users to change their password on first login.

4.5 Password Protection

Users must use different passwords for different accounts.

  • Passwords must not be shared with anyone, including supervisors and coworkers. All passwords are to be treated as sensitive, confidential <Company Name> information.
  • Passwords must not be written into e-mail messages, chats or other forms of electronic communication, nor revealed over the phone to anyone.
  • Passwords may be stored only in password managers authorized by the organization.
  • Do not hint at the format of a password (e.g., "my family name", "my country name" or "my pet name").
  • Do not use the "Remember Password" feature of applications (for example, web browsers).
  • Users must report a suspected compromise as a security incident and change all affected passwords immediately.

4.6 Password Expiration

Password expiration is a dying concept (NIST SP 800-63B advises against forcing periodic changes unless there is evidence of compromise), but it still needs to be set up for legacy applications and systems and to satisfy compliance requirements. Password expiration means the organization requires its workforce to change passwords every 42, 60 or 90 days. Where it is used, apply it together with the following.

  • Administrators should audit accounts whose password is set to never expire and remediate them.
  • A simple expiry policy on its own can increase the risk of compromise: users forced to rotate frequently tend to make small, predictable changes (such as incrementing a trailing digit), so an attacker who holds an old password can guess the current one.
  • <Company Name> implements password expiration where it is required to meet compliance standards.

4.7 Account Lockout

In order to limit attempts at guessing passwords or compromising accounts, an account lockout policy must be configured.

  • Account lockout duration determines how long an account stays locked; after it elapses the account unlocks automatically (in Windows account policies, a duration of 0 keeps the account locked until an administrator unlocks it).
  • Account lockout limits brute-force and password-guessing attacks. It does not prevent denial of service; on the contrary, an attacker who knows a username can deliberately trigger the lockout against a legitimate user, so the threshold and duration must balance the two risks, and per-source throttling should be used alongside per-account lockout.
  • The account lockout threshold is configured to meet compliance requirements. It determines the number of failed sign-in attempts that cause a user account to be locked; the companion "reset lockout counter" setting controls how long failed attempts keep counting toward that threshold.
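The three lockout settings described in 4.7, as an added example that is not part of the original policy. It tracks failed sign-ins per account, locks the account when the threshold is reached within the reset window, releases the lock when the duration elapses, and shows the denial-of-service side effect: a correct password is refused while the lock is in force. Password verification itself is outside the example (the caller passes the result in as `credential_ok`); the account names, timestamps and the 5 / 900 s / 900 s values are constructed for the demonstration.

```python
from __future__ import annotations

import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int = 5       # failed sign-ins before lockout ("Account lockout threshold")
    duration: int = 900      # seconds the lock lasts ("Account lockout duration"); 0 = until an admin unlocks
    reset_window: int = 900  # seconds after which the failure counter is cleared ("Reset account lockout counter after")


class LockoutTracker:
    """Per-account failed-attempt counter with time-based lockout and automatic counter reset.
    `now` is passed in by the caller (unix seconds) so the behaviour is testable without sleeping."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self._failures: dict[str, list[float]] = defaultdict(list)  # account -> failure timestamps
        self._locked_until: dict[str, float] = {}                   # account -> time the lock expires

    def is_locked(self, account: str, now: float) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:            # lock has expired: clear it and the counter
            del self._locked_until[account]
            self._failures[account].clear()
            return False
        return True

    def admin_unlock(self, account: str) -> None:
        """Manual release, the only way out when duration == 0."""
        self._locked_until.pop(account, None)
        self._failures[account].clear()

    def attempt(self, account: str, credential_ok: bool, now: float) -> str:
        """Record one sign-in attempt and return 'ok', 'bad_password' or 'locked'.
        A locked account is refused even when the credential is correct; this is the
        denial-of-service side effect, because anyone who knows the username can trigger it."""
        if self.is_locked(account, now):
            return "locked"
        if credential_ok:
            self._failures[account].clear()   # a good login resets the counter
            return "ok"
        recent = self._failures[account]
        recent[:] = [t for t in recent if now - t < self.policy.reset_window]  # forget old failures
        recent.append(now)
        if len(recent) >= self.policy.threshold:
            lock_for = math.inf if self.policy.duration == 0 else self.policy.duration
            self._locked_until[account] = now + lock_for
            return "locked"
        return "bad_password"


if __name__ == "__main__":
    tracker = LockoutTracker(LockoutPolicy(threshold=5, duration=900, reset_window=900))
    t0 = 1_700_000_000  # constructed start time
    for i in range(5):  # attacker guesses alice's password five times
        print("guess", i + 1, "->", tracker.attempt("alice", credential_ok=False, now=t0 + i))
    print("alice, correct password during lockout ->", tracker.attempt("alice", True, now=t0 + 10))
    print("alice, correct password after 900 s    ->", tracker.attempt("alice", True, now=t0 + 905))
```

Because `attempt()` refuses a correct credential while the lock is in force, the same mechanism that slows a brute-force attacker also lets that attacker lock out the real user; that is the trade-off behind choosing a threshold, and why per-source rate limiting is used alongside per-account lockout.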

4.8 Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA) is one of the simplest and most effective ways to secure any authentication flow, because a stolen or guessed password alone is no longer enough to sign in.

  • Something you know, such as a password or passphrase. This factor verifies information the user provides, such as a password/passphrase or PIN code. Answers to secret questions (challenge-response) also fall in this category, but they are weak and NIST SP 800-63B no longer permits them as an authenticator.
  • Something you have. This factor verifies a specific item in the user's possession, such as a mobile phone, a one-time password (OTP) token, or a phone call. For mobile authentication, a smartphone usually provides the possession factor through an OTP app or through cryptographic material (a certificate or key, as used by app-based verification on the device).
  • Something you are, such as a fingerprint or face recognition (biometrics), which some platforms support as a third factor.
  • Improved security: the primary benefit of multi-factor authentication is that it adds protection in layers.
  • Another major benefit of multi-factor authentication is meeting the compliance requirements that apply to <Company Name>, which in turn mitigates audit findings and avoids potential fines.
  • Users should enable MFA themselves, or the information security administrator should enforce it, on all supported platforms.

4.9 Password Deletion

All passwords and accounts that are no longer needed must be deleted or disabled immediately. Administrators should do the following:

  • Disable or delete the account when a user retires, quits, is reassigned, released or dismissed.
  • Change default passwords immediately on all equipment.

5. Individual Responsibilities

Individuals are responsible for keeping passwords secure and confidential.

6. Password Policy Compliance

Administrators should monitor password compliance and conduct security audits, including reviews of users' last login times to find dormant accounts.

6.1 Compliance Measurement

The Information security team should verify compliance to this policy through automated or manual internal and external audits.

6.2 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

  • Administrators should monitor and audit failed login attempts.
  • Any exception to this policy must be approved by the information security team in advance.

Password Policy References

  • I created my own Password Security Standard for my information security policy.
  • If your organization is using passwordless authentication, please read the passwordless authentication policy.