This policy describes the procedure to select and securely manage passwords at Social Workshop Ltd.
This policy applies to all staff and contractors who have or are responsible for an account (or any form of access that supports or requires a password) on any system belonging to, used by, or managed by, Social Workshop Ltd.
Access keys are also included within the scope of this policy, but the policy does not extend to public/private key pairs or API keys for interactions between autonomous systems.
Roles and Responsibilities
The Compliance Team will facilitate and maintain this policy and ensure all employees have reviewed and read the policy.
If a password is suspected of being compromised, the password in question should be rotated and the Compliance Manager should be notified immediately.
- Default system usernames and passwords are not to be used
- For example; root or administrator
- Named user accounts must be issued for each human user of a system
- User accounts must never be used by a team or group of users
- Complex passwords are required where possible. Complex passwords have at least 10 characters, 1+ uppercase letter(s), 1+ lowercase letter(s), 1+ non-alphanumeric character(s)
- Users should use randomly generated passwords from a password manager when creating passwords
- Whenever possible, passwords should be set to expire and require change no later than 90 days after being set
- All password must be unique
- Passwords must have at least 8 characters
- Do not reuse previously used passwords or their variants
- Do not use commonly used passwords
- Passwords must not be a dictionary word
- Passwords must not contain all or part of the user’s name or job function, or any term (like a birthday, a partner’s name or a street address) that could be easily guessed or researched
- Simple substitutions (such as 1 for i, 0 for O, 5 for s etc.) in recognisable words – i.e. words found in a dictionary – afford no real protection and must not be relied on.
- Where pins are used the pin should be a minimum of 6 characters
- MFA (multi-factor authentication) must be enabled for any and all systems that provide the option for Multi-Factor Authentication (MFA)
- All passwords are treated as confidential information and should not be shared with anyone. If you receive a request to share a password, deny the request and contact the system owner for assistance in provisioning an individual user account.
- If you are required to maintain your own secret authentication information, you will be provided initially with a unique, individual, and secure temporary secret authentication information in a secure manner, which you must acknowledge its receipt, and change on first use.
- Do not write down passwords, store them in emails, electronic notes, or mobile devices, or share them over the phone. If you must store passwords electronically, do so with a password manager that has been approved by Social Workshop Ltd.
- Social Workshop Ltd’s approved password managers are: Lastpass, 1Password, Dashlane.
- If you absolutely must share a password, do so through the approved password manager or grant access to an application through a single-sign-on (SSO) provider.
- If you suspect a password has been compromised, rotate the password immediately and notify the Compliance Manager/Officer for further instructions. Do not try to cover up the incident or ignore it. Information security is a vital factor in the continued success and survival of the Organisation and by ignoring a breach of these requirements it could put jobs at risk.
- Passwords stored in systems must be stored with a unique salt and as a one-way hash using an approved password hashing algorithm (pbkdf2, bcrypt, scrypt) and an HMAC-SHA256
- Where possible login attempts are to be limited to 3 before a timeout or account lock to prevent brute force attacks
- An employee or contractor found to have violated this policy may be subject to disciplinary action.
|Version||Date||Editor||Description of Changes|
|V1||August 15th, 2022||Social Workshop Ltd||Initial Creation|
|V1.1||August 30th, 2022||Social Workshop Ltd||Publication|