Password Policy

If a password is suspected of being compromised, the password in question should be rotated and the Compliance Manager should be notified immediately.

Password Requirements

• Default system usernames and passwords are not to be used
  • For example; root or administrator
• Named user accounts must be issued for each human user of a system
  • User accounts must never be used by a team or group of users
• Complex passwords are required where possible. Complex passwords have at least 10 characters, 1+ uppercase letter(s), 1+ lowercase letter(s), 1+ non-alphanumeric character(s)
• Users should use randomly generated passwords from a password manager when creating passwords
• Whenever possible, passwords should be set to expire and require change no later than 90 days after being set
• All passwords must be unique
• Passwords must have at least 8 characters
• Do not reuse previously used passwords or their variants
• Do not use commonly used passwords
• Passwords must not be a dictionary word
• Passwords must not contain all or part of the user’s name or job function, or any term (like a birthday, a partner’s name or a street address) that could be easily guessed or researched
• Simple substitutions (such as 1 for i, 0 for O, 5 for s etc.) in recognisable words – i.e. words found in a dictionary – afford no real protection and must not be relied on.
• Where pins are used the pin should be a minimum of 6 characters

MFA Requirements

• MFA (multi-factor authentication) must be enabled for any and all systems that provide the option for Multi-Factor Authentication (MFA)

Password Protection

• All passwords are treated as confidential information and should not be shared with anyone.  If you receive a request to share a password, deny the request and contact the system owner for assistance in provisioning an individual user account.
• If you are required to maintain your own secret authentication information, you will be provided initially with a unique, individual, and secure temporary secret authentication information in a secure manner, which you must acknowledge its receipt, and change on first use.
• Do not write down passwords, store them in emails, electronic notes, or mobile devices, or share them over the phone.  If you must store passwords electronically, do so with a password manager that has been approved by Social Workshop Ltd.
• Social Workshop Ltd’s approved password managers are: Lastpass, 1Password, Dashlane.
• If you absolutely must share a password, do so through the approved password manager or grant access to an application through a single-sign-on (SSO) provider.
• If you suspect a password has been compromised, rotate the password immediately and notify the Compliance Manager/Officer for further instructions.  Do not try to cover up the incident or ignore it.  Information security is a vital factor in the continued success and survival of the Organisation and by ignoring a breach of these requirements it could put jobs at risk.
• Where possible login attempts are to be limited to 3 before a timeout or account lock to prevent brute force attacks

Enforcement

• An employee or contractor found to have violated this policy may be subject to disciplinary action.