Password policy
Introduction
Weak passwords can be easily compromised using off-the-shelf software or public data breaches. The same credentials used across multiple sites or systems are especially vulnerable.
Objective
To ensure the confidentiality and use of strong and unique passwords.
Scope
This policy applies to all staff and users of the company’s network and information systems. Staff are encouraged to apply these principles for both business and personal use.
Policy
- A password management system should be used where possible
- Passwords must be strong and unique (minimum 8 characters)
- Administrator passwords should be minimum 12 characters
- Passphrases combining random words are recommended (eg Red-Fish-Book)
- Passwords are confidential and must not be disclosed
- Passwords should be stored securely if necessary
- The same password should not be used across websites, systems and services
- Passwords should be changed promptly if there is evidence of compromise
- Default system passwords should be changed at installation
- Temporary passwords should be changed at first use
- Shared administration passwords should be changed regularly
- Multi-factor authentication should be used where available
- Staff are encouraged to check if their account(s) have been compromised in a data breach
tjcmorgan 