Security Policy
  • Data Protection Standard
  • General
    • Acceptable Encryption Policy
    • Acceptable Use Policy
    • Data Breach Response Policy
    • Data Classification Policy
    • Disaster Recovery Plan Policy
    • Email Policy
    • Password Construction Guidelines
    • Password Protection Policy
    • Security Response Plan Policy
  • Network Security
    • Remote Access Policy
    • Remote Access Tools Policy
  • Server Security
    • Database Credentials Coding Policy
    • Information Logging Standard
    • Server Security Policy
Powered by GitBook
On this page
  • 1. Overview
  • 2. Purpose
  • 3. Scope
  • 4. Statement of Guidelines
  • 5. Policy Compliance
  • 5.1 Compliance Measurement
  • 5.2 Exceptions
  • 5.3 Non-Compliance
  • 6. Related Standards, Policies and Processes
  • 7. Definitions and Terms
  • 8. Revision History

Was this helpful?

  1. General

Password Construction Guidelines

1. Overview

Passwords are a critical component of information security. Passwords serve to protect user accounts; however, a poorly constructed password may result in the compromise of individual systems, data, or network. This guideline provides best practices for creating secure passwords.

2. Purpose

The purpose of these guidelines is to provide best practices for the creation of strong passwords.

3. Scope

This guideline applies to employees, contractors, consultants, temporary and other workers, including all personnel affiliated with third parties. This guideline applies to all passwords including but not limited to user-level accounts, system-level accounts, web accounts, email accounts, screen saver protection, voicemail, and local router logins.

4. Statement of Guidelines

Strong passwords are long, the more characters you have the stronger the password. We recommend a minimum of 14 characters in your password. In addition, we highly encourage the use of passphrases, passwords made up of multiple words. Examples include “It’s time for vacation” or “block-curious-sunny-leaves”. Passphrases are both easy to remember and type, yet meet the strength requirements. Poor, or weak, passwords have the following characteristics:

  • Contain eight characters or less.

  • Contain personal information such as birthdates, addresses, phone numbers, or names of family members, pets, friends, and fantasy characters.

  • Contain number patterns such as aaabbb, qwerty, zyxwvuts, or 123321.

  • Are some version of “Welcome123” “Password123” “Changeme123”

In addition, every work account should have a different, unique password. To enable users to maintain multiple passwords, we highly encourage the use of ‘password manager’ software that is authorized and provided by the organization. Whenever possible, also enable the use of multi-factor authentication.

5. Policy Compliance

5.1 Compliance Measurement

The DevSecOps team will verify compliance to this policy through various methods, including but not limited to, periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions

Any exception to the policy must be approved by the DevSecOps team in advance.

5.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

6. Related Standards, Policies and Processes

None.

7. Definitions and Terms

None.

8. Revision History

Date of Change

Responsible

Summary of Change

October 2020

GetCraft DevSecOps Team

Initial version

PreviousEmail PolicyNextPassword Protection Policy

Last updated 4 years ago

Was this helpful?