Passwords are a critical component of information security. Passwords serve to protect user accounts; however, a poorly constructed password may compromise individual systems, data, or network. This guideline provides best practices for creating secure passwords.
The purpose of these guidelines is to provide best practices for the creation of strong passwords.
This guideline applies to employees, contractors, consultants, temporary and other workers, including all personnel affiliated with third parties. This guideline applies to all passwords including but not limited to user-level accounts, system-level accounts, web accounts, email accounts, screen saver protection, voicemail, and local router logins.
Strong passwords are long; the more characters you have, the stronger the password. We recommend a minimum of 14 characters in your password. Also, we highly encourage the use of passphrases, passwords made up of multiple words. Examples include “It’s time for vacation” or “block-curious-sunny-leaves.” Passphrases are both easy to remember and type yet meet the strength requirements. Poor or weak passwords have the following characteristics:
In addition, every work account should have a different, unique password. To enable users to maintain multiple passwords, we highly encourage using ‘password manager’ software authorized and provided by the organization. Whenever possible, also enable the use of multi-factor authentication.
5.1 Compliance Measurement
The Infosec team will verify compliance with this policy through various methods, including but not limited to periodic walk-thrus, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
The Infosec team must approve any exception to the policy in advance.
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Revised: March 14th, 2018