
Password and Authentication Policy

Document Information
Version {{version}}
Effective Date {{effective_date}}
Document Owner {{document_owner}}
Next Review {{next_review_date}}
Approved By {{approved_by}}

Purpose

This policy establishes password and authentication standards for {{company_name}} to ensure secure access to information systems and protect against unauthorized access.

Scope

This policy applies to all users of {{company_name}} information systems, including employees, contractors, vendors, and any third parties granted access to our systems.

Password Requirements

Minimum Standards

All passwords must meet these requirements:

  • Length: Minimum {{password_min_length}} characters
  • Complexity: Use at least {{min_password_char_types}} of the following four character types:
      • Uppercase letters (A-Z)
      • Lowercase letters (a-z)
      • Numbers (0-9)
      • Special characters (!@#$%^&*)
  • Uniqueness: Cannot reuse last {{password_history}} passwords
  • Age: Must change every {{password_max_age}} days
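The Minimum Standards above are the kind of rules an identity provider or application enforces at password-change time. The following checker is an added example, not part of the original policy or any vendor product: it applies the length, complexity, uniqueness and age rules to a candidate password. The template placeholders ({{password_min_length}} and friends) are stood in for by hypothetical constants, the password history is constructed inline, and previous passwords are compared through salted PBKDF2 hashes rather than stored in the clear.

```python
# Added example (not part of the original policy): a checker that enforces the
# Minimum Standards on a candidate password. The constants below are hypothetical
# stand-ins for the template placeholders; the reuse check works on salted PBKDF2
# hashes so previous passwords are never kept in the clear.
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

# Hypothetical values standing in for the template placeholders.
PASSWORD_MIN_LENGTH = 14      # {{password_min_length}}
MIN_PASSWORD_CHAR_TYPES = 3   # {{min_password_char_types}}
PASSWORD_HISTORY = 5          # {{password_history}}
PASSWORD_MAX_AGE = 90         # {{password_max_age}} days

# PBKDF2 work factor, kept modest so the example runs quickly.
# Production systems should use the current OWASP recommendation.
PBKDF2_ITERATIONS = 100_000

# The four character types from the policy. Any printable punctuation counts as
# "special" so the checker does not reject symbols outside the example list.
CHAR_TYPES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def char_types_present(password):
    """Names of the character types that occur at least once in password."""
    return {name for name, chars in CHAR_TYPES.items() if any(c in chars for c in password)}


def hash_password(password, salt=None):
    """Return (salt, digest) suitable for storing in the password history."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def same_password(candidate, salt, digest):
    """Constant-time comparison of candidate against a stored (salt, digest)."""
    _, cand_digest = hash_password(candidate, salt)
    return hmac.compare_digest(cand_digest, digest)


def check_password(candidate, history):
    """Return the list of policy violations for candidate (empty means compliant).

    history is a list of (salt, digest) tuples, oldest first; only the last
    PASSWORD_HISTORY entries are consulted, matching the Uniqueness rule.
    """
    problems = []
    if len(candidate) < PASSWORD_MIN_LENGTH:
        problems.append(f"shorter than {PASSWORD_MIN_LENGTH} characters")
    present = char_types_present(candidate)
    if len(present) < MIN_PASSWORD_CHAR_TYPES:
        problems.append(f"uses {len(present)} character types, need {MIN_PASSWORD_CHAR_TYPES}")
    if any(same_password(candidate, s, d) for s, d in history[-PASSWORD_HISTORY:]):
        problems.append(f"reuses one of the last {PASSWORD_HISTORY} passwords")
    return problems


def password_expired(last_changed, today):
    """True once the password is older than PASSWORD_MAX_AGE days (Age rule)."""
    return today - last_changed > timedelta(days=PASSWORD_MAX_AGE)


if __name__ == "__main__":
    # Constructed history: two previous passwords, hashed at change time.
    history = [hash_password("Winter-Sunrise-2023"), hash_password("Spring!Blossom#2024")]
    for pw in ["Coffee@9Makes$MeHappy!", "Spring!Blossom#2024", "Sh0rt!", "alllowercasebutlongenough"]:
        print(repr(pw), check_password(pw, history) or "ok")
    print("expired:", password_expired(date(2024, 1, 1), date(2024, 4, 1)))
```

The checker reports every violated rule rather than stopping at the first, which is what a user-facing error message needs; the reuse comparison uses `hmac.compare_digest` so the history lookup does not leak timing information about which stored hash matched.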

Password Best Practices

Users should:

  • Use passphrases instead of passwords (e.g., "Coffee@9Makes$MeHappy!")
  • Never use personal information (names, birthdays, addresses)
  • Use unique passwords for each system
  • Consider using a password manager approved by {{it_provider}}

Implementation Reality

These standards apply where technically feasible. We recognize that:

  • Some systems have their own password requirements we cannot change
  • Legacy applications may have technical limitations
  • Third-party services (banking, government, SaaS) control their own authentication
  • Not all systems support our preferred complexity or length requirements

Where our standards cannot be met:

  • Document the exception with the system name and limitation
  • Implement compensating controls (especially MFA where available)
  • Include in quarterly review for upgrade/replacement opportunities
  • Ensure users understand this is an exception, not the standard

Minimum Acceptable Standards

Where systems cannot meet our preferred standards, these absolute minimums apply:

Absolute Minimums

  • Length: {{exception_min_password_length}} characters (if system allows less, immediate replacement required)
  • Complexity: At least {{exception_min_char_types}} character types where the system cannot enforce {{min_password_char_types}} of the four types listed above
  • Change frequency: Annual at minimum if {{password_max_age}} days not enforceable
  • Unique passwords: Required regardless of system limitations

Required Compensations

When preferred standards cannot be met:

  • MFA mandatory: If password is weak, MFA must compensate
  • Access restrictions: Limit who can access weak-password systems
  • Additional monitoring: Increased logging and review
  • Risk acceptance: Document in risk register with compensating controls

Common Exceptions

Examples of systems that may not meet standards:

  • Legacy accounting systems (often cap passwords at {{exception_min_password_length}}-12 characters)
  • Banking portals (may have their own specific requirements)
  • Government services (often have unique rules)
  • Older equipment interfaces (printers, security systems)
  • Some SaaS applications with basic authentication

Multi-Factor Authentication (MFA)

Mandatory MFA

Multi-factor authentication is required for:

  • All remote access to company systems
  • All administrative/privileged accounts
  • Access to sensitive data repositories
  • Email and collaboration platforms
  • Financial systems

MFA Methods

Acceptable second factors include:

  • SMS codes (minimum acceptable; exposed to SIM swapping and interception, so use only where no stronger method exists and not for privileged accounts)
  • Authenticator apps (preferred for standard user accounts)
  • Hardware tokens (for high-privilege accounts; FIDO2/WebAuthn tokens are phishing-resistant, one-time-code tokens are not)
  • Biometric authentication (where available, typically as the unlock for a device-bound credential rather than as a standalone second factor)

Account Management

Account Creation

  • All accounts must be approved by {{it_provider}}
  • Default passwords must be changed on first login
  • Accounts must follow naming convention: {{account_naming_convention}}

Account Lockout

  • Accounts lock after {{lockout_threshold}} failed attempts
  • Lockout duration: {{lockout_duration}} minutes
  • Manual unlock requires IT support ticket

Account Review

  • Active accounts reviewed quarterly
  • Dormant accounts ({{dormant_days}} days inactive) disabled
  • Terminated user accounts disabled immediately

Authentication Standards

Single Sign-On (SSO)

Where implemented, SSO must:

  • Use secure, standard protocols (SAML 2.0, or OpenID Connect on top of OAuth 2.0; OAuth 2.0 on its own is an authorization framework, not an authentication protocol)
  • Require MFA for initial authentication
  • Have session timeout of {{session_timeout}} minutes

Service Accounts

  • Must have documented business purpose
  • Passwords stored in approved password vault
  • Cannot be used for interactive login
  • Reviewed every {{service_account_review}} months

Privileged Accounts

  • Separate from standard user accounts
  • Additional monitoring and logging
  • Just-in-time access where possible
  • Require approval for use

User Responsibilities

Users must:

  • Keep passwords confidential
  • Never share passwords or write them down insecurely
  • Report suspected compromise immediately to {{security_contact}}
  • Complete security awareness training
  • Use only approved authentication methods

Password Recovery

Self-Service Reset

  • Available for standard user accounts
  • Requires identity verification
  • Sends a single-use, time-limited reset link to the registered email address or phone number

Assisted Reset

  • For privileged accounts or when self-service fails
  • Requires manager approval
  • Identity verification by {{it_provider}}

Exception Management

Recording Exceptions

If a system can't meet our standards, simply document:

  1. What: System name
  2. Why: The limitation (e.g., "{{exception_min_password_length}} character max")
  3. How: What we're doing instead (e.g., "Using MFA")

That's it. Review the list {{exception_review_frequency}} and fix what you can.

Monitoring and Compliance

Regular Reviews

  • Password policy compliance checked {{security_review_frequency}}
  • MFA adoption rates tracked {{security_metrics_cycle}}
  • Failed login attempts monitored {{log_review_frequency}}
  • Account usage patterns analyzed {{user_access_review_frequency}}

Non-Compliance

Failure to comply may result in:

  • Account suspension
  • Required security training
  • Disciplinary action
  • Incident investigation

Related Policies

  • Access Control Policy
  • Cyber and Information Security Policy
  • Acceptable Use Policy

Essential Eight Alignment

This policy supports:

  • Multi-factor Authentication - Core requirement for all remote and privileged access
  • Restrict Administrative Privileges - Through separate privileged accounts, just-in-time access and approval for use

Target Maturity: {{e8_target_maturity}}

Implementation Check

  1. Who owns this? {{policy_owner}}
  2. Are we doing it? {{implementation_status}}
  3. When will we check again? {{next_review_date}}