Password Policy

Unless otherwise specified within this IT Security Policy, password management shall adhere to the standards set forth by Microsoft 365. Accordingly, the following security requirements must be observed when creating passwords:

  1. Minimum of eight (8) characters in length. Where Microsoft 365 standards (which do not impose complexity requirements) cannot be followed, passwords should include characters from all three of the following categories:

     a. English uppercase characters (A through Z)

     b. English lowercase characters (a through z)

     c. Base 10 digits (0 through 9)

  2. Microsoft 365 does not require complexity standards, but where possible the use of non-alphabetic characters (e.g., !, $, #, %) is recommended.

  3. Password history shall be kept for the previous six (6) passwords, and each new password shall be unique across that history.

  4. Microsoft 365 does not require periodic password resets. However, where Microsoft 365 standards cannot be applied, the maximum password age should be ninety (90) days.

  5. Shall not be the same as, or contain, the user ID.

  6. Passwords shall not be visible by default when entered but, in alignment with Microsoft 365, may be made visible while typing where possible; password “Paste-In” should not be allowed.

  7. Passwords shall not be easily guessable.

  8. First-time passwords shall be set to a unique value for each user and changed immediately after the first use.

  9. User accounts shall be locked after seven (7) incorrect attempts.

  10. Lockout duration shall be set to a minimum of thirty (30) minutes or until an administrator resets the user’s ID upon proper user identity verification.

  11. If a session has been idle for more than ten (10) minutes, the user shall be required to re-enter the password to re-activate access.

  12. Password hints should not be used, in compliance with Microsoft 365.

The following shall be adhered to when managing user passwords:

  1. Verify user identity before performing password resets.

  2. Where possible, these requirements shall be automatically enforced using management tools such as Active Directory Group Policy or specific system configuration(s).

  3. Access to shared network/service/system power user/root/admin passwords shall be controlled and limited by administrators. Usage of these accounts shall be monitored.

  4. Role-based access to all systems shall be implemented, including individually assigned usernames and passwords.

  5. Usernames and passwords shall not be shared, written down or stored in easily accessible areas.

  6. Assigning multiple usernames to users shall be limited. However, when multiple usernames are assigned to personnel, different passwords shall be used with each username.

  7. Group, shared, or generic accounts and passwords shall not be used unless approved by Information Security (e.g., service accounts) and shall follow approved information security standards.

  8. Special administrative accounts, such as root, shall implement additional controls, such as alerting, to detect and/or prevent unauthorized usage.

  9. Administrator, superuser, and service account passwords shall be stored in a secure location, for example a fire safe in a secured area. If these are stored on an electronic device, the device and/or data shall be encrypted following Data Protection & Encryption Policy (refer to policy #1) and access restricted accordingly.

  10. Default passwords on systems must be changed after installation.

  11. Render all passwords inaccessible during transmission using encryption as defined in Data Protection & Encryption Policy (refer to policy #1).

  12. Passwords shall be protected in storage by hashing, following Data Protection & Encryption Policy (refer to policy #1).

  13. Remove custom application accounts, user IDs, and passwords before applications become active or are released to subscribers.

  14. In alignment with Microsoft 365, breached passwords should be monitored, and mandatory password changes should occur if a password breach is identified, or the user suspects their password may have been compromised.