# Password & Authenticator Policy (System-Agnostic) **Document owner:** [Owner/Role] **Approved by:** [Steering Committee / CISO] **Effective date:** [YYYY-MM-DD] **Review cadence:** [Annually] --- ## 1) Purpose & Scope This policy establishes mandatory requirements for password creation, management, and authentication across [Organization]’s IT systems. It applies to all employees, contractors, vendors, and service accounts. --- ## 2) Policy Statements ### 2.1 Password Length - Passwords **must** be at least **15 characters** when used as a single factor of authentication. - Passwords **must** be at least **8 characters** when used in combination with MFA. - Systems **must** allow passwords up to **64 characters** and **should** support spaces, ASCII, and Unicode characters. ### 2.2 Complexity - Passwords **must not** be subject to composition rules requiring upper/lowercase, numbers, or symbols. - Passwords **must** be screened against a blocklist of weak, common, or compromised passwords. ### 2.3 Expiration - Passwords **shall not** expire on a scheduled basis. - Passwords **must** be changed immediately upon indication or suspicion of compromise. ### 2.4 Usability - Systems **must** permit copy/paste from password managers. - Systems **must** provide a “show password” option. - Password hints and security questions **must not** be used. ### 2.5 Multi-Factor Authentication (MFA) - MFA **must** be enforced for: - Remote access - Administrative access - Access to sensitive data or critical systems - MFA **should** use phishing-resistant methods (e.g., FIDO2, authenticator apps). - SMS/voice **shall** only be used as fallback methods. ### 2.6 Account Lockout - Failed logins **must** be throttled with rate-limiting or timed lockout. - Accounts **shall not** be permanently locked out due to failed attempts. ### 2.7 Storage & Transmission - Passwords **must** only be transmitted over encrypted channels (TLS 1.2+ or equivalent). - Passwords **must** be stored as salted and hashed verifiers using Argon2id, bcrypt, or PBKDF2. - Legacy or weak hashing mechanisms **must not** be used. ### 2.8 Resets & Recovery - Password resets **must** require MFA verification. - Knowledge-based authentication (KBA/security questions) **must not** be used. - After compromise, passwords **must** be reset and sessions revoked. ### 2.9 Administrative Accounts - Administrative accounts **must** be separate from daily-use accounts. - All administrative accounts **must** be protected with MFA. - Administrative access **should** be provisioned with just-in-time or time-bound access control. - Shared administrative passwords **must not** be used. Break-glass accounts **must** be protected and monitored. ### 2.10 Service & Machine Accounts - Service accounts **must** use keys, certificates, or managed identities where possible. - If passwords are required, they **must** be at least **30 characters**, randomly generated, and stored only in approved secret managers. - Service accounts **must not** allow interactive login. - Secrets **must** be rotated regularly through automated processes. ### 2.11 Dormant Accounts - User accounts inactive for **45 days** **must** be disabled. - Quarterly reviews of all accounts **must** be conducted. ### 2.12 Application Integration Applications authenticating users: - **Must** support password length requirements and blocklist enforcement. - **Must** allow paste/autofill and must not truncate passwords. - **Must** store verifiers using modern password hashing methods. --- ## 3) Enforcement - Violations of this policy **may** result in disciplinary action, up to and including termination of access or employment. - System owners **must** remediate applications not compliant with this policy or document exceptions approved by the CISO. --- ## 4) Exceptions - Exceptions **must** be documented, include compensating controls, and have CISO approval. - Exceptions **must** have a review date not exceeding 12 months. --- ## 5) References - **NIST SP 800-63B, Digital Identity Guidelines (2023 update)** - **CIS Controls v8.1, Controls 5 & 6** - **OWASP Authentication Cheat Sheet**