policies/Security/password_policy_generic.md
2025-09-30 11:30:46 +02:00

# Password & Authenticator Policy (System-Agnostic)
**Document owner:** [Owner/Role]
**Approved by:** [Steering Committee / CISO]
**Effective date:** [YYYY-MM-DD]
**Review cadence:** [Annually]

---

## 1) Purpose & Scope

This policy establishes mandatory requirements for password creation, management, and authentication across [Organization]'s IT systems. It applies to all employees, contractors, vendors, and service accounts.

---
## 2) Policy Statements
### 2.1 Password Length
- Passwords **must** be at least **15 characters** when used as a single factor of authentication.
- Passwords **must** be at least **8 characters** when used in combination with MFA.
- Systems **must** allow passwords up to **64 characters** and **should** support spaces, ASCII, and Unicode characters.
### 2.2 Complexity
- Passwords **must not** be subject to composition rules requiring upper/lowercase, numbers, or symbols.
- Passwords **must** be screened against a blocklist of weak, common, or compromised passwords.
### 2.3 Expiration
- Passwords **shall not** expire on a scheduled basis.
- Passwords **must** be changed immediately upon indication or suspicion of compromise.
### 2.4 Usability
- Systems **must** permit copy/paste from password managers.
- Systems **must** provide a “show password” option.
- Password hints and security questions **must not** be used.
### 2.5 Multi-Factor Authentication (MFA)
- MFA **must** be enforced for:
  - Remote access
  - Administrative access
  - Access to sensitive data or critical systems
- MFA **should** use phishing-resistant methods (e.g., FIDO2, authenticator apps).
- SMS/voice **shall** only be used as fallback methods.
### 2.6 Account Lockout
- Failed logins **must** be throttled with rate-limiting or timed lockout.
- Accounts **shall not** be permanently locked out due to failed attempts.
### 2.7 Storage & Transmission
- Passwords **must** only be transmitted over encrypted channels (TLS 1.2+ or equivalent).
- Passwords **must** be stored as salted and hashed verifiers using Argon2id, bcrypt, or PBKDF2.
- Legacy or weak hashing mechanisms **must not** be used.
### 2.8 Resets & Recovery
- Password resets **must** require MFA verification.
- Knowledge-based authentication (KBA/security questions) **must not** be used.
- After compromise, passwords **must** be reset and sessions revoked.
### 2.9 Administrative Accounts
- Administrative accounts **must** be separate from daily-use accounts.
- All administrative accounts **must** be protected with MFA.
- Administrative access **should** be provisioned with just-in-time or time-bound access control.
- Shared administrative passwords **must not** be used. Break-glass accounts **must** be protected and monitored.
### 2.10 Service & Machine Accounts
- Service accounts **must** use keys, certificates, or managed identities where possible.
- If passwords are required, they **must** be at least **30 characters**, randomly generated, and stored only in approved secret managers.
- Service accounts **must not** allow interactive login.
- Secrets **must** be rotated regularly through automated processes.
### 2.11 Dormant Accounts
- User accounts inactive for **45 days** **must** be disabled.
- Quarterly reviews of all accounts **must** be conducted.
### 2.12 Application Integration
Applications authenticating users:
- **Must** support password length requirements and blocklist enforcement.
- **Must** allow paste/autofill and must not truncate passwords.
- **Must** store verifiers using modern password hashing methods.
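As an added illustration that is not part of this policy document, the following Python module shows how an application could implement the requirements of sections 2.1, 2.2, 2.7 and 2.12: a minimum length that depends on whether MFA is in use, no composition rules, blocklist screening, Unicode accepted without truncation, and verifiers derived with PBKDF2-HMAC-SHA256 (one of the permitted algorithms) and compared in constant time. The blocklist entries, the NFKC normalisation step and the iteration count are assumptions chosen for this example.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed blocklist for illustration only; a real deployment screens against a
# large corpus of breached and common passwords (section 2.2), stored case-folded.
BLOCKLIST = {"password123456789", "correct horse battery staple", "welcome2024!!!!"}

MIN_LEN_SINGLE_FACTOR = 15   # section 2.1: password is the only factor
MIN_LEN_WITH_MFA = 8         # section 2.1: password combined with MFA
PBKDF2_ITERATIONS = 600_000  # assumption: iteration count for PBKDF2-HMAC-SHA256


def _normalize(password: str) -> str:
    # Assumption: NFKC so visually identical Unicode spellings hash identically.
    # Nothing is stripped or truncated; spaces and non-ASCII characters are kept.
    return unicodedata.normalize("NFKC", password)


def validate_password(password: str, mfa_enabled: bool) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    normalized = _normalize(password)
    minimum = MIN_LEN_WITH_MFA if mfa_enabled else MIN_LEN_SINGLE_FACTOR
    if len(normalized) < minimum:
        problems.append(f"shorter than {minimum} characters")
    # Section 2.2: blocklist screening only, deliberately no upper/lower/digit/symbol rules.
    if normalized.casefold() in BLOCKLIST:
        problems.append("appears on the weak/compromised password blocklist")
    return problems


def hash_password(password: str) -> tuple[bytes, bytes]:
    """Derive a salted verifier (section 2.7); returns (salt, verifier) for storage."""
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac(
        "sha256", _normalize(password).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, verifier


def verify_password(password: str, salt: bytes, verifier: bytes) -> bool:
    """Recompute the verifier from the supplied password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", _normalize(password).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, verifier)
```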
---
## 3) Enforcement
- Violations of this policy **may** result in disciplinary action, up to and including termination of access or employment.
- System owners **must** remediate applications not compliant with this policy or document exceptions approved by the CISO.
---
## 4) Exceptions
- Exceptions **must** be documented, include compensating controls, and have CISO approval.
- Exceptions **must** have a review date not exceeding 12 months.
---
## 5) References
- **NIST SP 800-63B, Digital Identity Guidelines (2023 update)**
- **CIS Controls v8.1, Controls 5 & 6**
- **OWASP Authentication Cheat Sheet**