4.2 KiB
4.2 KiB
Password & Authenticator Policy (System-Agnostic)
Document owner: [Owner/Role]
Approved by: [Steering Committee / CISO]
Effective date: [YYYY-MM-DD]
Review cadence: [Annually]
1) Purpose & Scope
This policy establishes mandatory requirements for password creation, management, and authentication across [Organization]’s IT systems. It applies to all employees, contractors, vendors, and service accounts.
2) Policy Statements
2.1 Password Length
- Passwords must be at least 15 characters when used as a single factor of authentication.
- Passwords must be at least 8 characters when used in combination with MFA.
- Systems must allow passwords up to 64 characters and should support spaces, ASCII, and Unicode characters.
2.2 Complexity
- Passwords must not be subject to composition rules requiring upper/lowercase, numbers, or symbols.
- Passwords must be screened against a blocklist of weak, common, or compromised passwords.
2.3 Expiration
- Passwords shall not expire on a scheduled basis.
- Passwords must be changed immediately upon indication or suspicion of compromise.
2.4 Usability
- Systems must permit copy/paste from password managers.
- Systems must provide a “show password” option.
- Password hints and security questions must not be used.
2.5 Multi-Factor Authentication (MFA)
- MFA must be enforced for:
- Remote access
- Administrative access
- Access to sensitive data or critical systems
- MFA should use phishing-resistant methods (e.g., FIDO2, authenticator apps).
- SMS/voice shall only be used as fallback methods.
2.6 Account Lockout
- Failed logins must be throttled with rate-limiting or timed lockout.
- Accounts shall not be permanently locked out due to failed attempts.
2.7 Storage & Transmission
- Passwords must only be transmitted over encrypted channels (TLS 1.2+ or equivalent).
- Passwords must be stored as salted and hashed verifiers using Argon2id, bcrypt, or PBKDF2.
- Legacy or weak hashing mechanisms must not be used.
2.8 Resets & Recovery
- Password resets must require MFA verification.
- Knowledge-based authentication (KBA/security questions) must not be used.
- After compromise, passwords must be reset and sessions revoked.
2.9 Administrative Accounts
- Administrative accounts must be separate from daily-use accounts.
- All administrative accounts must be protected with MFA.
- Administrative access should be provisioned with just-in-time or time-bound access control.
- Shared administrative passwords must not be used. Break-glass accounts must be protected and monitored.
2.10 Service & Machine Accounts
- Service accounts must use keys, certificates, or managed identities where possible.
- If passwords are required, they must be at least 30 characters, randomly generated, and stored only in approved secret managers.
- Service accounts must not allow interactive login.
- Secrets must be rotated regularly through automated processes.
2.11 Dormant Accounts
- User accounts inactive for 45 days must be disabled.
- Quarterly reviews of all accounts must be conducted.
2.12 Application Integration
Applications authenticating users:
- Must support password length requirements and blocklist enforcement.
- Must allow paste/autofill and must not truncate passwords.
- Must store verifiers using modern password hashing methods.
3) Enforcement
- Violations of this policy may result in disciplinary action, up to and including termination of access or employment.
- System owners must remediate applications not compliant with this policy or document exceptions approved by the CISO.
4) Exceptions
- Exceptions must be documented, include compensating controls, and have CISO approval.
- Exceptions must have a review date not exceeding 12 months.
5) References
- NIST SP 800-63B, Digital Identity Guidelines (2023 update)
- CIS Controls v8.1, Controls 5 & 6
- OWASP Authentication Cheat Sheet