TRP Password Management Policy

This document outlines a password management policy for employees. It recommends using complex passwords that are at least 8 characters long and contain a mix of uppercase, lowercase, numbers and symbols. Passwords should be unique across systems and changed every 60 days. The policy prohibits writing down or sharing passwords and recommends using a password manager. Device passwords are also required to help secure systems from unauthorized access.

Password management policy

BY SCOTT MATTESON
April 2020

COPYRIGHT© 2020 TECHREPUBLIC.COM, LLC. ALL RIGHTS RESERVED.


Password management policy
SUMMARY

Employee passwords are the first line of defense in securing the organization from inappropriate or malicious access to data and services. In many cases, compromised user accounts have been turned into stepping stones for administrator-level penetration by unauthorized individuals, resulting in catastrophic, well-publicized data breaches.

Regardless of whether accounts are used for testing, workstation setups, day-to-day
use, or superuser/root privileges, establishing and maintaining a strong password
management policy is the foundation of a secure organization.

PURPOSE

This policy provides guidelines for the consistent and secure management of passwords for employees and system and service accounts. These guidelines include mandates on how passwords should be generated, used, stored, and changed, as well as instructions for handling password compromises.

This policy can be customized as needed to fit the needs of your organization.

SCOPE

All full-time employees, contract workers, consultants, part-time staff, temporary workers, and other personnel are covered by this policy.

EXCEPTIONS

There are no exceptions to this policy unless explicitly permitted in this document.

GENERAL REQUIREMENTS

Blank or easily guessed passwords (such as “password”) are never permitted for
any account, no matter how trivial. Passwords should not contain dictionary words
such as “kitchen” or “automotive.”

Passwords must be complex, containing at least eight characters and a mixture of lowercase, uppercase, numbers, and punctuation characters. For instance, “B3llt0Wer!” should be used in place of “Belltower,” as it is considerably more secure.

Passwords should never contain security-sensitive information, such as an employee’s social security number or date of birth. They also should not include public information related to an employee’s personal life, such as the names of their children, hobbies, favorite sports team, etc.
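
An added example, not part of the TechRepublic policy, of how the requirements above can be enforced when a password is set: minimum length, the four character classes, a short constructed word list standing in for a real dictionary, and an optional list of an employee's personal facts (date of birth, children's names) that must not appear. The function name and the word list are assumptions for this illustration.

```python
import re
import string

# Policy constants taken from the page: eight characters, four character classes.
MIN_LENGTH = 8
# Constructed stand-in for a real dictionary word list; the page names the first three.
DICTIONARY_WORDS = ("password", "kitchen", "automotive", "belltower", "newhire")


def _alnum(text: str) -> str:
    """Lowercase and strip separators so "1990-04-12" also matches "19900412"."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def check_password(candidate: str, personal_facts=()) -> list:
    """Return a list of policy violations; an empty list means the password complies.

    personal_facts is an optional iterable of strings the policy says must not
    appear in the password (SSN, date of birth, children's names, team names...).
    """
    problems = []
    if not candidate:
        problems.append("blank passwords are never permitted")
        return problems
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in candidate):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in candidate):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no punctuation character")
    lowered = candidate.lower()
    # Dictionary words anywhere in the password, e.g. "kitchen" or "Belltower".
    for word in DICTIONARY_WORDS:
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    # Security-sensitive or public personal information, compared with separators stripped.
    for fact in personal_facts:
        stripped = _alnum(fact)
        if stripped and stripped in _alnum(candidate):
            problems.append(f"contains personal information '{fact}'")
    return problems
```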

Use different passwords on different systems. For example, a Windows account password should not be the same as a QuickBooks password. It is especially critical that external accounts (such as on third-party websites such as Salesforce.com) do not have the same passwords as internal accounts, to protect from data breaches against these external targets.

Passwords used on company systems should never correspond with employee personal account passwords (e.g., Windows account and Gmail account passwords must be separate).

Users must not write passwords down or send passwords through email/instant messaging services.

The IT department will not ask users for their passwords but will instead set temporary passwords for employees who can’t log into their accounts.

Employees should consider using a password management program like LastPass, KeePass, or Password Safe to store their passwords in a central encrypted database secured by a master password (which is subject to the same guidelines described here). If such a program is used, it should be configured to auto-lock when the system is idle and to clear any passwords in the clipboard when not in use.

Users must not share their account passwords with others except in the case of
external account passwords used to conduct company business (e.g., purchasing
equipment or booking travel reservations). These passwords must be provided to
the employee’s manager and stored securely, such as with a password management
program referenced above.

If a shared password database is used by a group (such as the Finance department), the entries should be kept as minimal as possible to ensure that it provides only the access needed for employees to do their jobs. For example, a password to a banking site used only by the company controller should not be kept in a password database where employees who should not have this access can view it.

When configuring security questions designed to protect against lost passwords, always choose fact-based questions (“What street did you grow up on?”) rather than opinion-based questions (“What is your favorite food?”). Opinion-based questions are less likely to be remembered later since people’s tastes change. Never pick security questions with answers that could be easily researched (e.g., “Where did you go to high school?”).

Any security questions associated with external accounts should be kept in a shared
password database for future reference.

DEVICE MANAGEMENT STRATEGIES

Any device on which company accounts are used must be secured with a password. Always lock screens/devices when you’re away or they’re not in use. Pressing Windows + L, for instance, will immediately lock a Windows system with the logged-on user’s password.

Passwords must not be stored (cached) on unsecure devices, defined as smartphones/tablets/computers that do not have password protection and do not utilize encrypted storage. It is possible to view saved website passwords in the Firefox browser, for instance, which poses a clear risk to employees if an unauthorized individual obtains access to this device.

Employees should never use public systems or untrusted devices to access company resources, since they may have been configured to steal passwords or log keystrokes.

Biometrics (fingerprint or retinal scanners) may be used for user authentication to
company systems but must not replace the use of passwords. Keep in mind that the
best security model is that of “two-factor authentication”—something you have (a
fingerprint) and something you know (a password).

PASSWORD CHANGES
• All employee account passwords must change at least once every 60 days.

• Authentication systems such as Active Directory should be configured to warn users of expiring passwords within at least seven days.

• No reuse of expired passwords is permitted. Passwords must be unique at every change.

• If you have multiple accounts, it is recommended to change all the passwords at the same time, especially if the expiration dates are similar. This will ease the transition and make the process more predictable.

• Notify the IT/information security department of any passwords thought to be compromised—for example, if someone else views them being typed on a keyboard or accidentally displayed onscreen.

• When employees leave the company (even under voluntary circumstances), any passwords they had access to must be changed.

PASSWORD USAGE/MANAGEMENT GUIDELINES FOR THE IT DEPARTMENT

Document all system account passwords in a central password database that uses
encryption. The master password must be shared only with appropriate individuals
and must be memorized, not documented. Keep a copy of this database where it
can be safely accessed in the event of a system or power outage (e.g., on a flash
drive locked in the data center).

System/service account passwords must change every 60 days except where doing so would be deemed excessively disruptive to company operations. Any and all accounts with passwords set NOT to expire must be documented and approved by the IT director and the information security department and must reside on systems that are physically secured.

Many password management applications can generate random, complex passwords. Take advantage of this feature where applicable to streamline the password creation/change process.

Because expired system accounts can cause numerous technical problems, always use alerts to notify personnel of impending system account password expirations (within seven days). Plan out password change steps (updating scheduled tasks, restarting services for the change to take effect, etc.) to ensure a seamless transition.

Don’t embed passwords in scripts, programs, or any file that could be read by unauthorized users.

Set accounts to lock for 15 minutes after five failed login attempts. This will reduce
the possibility of guessing account passwords using brute force strategies.

Never ask a user for their password. If users can’t log into their account, assign
them a temporary password and configure the account to require a password
change upon the next logon.

Do not reset passwords upon request until you have confirmed the identity of the
user(s) involved. Provide the new password in person or over the phone.

Don’t use a generic password (“Newhire1”) for new user accounts, since they can
be easily guessed by the second-to-last person hired.

If storing passwords in a database (such as one containing customer accounts used for online purchases from the organization), the database should use the strongest available techniques to protect those passwords. “Salting” and “hashing” passwords are recommended for this process to ensure password integrity.
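
As an added example (not the policy's own code), two of the IT-department rules above implemented in Python: the lockout of an account for 15 minutes after five failed login attempts, and salted, hashed storage of stored account passwords using PBKDF2-HMAC-SHA256 from the standard library. The iteration count, the record layout and the LoginGuard class are assumptions for this illustration, not taken from the page.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 200_000   # assumed for this example; align with current guidance in production
LOCKOUT_THRESHOLD = 5         # from the policy: five failed login attempts
LOCKOUT_SECONDS = 15 * 60     # from the policy: lock the account for 15 minutes


def hash_password(password: str, salt: bytes = b"") -> dict:
    """Return a record holding a random per-user salt and the PBKDF2 hash, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


class LoginGuard:
    """Per-account failure counter enforcing the lockout rule (hypothetical helper)."""

    def __init__(self, users: dict, clock=time.time):
        self.users = users          # username -> record produced by hash_password
        self.failures = {}          # username -> consecutive failed attempts
        self.locked_until = {}      # username -> unix time at which the lock expires
        self.clock = clock          # injectable so tests can advance time

    def attempt(self, username: str, password: str) -> str:
        """Return "ok", "denied" or "locked" for one login attempt."""
        now = self.clock()
        if self.locked_until.get(username, 0) > now:
            return "locked"
        record = self.users.get(username)
        if record is not None and verify_password(password, record):
            self.failures[username] = 0
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= LOCKOUT_THRESHOLD:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures[username] = 0
            return "locked"
        return "denied"
```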

If a user reports that they think their password has been compromised, lock
their account immediately, then set a new password. Refer the incident to
the information security department as soon as possible so it can address
the incident and determine the impact. Do not unlock the account until given
approval by your manager or the information security department.

All administrative passwords should be changed if there is a security breach or one
is suspected to have occurred.

The IT department should maintain a termination checklist to document the steps involved with disabling accounts and changing passwords known by ex-employees.

MONITORING

Adherence to many of these password requirements will be mandated by system controls (such as those requiring periodic password changes or enforcing password complexity). Monitoring of password usage to ensure compliance with these guidelines will be conducted by the IT and/or information security department.

VIOLATIONS AND PENALTIES

Violations of this policy must be immediately reported to the employee’s manager and the information security department. Violating the policy or any of its tenets could result in disciplinary action leading up to and including termination of employment and legal action where applicable.

ACKNOWLEDGMENT OF PASSWORD MANAGEMENT POLICY

This form is used to acknowledge receipt of, and compliance with, the organization’s
Password Management Policy.

Procedure
Complete the following steps:
1. Read the Password Management Policy.
2. Sign and date in the spaces provided.
3. Return a copy of this signed document to the human resources department.

Signature
Your signature attests that you agree to the following terms:

I. I have received and read a copy of the Password Management Policy, and I
understand and agree to the same.
II. I understand the organization may monitor the implementation of and adherence
to this policy to review the results.
III. I understand that violations of the Password Management Policy could result in
termination of my employment and legal action against me.

Name
Title
Department/Location
Email
Supervisor
Supervisor Email
Employee Signature
Date

Disclaimer: This policy is not a substitute for legal advice. If you have legal questions
related to this policy, see your lawyer.

EDITOR IN CHIEF: Bill Detwiler
EDITOR IN CHIEF, UK: Steve Ranger
ASSOCIATE MANAGING EDITORS: Teena Maddox, Mary Weilage
EDITOR, AUSTRALIA: Chris Duckett
SENIOR WRITER: Veronica Combs
EDITOR: Melanie Wolkoff Wachsman
ASSOCIATE STAFF WRITER: Macy Bayern
MULTIMEDIA PRODUCER: Derek Poore
STAFF REPORTER: Karen Roby

ABOUT
Trusted expertise on every topic. Original research and surveys. A full library of eBooks and white papers. Customizable tools and templates. It takes all these resources and more to solve the toughest IT problems.

DISCLAIMER
The information contained herein has been obtained from sources believed to be reliable. TechRepublic.com, LLC disclaims all warranties as to the accuracy, completeness, or adequacy of such information. TechRepublic.com, LLC shall have no liability for errors, omissions, or inadequacies in the information contained herein or for the interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.

Copyright ©2020 by TechRepublic.com, LLC. All rights reserved. TechRepublic Premium and its logo are trademarks of TechRepublic.com, LLC. All other product names or services identified throughout this article are trademarks or registered trademarks of their respective companies.

Cover image: iStockphoto
