Password Management Policy
Objective:
The primary objective of this policy is to ensure strong protection of user accounts and passwords, safeguarding [Company Name]'s corporate network from potential compromise. This policy sets forth guidelines for creating secure passwords, managing them effectively, and implementing measures for user authentication and password change frequency.
Scope:
This policy applies to all Altos Ventures employees, including contractors and vendors who have access to Altos Ventures systems, networks, or handle nonpublic company information.
User Authentication:
Every user must have a unique user account and password for accessing [Company Name] systems. Shared or group user IDs are strictly prohibited for individual access. User authentication must involve passwords or tokens. The use of non-authenticated user IDs or unidentified user accounts is not allowed. After six failed login attempts within 30 minutes, an account will be locked, and it will remain locked for at least 30 minutes or until the System Administrator unlocks it. Multifactor authentication is mandatory for remote access to Altos Ventures systems.
Password Management:
Passwords must be created and managed according to the following requirements:
Password Requirements:
a. User-level network passwords expire every 90 days and must be changed.
b. New passwords cannot match any of the previous four passwords.
c. Passwords should be at least eight characters long, but longer passwords are encouraged.
d. Passwords must contain both uppercase and lowercase characters (e.g., a-z and A-Z).
e. Passwords must include at least one number (e.g., 0-9).
f. After six unsuccessful login attempts within 30 minutes, the account will be locked and remain locked for at least 30 minutes, unless unlocked by the System Administrator.
Password Sharing:
a. Passwords should never be shared with anyone, including IT support personnel, without approval from the IT Security Specialist.
b. Treat all passwords as sensitive and confidential information.
c. Report any password compromise immediately and change all related passwords.
Password Cracking and Testing:
a. Only the Technology Department or authorized third-party auditors may perform password cracking or guessing on Altos Ventures network systems for security testing.
b. If a password is guessed or cracked during testing, the user must change it immediately.
Password Managers:
a. The use of password manager programs is strongly encouraged to ensure strong, unique, and easily changeable passwords.
b. Users can request assistance from the IT Service Desk to install and configure password manager programs.
Guidelines for Password Construction:
Strong passwords should contain a mix of uppercase and lowercase characters, digits, and punctuation.
Passphrases are preferable to passwords, as they are longer and more secure against "dictionary attacks."
Passphrases should consist of multiple words and include a combination of uppercase and lowercase letters, numbers, and punctuation.
Use of Passwords and Passphrases for Remote Access:
Remote access to Altos Ventures networks should employ either one-time password authentication or a public/private key system with a strong passphrase.
Enforcement:
Violation of this policy may result in disciplinary action, up to and including termination of employment.