Password Policy Template
A short guide on implementing Password Policies for your Staff
Password Guidelines
Passwords provide access to important digital resources, which are frequently the determinants of your company's success in the marketplace.
Passwords are at the core of your cyber security and are highly valuable targets for cyber criminals looking to exploit your systems and steal your data. It's important to have a set of standards in place governing the creation of strong passwords, as well as the protection and regular changing of these passwords to ensure your safety.
Our security team has created a set of password guidelines to keep your password hygiene up to date. We recommend that you share this information with all your staff.
Password Policy
Purpose: A guide for safe password behaviour to be shared and implemented by all staff.
Overview
Passwords are a critical component of information security. Passwords serve to protect user accounts; however, a poorly constructed password may result in the compromise of individual systems, data, or the organisation's network. This guideline provides best practices for creating secure passwords.
Password Guidelines
All passwords should meet or exceed the following guidelines. Strong passwords have the following characteristics:
• Contain at least 12 alphanumeric characters.
• Contain both upper and lower case letters.
• Contain at least one number (for example, 0-9).
• Contain at least one special character.
Poor, or weak, passwords have the following characteristics:
• Contain less than eight characters.
• Can be found in a dictionary.
• Contain personal information such as birth dates, addresses, phone numbers, or names of family members, pets, friends, and fantasy characters.
• Contain work-related information such as building names, companies, hardware, or software.
• Contain common words spelled backward, or preceded or followed by a number (for example, secret1 or 1secret).
You should never write down a password. Instead, try to create passwords that you can remember easily. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase "This May Be One Way To Remember" could become the password TmB1w2R! or another variation.
If you need help generating a secure password, you can use a website like www.random.org/passwords/
Password Protection
• Passwords must not be shared with anyone. All passwords are to be treated as sensitive, confidential information.
• Passwords must not be inserted into email messages or other forms of electronic communication.
• Passwords must not be revealed over the phone to anyone.
• Do not reveal a password on questionnaires or security forms.
• Do not write passwords down and store them anywhere in your office.
• Do not store passwords in a file on a computer system or mobile device (phone, tablet) without encryption.
• Do not use the "Remember Password" feature of applications (for example, web browsers).
• Any user suspecting that his/her password may have been compromised must report the incident and change all passwords.
All passwords must be changed at least every six months.
Purpose
This cyber security policy template is ready to be tailored to your company’s needs and should be considered a starting point for setting up your password policies.
Disclaimer: The information in these materials is provided as general information only. Nothing in these materials represents, and must not be relied upon as, legal advice. This information is not tailored to your business's specific needs and may not take into account all relevant laws that may affect you or your business. While every effort has been made to ensure that the contents of these materials are accurate, adequate or complete, it does not represent or warrant its accuracy, adequacy or completeness.
Policy brief & purpose
Passwords are a critical component of information security. Passwords serve to protect user accounts; however, a poorly constructed password may result in the compromise of individual systems, data, or the network. This guideline provides best practices for creating secure passwords.
The purpose of these guidelines is to provide best practices for the creation of strong passwords.
Scope
This guideline applies to employees, contractors, consultants, temporary and other workers, including all personnel affiliated with third parties. This guideline applies to all passwords including but not limited to user-level accounts, system-level accounts, web accounts, email accounts, screen saver protection, voicemail, and local router logins.
Policy elements
STRONG PASSWORDS
Strong passwords are long: the more characters you have, the stronger the password.
We recommend a minimum of 14 characters in your password. In addition, we highly encourage the use of passphrases, passwords made up of multiple words.
Examples include “It’s time for vacation” or “block-curious-sunny-leaves”. Passphrases are both easy to remember and type yet meet the strength requirements.
Poor, or weak, passwords have the following characteristics:
• Contain eight characters or less.
• Contain personal information such as birthdates, addresses, phone numbers, or names of family members, pets, friends, and fantasy characters.
• Contain number patterns such as aaabbb, qwerty, zyxwvuts, or 123321.
• Are some version of “Welcome123”, “Password123” or “Changeme123”.
In addition, every work account should have a different, unique password. To enable users to maintain multiple passwords, we highly encourage the use of ‘password manager’ software that is authorised and provided by the organisation. Whenever possible, also enable the use of multi-factor authentication.
POLICY COMPLIANCE
The Infosec team will verify compliance to this policy through various methods, including but not limited to, periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
EXCEPTIONS
Any exception to the policy must be approved by the Infosec team in advance.
NON-COMPLIANCE
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
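The two sets of password rules above (the 12-character, mixed-character-class guideline earlier on this page and the 14-character passphrase guideline in this policy) can both be enforced mechanically at the point where a password is set. The checker below is an added example written for this page, not code from the original template or from any product it mentions. It assumes a tiny constructed word list (COMMON_WORDS) standing in for a real dictionary or breached-password list, and a constructed set of keyboard rows (KEYBOARD_ROWS); the rule names and thresholds (min_length, require_mixed_classes) are this example's own choices and are set by the caller to match whichever of the two guidelines is in force.

```python
import re

# Constructed stand-ins for a real dictionary and breached-password blocklist;
# a deployment would load a full word list from disk instead.
COMMON_WORDS = {"secret", "password", "welcome", "changeme", "letmein", "summer"}
# Constructed keyboard rows used to spot walks such as "qwerty" or "asdfgh".
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def _core_word(pw: str) -> str:
    """Lower-case the password and strip leading/trailing non-letters so that
    'secret1', '1secret' and 'Welcome123' all reduce to their base word."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())


def _has_run(s: str, length: int) -> bool:
    """True if s contains `length` consecutive characters whose code points
    step by exactly +1 or -1 (abcd, zyxw, 123, 321)."""
    for i in range(len(s) - length + 1):
        window = s[i:i + length]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def _has_keyboard_walk(s: str, length: int = 4) -> bool:
    """True if s contains a fragment of a keyboard row, forwards or backwards."""
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - length + 1):
            frag = row[i:i + length]
            if frag in s or frag[::-1] in s:
                return True
    return False


def check_password(pw, min_length=12, require_mixed_classes=True, personal_info=()):
    """Return the list of policy rules the password violates (empty == accepted).

    min_length=12 with require_mixed_classes=True matches the first guideline
    on the page; min_length=14 with require_mixed_classes=False matches the
    passphrase-oriented policy. personal_info holds strings (names, dates) the
    password must not contain."""
    problems = []
    lower = pw.lower()

    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")

    if require_mixed_classes:
        if not any(c.isupper() for c in pw):
            problems.append("no upper-case letter")
        if not any(c.islower() for c in pw):
            problems.append("no lower-case letter")
        if not any(c.isdigit() for c in pw):
            problems.append("no digit")
        if not any(not c.isalnum() for c in pw):
            problems.append("no special character")

    # Dictionary word, reversed word, or word padded with digits (secret1, 1secret).
    core = _core_word(pw)
    if core in COMMON_WORDS or core[::-1] in COMMON_WORDS:
        problems.append("dictionary word, possibly reversed or padded with digits")

    for item in personal_info:
        if item and item.lower() in lower:
            problems.append(f"contains personal information ({item})")

    # Pattern checks: aaabbb, 123321 / zyxwvuts, qwerty.
    if re.search(r"(.)\1{2,}", pw):
        problems.append("repeated characters (e.g. aaabbb)")
    digit_groups = re.findall(r"\d+", pw)
    if _has_run(lower, 4) or any(_has_run(d, 3) for d in digit_groups):
        problems.append("sequential characters (e.g. 123321, zyxwvuts)")
    if _has_keyboard_walk(lower):
        problems.append("keyboard walk (e.g. qwerty)")

    return problems


if __name__ == "__main__":
    # Constructed samples: the page's own examples plus a few weak ones.
    for candidate in ("TmB1w2R!", "It's time for vacation", "Welcome123", "secret1"):
        print(repr(candidate), "->", check_password(candidate) or "accepted")
    print(repr("block-curious-sunny-leaves"), "->",
          check_password("block-curious-sunny-leaves", min_length=14,
                         require_mixed_classes=False) or "accepted")
```

Running the sample shows the two guidelines disagree: the passphrases "It's time for vacation" and "block-curious-sunny-leaves" pass the 14-character passphrase policy, while "TmB1w2R!" from the earlier section is only eight characters and is rejected by that section's own 12-character minimum. A single organisation should pick one rule set before deploying a check like this.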