1. Purpose

This policy defines the requirements for creating, managing, and protecting passwords to ensure the security of Techwise Support’s information systems and data.

2. Scope

This policy applies to all employees, contractors, and third-party vendors who access Techwise Support’s systems and data.

3. Password Requirements

  • Complexity: Passwords must be at least 12 characters long and include a combination of uppercase letters, lowercase letters, numbers, and special characters.
  • Prohibited Passwords: Passwords must not be based on easily guessable information, such as birthdays, dictionary words, or simple sequences (e.g., “12345” or “password”).
  • Unique Passwords: Each system or application must have a unique password.

4. Multi-Factor Authentication (MFA)

MFA is required for accessing sensitive systems or data, adding a second layer of security beyond the password alone.

5. Password Management Tools

  • Dashlane and LastPass: Techwise Support uses Dashlane and LastPass to securely store and manage passwords. All employees are required to store passwords in these tools, which provide secure, encrypted storage and password generation features.
  • Auto-Fill and Sharing: Auto-fill features must be disabled on shared devices, and passwords must not be shared with unauthorized personnel. Dashlane and LastPass both offer secure sharing mechanisms, which must be used when sharing passwords is absolutely necessary.

6. Password Change Requirements

  • Regular Changes: Passwords must be changed every 90 days.
  • Expiry Notifications: Users will be notified 14 days before their password expires to ensure timely updates.
  • Compromise Response: If a password is suspected to be compromised, it must be changed immediately.
  • Reuse: Reuse of the last five passwords is prohibited.

7. Account Lockout

Accounts will be locked after five unsuccessful login attempts to limit online brute-force password guessing.

8. Secure Password Transmission

Passwords must not be transmitted in plain text via email, messaging apps, or other insecure methods. Encrypted channels (e.g., HTTPS, secure VPN) must be used.

9. Password Storage

  • Encryption: All stored passwords must be encrypted using industry-standard algorithms.
  • Dashlane and LastPass Storage: Passwords stored in Dashlane and LastPass are encrypted with a zero-knowledge architecture, ensuring that only the user has access to their credentials.
  • Paper Storage: Passwords must not be written down or stored in insecure physical locations.

10. User Responsibilities

  • Confidentiality: Users are responsible for maintaining the confidentiality of their passwords.
  • Reporting: Any suspected compromise or misuse of passwords must be reported to the IT department immediately.

11. Incident Response

Clear procedures are in place for responding to and mitigating incidents related to password compromises, including immediate password resets and security reviews.

12. Compliance with Regulatory Standards

All password management practices must comply with relevant legal and regulatory standards, including GDPR and other applicable data protection laws.

13. Policy Compliance

Non-compliance with this policy may result in disciplinary actions, including termination of access privileges or employment.

14. Review and Updates

This policy will be reviewed annually and updated as necessary to adapt to new threats, changes in technology, or regulatory requirements.

15. Contact Information

For questions or further details about this policy, contact:

IT Security Team
Techwise Support
32 London Road, Guildford, Surrey, GU1 2AB