Possword Policy
Version: 2.0
Policy Code:
DICT-QAP086
date:05/02/2024
Document Control
Executive Summary
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in a compromise of IAU entire network. The purpose of having a password policy is to ensure a more consistent measure of security for IAUs’ network and the information it contains. The implementation of this policy will better safeguard the personal and confidential information of all individuals and organizations affiliated, associated, or employed by the University. Additionally, this policy establishes a standard for creation of strong passwords, the protection of those passwords, and the frequency of change of passwords.
Introduction
Objectives
The following are the objectives of the policy:
1. Defend against unauthorized access of ANNA STAR CONTRACTING that could result in a compromise of personal or institutional data
2. Ensure that ANNA STAR resources are used in an appropriate fashion, and support the company’s
3. Encourage users to understand their own rights and responsibilities for protecting their passwords.
4. Protect the privacy and integrity of data stored on the company network.
Entities affected by this Policy
This policy applies to all persons who have, or are responsible for, an account on any system accessed on the Company network or computer systems.
Policy Statement
Guidelines & Procedures Statements
General Guidelines:
1. Passwords must be changed every 90 days. 2. All passwords must meet the definition of a Strong password described below in the strong password construction guidelines section.
3. Each successive password must be unique. Re-use of the same password will not be allowed. 4. Any temporary password will expire at 23:59:59 of the date issued. 5. A user account will be temporarily locked for three (3) minutes after 3 consecutive failed
logins:
a. Account Lockout Duration: 15 mins. b. Account Lockout Threshold: 3. c. Reset Account Lockout Counter: 30 mins.
6. The "reset password" process will be applied to users who logs in for the first time.
Poor, weak passwords have the following characteristics:
1. The password contains less than eight characters. 2. The password is a word found in a dictionary (English or foreign). 3. The password is a common usage word such as:
a. Name of family, pets, friends, co-workers, fantasy characters, etc. b. Computer terms and names, commands, sites companies, hardware, software. c. Birthdays and other personal information such as addresses and phone numbers. d. Word or number patterns like aaabbb, 111222, zyxwvts, 4654321, etc. e. Any of the above spelled backward like fesuoy, damha, etc. f. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
Strong Password Construction Guidelines:
1. Are at least eight alphanumeric characters long 2. Passwords do not contain user ID 3. Contain no more than two identical characters in a row and are not made up of all numeric or alpha characters
4. Contain at least three of the five following character classes:
a. Lower case characters b. Upper case characters c. Numbers d. “Special” characters (e.g. @#$%^&*()_+|~-=\`{}[]:";'<>/ etc) e. Contain at least eight alphanumeric characters.
Responsibilities of the User Statements
Users are responsible for assisting in the protection of the network and computer systems they use. The integrity and secrecy of an individual's password is a key element of that responsibility. Everyone has the responsibility for creating and securing an acceptable password per this policy. Failure to conform to these restrictions may lead to the suspension of rights to Company systems or other action as provided by Company Policy.
Policy Violation
Anyone who violate this policy will be subject to any or all the following actions:
Suspension of the company internet account/access. The referral of the case to the company Legal Department along with supporting evidence for an appropriate action.