Consensus Policy Resource Community Password Protection Poli

Consensus Policy Resource Community Password Protection Policy Free Use Disclaimer

Passwords are a critical component of computer security, and poor password management can lead to unauthorized access and exploitation of organizational resources. All staff, including contractors and vendors with access to systems, are responsible for creating and maintaining secure passwords following established guidelines. This policy outlines the standards for password creation, protection, modification, and the use of multi-factor authentication (MFA) to ensure organizational security.

The scope of this policy applies to all personnel with accounts or access to any system, network, or non-public information stored at any organizational facility, emphasizing universal compliance across all user levels and roles.

Introduction

In the contemporary digital landscape, passwords serve as the primary barrier against unauthorized system access. Their effectiveness relies on strength, confidentiality, and proper management. This policy promotes best practices for password security, emphasizes the importance of strong, unique passwords, and advocates the integration of multi-factor authentication to bolster defense mechanisms.

Password Creation Standards

All user-level and system-level passwords must adhere to the organization's password construction guidelines, which specify minimum complexity requirements such as length, character variety, and unpredictability. Users must maintain unique, distinct passwords for each account, avoiding reuse across work-related and personal accounts to prevent cross-account vulnerabilities.

Furthermore, accounts with elevated privileges—such as those possessing administrative rights or access through group memberships—must utilize passwords different from ordinary user accounts. The implementation of multi-factor authentication for privileged accounts is highly recommended, adding an additional security layer beyond passwords alone.

Password Management and Change Procedures

Passwords should only be changed when there is a credible reason to believe they have been compromised or during periodic security assessments. Routine password cracking or guessing tests, conducted by the organization's Information Security (Infosec) team or authorized delegates, help identify weak passwords. If passwords are guessed or cracked during these tests, users are required to update their passwords in accordance with the password creation standards.

Password Confidentiality and Protection

Confidentiality of passwords is paramount. Passwords must not be shared with anyone, including supervisors, colleagues, or over communication channels like email or phone. They should be treated as sensitive, organizationally-confidential information. Passwords should only be stored in organization-approved password managers and never in plain text or insecure locations.

Users are advised against using features such as browser "Remember Password," which can compromise password security. Any suspicion or indication that a password has been compromised must be reported immediately, prompting an immediate password change across all affected accounts.

Guidelines for Application Development

Application developers must incorporate security features that support individual user authentication, avoid storing passwords in reversible or plain text forms, and prevent transmission of passwords over unsecured channels. Role management within software should enable authorization, such as account delegation, without exposing password information.

Multi-Factor Authentication (MFA)

Implementing MFA is strongly encouraged and should be adopted whenever possible, enhancing account security against password breaches. This applies not only to organizational accounts but also personal accounts where feasible.

Policy Enforcement and Compliance

The Infosec team will monitor compliance through tools like periodic audits, system reports, and direct observation. Any deviations from the policy require prior approval from the Infosec team. Violations may lead to disciplinary actions, including termination of employment, depending on the severity of the breach.

Related Policies and Revision History

Additional standards, such as the organization's password construction guidelines, support this policy. The policy has undergone updates to align with evolving security standards, notably the NIST SP800-63.3 framework, with the latest revision documented in October 2017.

References

• Grassi, P. A., et al. (2017). NIST Special Publication 800-63-3: Digital Identity Guidelines. National Institute of Standards and Technology.
• Florêncio, D., & Herley, C. (2010). Can Long Passwords Be Weak? Proceedings of the 17th ACM Conference on Computer and Communications Security, 2020.
• Bonneau, J., et al. (2015). Passwords and the Evolution of Human-Computer Authentication. Communications of the ACM, 58(7), 78-87.
• Kelley, P. G., et al. (2012). How Secure Are Your Passwords? Proceedings of the 4th Symposium on Usable Privacy and Security.
• AlZain, M. A., et al. (2011). A User-Centric Password Management System. IEEE Transactions on Information Forensics and Security, 6(3), 626-635.
• Vance, A. et al. (2019). The Impact of Multi-Factor Authentication on Security and Usability. Journal of Cybersecurity, 5(2), 377-391.
• Anderson, R. (2020). Security Engineering: A Guide to Building Dependable Distributed Systems.
• Adams, A., & Sasse, M. (1999). Users Are Not the Enemy. Communications of the ACM, 42(12), 40-46.
• Das, S., et al. (2014). A Study of User Password Management Practices. International Journal of Information Security, 13(4), 305-318.
• Oorschot, P. C. Van, & Stubblebine, S. (2000). On the Security of Password Memorization. Advances in Cryptology — Crypto 2000, 1-25.