Password Construction Standards

Version 1.0.3 | Last Updated 2024-03-28 | APPROVED

1. Overview

Passwords are a critical component of information security. Passwords serve to protect access to user accounts, data, and systems. However, a poorly constructed or easily guessed password can compromise the strongest defenses. This guideline provides best practices for creating strong passwords and using additional security measures such as hardware-based two-factor authentication (2FA) and password managers.

2. Purpose

The purpose of these guidelines is to provide best practices for the creation of strong passwords and the use of additional security measures to protect user accounts and sensitive data.

3. Scope

This guideline applies to employees, contractors, consultants, temporary and other workers, including all personnel affiliated with third parties. This guideline applies to all passwords including but not limited to user-level accounts, system-level accounts, web accounts, e-mail accounts, screen saver protection, voicemail, and local router logins.

4. Standards

4.1 Password Strength

  • Passwords should be at least 16 characters long. The more characters a password has, the stronger it is.
  • Use passphrases, which are passwords made up of multiple words. Examples include “cactus trace4 week303end” or “bl0ck-curious-suNNy-leaves”. Passphrases are easy both to remember and to type, yet still meet the strength requirements.
  • Passwords should include a mix of uppercase and lowercase letters, numbers, and special characters.
  • Avoid using easily guessable information such as personal information, dictionary words, or common phrases.
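The following checker, added here as an illustration and not part of the original standard, turns the four rules above into a function that reports which rules a candidate fails. The denylist is a constructed stand-in for a real breached-password list, the leetspeak mapping is an assumption, and "avoid dictionary words" is interpreted as "do not use a single word"; run against the page's own examples, it shows that “cactus trace4 week303end” satisfies every rule except the uppercase-letter check.

```python
import re

# Constructed denylist standing in for a real breached-password / common-phrase
# list that would normally be loaded from a file (assumption for this example).
COMMON_PHRASES = {
    "password", "letmein", "welcome", "iloveyou", "qwerty",
    "changeme", "correct horse battery staple",
}
MIN_LENGTH = 16
# Undo the most common symbol-for-letter substitutions before matching
# (assumed mapping: @->a, $->s, 0->o, 1->i, 3->e, 4->a).
LEET = str.maketrans("@$0134", "asoiea")


def check_password(candidate: str) -> list[str]:
    """Return the section 4.1 rules the candidate fails (empty list = accepted)."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in candidate):
        failures.append("no lowercase letter")
    if not any(c.isupper() for c in candidate):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in candidate):
        failures.append("no digit")
    # Anything other than a letter or digit counts as special, so the space
    # and hyphen in the page's example passphrases qualify.
    if not any(not c.isalnum() for c in candidate):
        failures.append("no special character")
    # Normalise: undo leetspeak, lowercase, keep only letter runs, so that
    # "P@ssw0rd1!" is still recognised as containing the word "password".
    words = re.findall(r"[a-z]+", candidate.translate(LEET).lower())
    normalised = " ".join(words)
    if any(phrase in normalised for phrase in COMMON_PHRASES):
        failures.append("contains a common password or phrase")
    # One long word is still a single dictionary lookup for an attacker; this
    # reads "avoid dictionary words" as "do not use a single word".
    if len(words) == 1:
        failures.append("single word rather than a passphrase")
    return failures


if __name__ == "__main__":
    # Never log or store the candidates themselves in a real deployment.
    for pw in ("bl0ck-curious-suNNy-leaves", "cactus trace4 week303end",
               "P@ssw0rd12345678!", "Supercalifragilistic"):
        result = check_password(pw)
        print(f"{pw!r}: {'accepted' if not result else ', '.join(result)}")
```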

4.2 Password Managers

  • Use a reputable password manager to generate, store, and manage strong, unique passwords for each account.
  • Password managers should be protected with a strong master password and hardware-based 2FA.

4.3 Two-Factor Authentication (2FA)

  • Enable hardware-based 2FA, such as security keys or smart cards, for all critical accounts, including but not limited to email, VPN, and remote access systems.
  • Where hardware-based 2FA is not available, use app-based 2FA or SMS-based 2FA as a secondary option.

4.4 Password Auditing

  • Password cracking or guessing may be performed on a periodic or random basis by the InfoSec Team or its delegates.
  • If a password is guessed or cracked during one of these scans, the user will be required to change it.

5. Standards Compliance

5.1 Compliance Measurement

The InfoSec team will verify compliance with this policy through various methods, including but not limited to password cracking exercises, business tool reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions

Any exception to the policy must be approved by the InfoSec team in advance.

5.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.