Password Policy and Best Practices
This policy establishes a standard for the creation of strong passwords, the storage and protection of those passwords, and the frequency of change. The scope of this policy includes all individuals who have access to, or are responsible for an account, with any form of access requiring a password on any managed system or network, and residing at any facility used by Collabrance, or any of MSPs working with us.
Requirements
- All user accounts must have a password
- Passwords must:
- Be a minimum length of nine (9) characters on all systems
- Be changed every 90 days at a minimum
- Lockout the user after 7 failed attempts
- Meet complexity requirements (3 of the 4: upper case, lower case, number, special characters)
- Collabrance and Dealers should have their own administrative accounts for each domain with passwords that are not shared
General Policy
- Consideration should be made to change all system-level passwords (e.g., svcremoteadmin, admin, root, enable, etc.) at least every 90 days.
- All user-level passwords for any systems, networks or services (eg., Hosted E-Mail, website access, desktop computer both domain and local access, etc.) should be changed at least every 90 days and should not be repeated regularly.
- User accounts with access to elevated privileges should have unique passwords. The password should be different from all other accounts held by the user.
- Passwords must not be inserted into email messages, or other forms of electronic communication.
Best Practices
Password Creation Recommendations
Passwords should:
- Not be a dictionary word or proper name
- Not be the same as the User ID.
- Expire within a maximum of 90 calendar days
- Not be regularly repeated (do not allow repeated passwords over 3+ expirations or changes)
- Not be transmitted via electronic communication
- Not be transmitted in clear or plaintext (unencrypted) outside the secure location
- Not be displayed when entered.
- Ensure passwords are only reset for authorized user
- Meet complexity requirements. (Contain 3 of the following 4 types of characters: Uppercase, lowercase, number, symbol)
Password or Account Removal
All passwords or accounts no longer needed should be deleted, or disabled as soon as possible. This includes, but is not limited to, the following:
- When a user retires, quits, is reassigned, released, dismissed, etc.
- Default passwords on all equipment, applications, or systems
- Contractor accounts, when no longer needed to perform their duties
When a password is no longer needed, the following procedures should be followed:
- Employee should notify his or her immediate supervisor
- Contractor should inform his or her contact or project supervisor
- Service Desk should be notified
- Service Desk will then delete or change the user’s password
- Service Desk will delete or suspend the user’s account when required
Password and Account Protection
Passwords should not be shared with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive and confidential information.
If someone demands a password be given or changed without verifying who they are, have them contact an authorized Subscriber or Dealer contact to authorize the release or change.
If an account or password is suspected to have been compromised, report the incident immediately so all passwords can be changed.
To keep the environment secure, the following should not be done:
- Discuss or reveal a password over the phone without verifying identity
- Give out a password in any form of electronic messaging
- Discuss or reveal a password to the boss, co-workers, or family members
- Discuss or reveal the format of a password (e.g., “my family name”)
- Reveal a password on questionnaires or security forms
- Talk about passwords in front of others
- Use the "Remember Password" feature of applications
- Write passwords down and store them anywhere in your office
- Store passwords in a file on ANY computer system unencrypted
Remote Access Users
Access to any systems, applications, or networks via remote access should be controlled by using either a Virtual Private Network (VPN) with strong encryption, in which user id and password are required, or using some form of advanced authentication (i.e., Biometrics, Tokens, Public Key Infrastructure (PKI), Certificates, etc.).
** Disclaimer: Service Providers must comply with identified Collabrance Requirements in order for items referenced in our Service Catalog to perform properly. **