Password & Authentication Policy
| Property | Value |
|---|---|
| Document ID | POL-003 |
| Version | 1.0 |
| Status | Draft |
| Owner | Chief Information Security Officer (CISO) |
| Last Updated | 2026-01-11 |
| Next Review | 2027-01-11 |
| Related Controls | SOC 2: CC6.1, CC6.6 / ISO 27001: A.9.2, A.9.3, A.9.4 |
1. Purpose
This policy establishes requirements for authentication mechanisms, password standards, and credential management to ensure secure access to organizational systems and protect against unauthorized access.
2. Scope
This policy applies to:
- Users: All employees, contractors, and third parties with system access
- Systems: All applications, services, and infrastructure requiring authentication
- Credentials: Passwords, passphrases, API keys, tokens, certificates, and biometrics
- Authentication Methods: Single-factor, multi-factor, and passwordless authentication
3. Policy Statements
3.1 Password Requirements
All passwords must meet the following minimum requirements:
| Requirement | Standard |
|---|---|
| Minimum Length | 12 characters (14+ for privileged accounts) |
| Complexity | At least 3 of 4: uppercase, lowercase, numbers, special characters |
| Maximum Age | 365 days (90 days for privileged accounts) |
| History | Cannot reuse last 12 passwords |
| Lockout Threshold | 5 failed attempts |
| Lockout Duration | 30 minutes (or until admin unlock) |
3.2 Password Prohibitions
The following are prohibited:
- Passwords based on dictionary words without modification
- Passwords containing username, email, or personal information
- Passwords shared between work and personal accounts
- Passwords stored in plaintext (files, emails, sticky notes)
- Passwords transmitted via unencrypted channels
- Default or vendor-supplied passwords
- Shared passwords between individuals
3.3 Multi-Factor Authentication (MFA)
MFA is required for:
| System/Access Type | MFA Requirement |
|---|---|
| All user accounts | Required |
| Privileged/admin accounts | Required (phishing-resistant preferred) |
| Remote access (VPN/ZTNA) | Required |
| Cloud console access (AWS, GCP, Azure) | Required |
| Source code repositories | Required |
| Production systems | Required |
| Email access | Required |
| Financial systems | Required |
Approved MFA Methods (in order of preference)
- Phishing-Resistant (Preferred)
  - Hardware security keys (FIDO2/WebAuthn)
  - Platform authenticators (Windows Hello, Touch ID, Face ID)
- Time-Based OTP (Acceptable)
  - Authenticator apps (Google Authenticator, Microsoft Authenticator, Authy)
  - Hardware OTP tokens
- Push Notifications (Acceptable with number matching)
  - Push notifications with number matching enabled
- SMS/Voice (Not Recommended - legacy systems only)
  - SMS codes (only where no alternative exists)
3.4 Password Storage and Transmission
| Requirement | Standard |
|---|---|
| Storage (systems) | Hashed with bcrypt, Argon2, or PBKDF2 (minimum 100,000 iterations) |
| Storage (users) | Approved password manager only |
| Transmission | TLS 1.2+ encryption required |
| Secrets Management | Vault or secrets manager for application credentials |
3.5 Password Manager Requirements
All users are required to use an approved password manager:
- Company-provided password manager account
- Unique, strong master password (16+ characters)
- MFA enabled on password manager
- No browser password storage (disable autofill for passwords)
- No local unencrypted password storage
3.6 Service Account and API Key Management
| Requirement | Standard |
|---|---|
| Naming Convention | svc-[application]-[environment] |
| Documentation | Owner, purpose, and access documented |
| Rotation | Minimum annually (90 days for high-risk) |
| Storage | Secrets vault (never in code or configs) |
| Monitoring | Usage logged and reviewed quarterly |
| Permissions | Least privilege; no interactive login |
3.7 Session Management
| Setting | Requirement |
|---|---|
| Session Timeout (idle) | 15 minutes for sensitive systems; 30 minutes standard |
| Absolute Timeout | 8-12 hours maximum session duration |
| Concurrent Sessions | Limit based on role; alert on anomalies |
| Session Termination | Logout invalidates session immediately |
| Re-authentication | Required for sensitive operations |
3.8 Account Recovery
Password reset and account recovery must:
- Verify identity through established process (not just email)
- Use time-limited, single-use tokens
- Require MFA re-enrollment if MFA device is lost
- Generate audit log entry
- Notify user of password change via separate channel
4. Roles and Responsibilities
| Role | Responsibilities |
|---|---|
| CISO / Security Lead | Define authentication standards, approve exceptions |
| IT Operations | Implement authentication systems, manage password policies |
| Identity Team | Manage IdP, MFA enrollment, password resets |
| Application Owners | Ensure applications meet authentication requirements |
| Users | Create strong passwords, protect credentials, enroll in MFA |
5. Implementation Checklist
Technical Controls
- Password policy enforced in identity provider (IdP)
- MFA enabled for all users and enforced at IdP level
- Phishing-resistant MFA available (FIDO2/WebAuthn)
- Password manager deployed to all users
- Session timeout configured across applications
- Account lockout configured (5 attempts, 30 minutes)
- Password history enforcement (12 passwords)
- Secrets vault implemented for service accounts
- Password breach detection enabled (HaveIBeenPwned integration)
Process Controls
- Password reset procedure documented
- MFA enrollment procedure documented
- Lost MFA device procedure documented
- Service account inventory maintained
- API key rotation schedule established
6. Evidence Requirements
| Evidence Type | Description | Location | Retention |
|---|---|---|---|
| IdP Configuration | Screenshots of password policy settings | Document repository | Current + 1 year |
| MFA Enrollment Report | List of users with MFA enabled | IdP export | Current |
| Password Policy Settings | Technical configuration exports | Config repository | Current + 1 year |
| Service Account Inventory | List of service accounts with owners | Asset inventory | Current |
| Password Manager Deployment | User enrollment in password manager | Admin console | Current |
| Failed Login Reports | Reports on lockouts and failed attempts | SIEM/IdP logs | 90 days |
7. Related Documents
- Access Control Policy (POL-002)
- MFA Configuration Procedure (PROC-002)
- Encryption & Key Management Policy (POL-004)
8. Exceptions
Exceptions to MFA or password requirements are:
- Strongly discouraged and require executive approval
- Time-limited (maximum 90 days)
- Documented with compensating controls
- Subject to enhanced monitoring
9. Version History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2026-01-11 | Security Team | Initial release |
10. Approval
| Role | Name | Signature | Date |
|---|---|---|---|
| CISO | _________________ | _________________ | ________ |
| IT Director | _________________ | _________________ | ________ |
This document is classified as INTERNAL. Unauthorized distribution is prohibited.