Password and authentication policy

Password management

Proper password creation and management is a responsibility for everyone in the organisation.

All passwords should be stored in the company provided password manager, and filed appropriately.

Any password that cannot be stored in your password manager, for example the master password to the password manager itself, must be a minimum of 12 characters long, with a best practice length of 32 or more.

The most important factor in password strength is its length. You can also use multiple character sets, for example numbers and special characters, to further increase its strength.

Default passwords

When a new device or service is configured (or an existing device is reset) it may have a password determined by the provider. This password must be changed immediately, following the guidelines below, before the device or service can be put into use. This includes, but is not limited to: laptops, servers, tablets, phones and online accounts.

Password re-use

Passwords must not be re-used across user accounts or services. Exceptions to this can only be made with a Director's approval, and no exceptions will be made for accounts that give access to private data or administrative rights.

Choosing passwords

Manual password creation

Creating an easy-to-remember but secure password is best done by using the NCSC-advised technique of three (or more) unrelated words - not quotes or song lyrics. This is famously illustrated by the web comic XKCD with the password "correct horse battery staple". If possible, you can then add a few capital letters, special characters and numbers to the password.

Automatic password creation

Any password that can be stored in the password manager can be easily generated using its built-in generator. Set the generator to 32 characters and to include all character sets. This will generate a highly random password.

Compromised passwords

If you have any reason to suspect a password may have been exposed or otherwise compromised, you must change it immediately to a new one following the guidelines above. You must also report the incident to your line manager so that it can be investigated, the risk to company and client data evaluated, and further action taken as needed.

If the password in question relates to a firewall or other infrastructure service or device, you must submit the request to change the password to the Helpdesk for approval and actioning.

Multi-factor authentication (MFA)

Also commonly referred to as two-factor authentication (2FA), MFA is when a secondary security challenge is presented after the password is entered.

MFA must be enabled, and enforced where possible, for every login used. Acceptable MFA methods, in order of preference, are: hardware keys, app-based TOTP, push notifications, email and SMS.

All administrative accounts must have MFA enabled on them.