Password Management Standard
1. Purpose
All employees and personnel who have access to organisational computer systems must adhere to the password standard defined below to protect the security of the network, the integrity of data, and the computer systems themselves.
2. General Guidelines
Be cautious of attempts to "steal" your password. RFG's computing staff, including the IT Team, will never ask for your password (nor will any other legitimate person), so be wary of malicious emails, instant messages and chat messages that request your password, including via web links. This trick is known as "phishing" (i.e. password fishing). If you think your password may have been exposed, change it and inform IT.
3. Password Requirements
The following password requirements will be enforced by the IT department:
3.1. Password History: passwords must be unique and must not match any of the 9 previous passwords.
3.2. Length: passwords should be at least 9 characters long.
3.3. Complexity: passwords must be complex and include a combination of at least 3 of the following:
- Lowercase
- Uppercase
- Numbers
- Special characters such as "!@#$%^&*(){}[]"
3.4. Custom banned password list: a custom banned password list containing 1000 words has been implemented. The list is applied to all users when they change or reset their password.
4. Password Management
4.1. Change Frequency
Passwords will expire and must be changed every 30 days.
Maximum password age - set to 30 days
Minimum password age - set to 3 days
4.2. Account lockout
Account lockout duration - set to 0 minutes
Account lockout threshold - set to 5 invalid logon attempts
Reset account lockout counter after - set to 10 minutes
4.3. Password Protected Screensavers
Password protected screen savers should be enabled and should lock the computer within 5 minutes of user inactivity. Computers should not be left unattended with the user logged on and no password protected screen saver active. Users should be in the habit of locking their computers whenever they step away: press CTRL-ALT-DEL and select "Lock Computer".
5. Password Sharing and Security
5.1. Sharing
Never share passwords with colleagues, third-party service providers or anyone else. Each user should have a unique login credential.
5.2. Security
- Never write passwords down.
- Never send a password through email.
- Never include a password in a non-encrypted stored document.
- Never tell anyone your password.
- Never reveal your password over the telephone.
- Never reveal or hint at your password on a form on the internet.
- Never use the "Remember Password" feature of application programs such as Internet Explorer, your email program, or any other program.
- Never use your corporate or network password for an account on the internet that does not offer a secure login, i.e. where the web browser address starts with https:// rather than http://.
- Report any suspicion that your password has been compromised to IT.
- If anyone asks for your password, refer them to your IT helpdesk.
- Don't use common acronyms as part of your password.
- Don't use common words, or words spelled backwards, as part of your password.
- Don't use names of people or places as part of your password.
- Don't use part of your login name in your password.
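The following is an added example, not part of the standard or of RFG's own tooling: a Python checker that applies the section 3 requirements (history, length, complexity, banned list) together with the section 5.2 composition rules (no common or reversed words, no part of the login name). The short banned list is constructed, and treating any run of three or more characters from the login name as "part of" it is an assumption.

```python
import hashlib
import re

# Constructed sample of the banned list; the standard's real list holds 1000 words.
BANNED_WORDS = ("password", "welcome", "summer", "letmein")

# One pattern per character class named in section 3.3.
CHARACTER_CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "number": re.compile(r"[0-9]"),
    "special": re.compile(r"[!@#$%^&*(){}\[\]]"),
}

def password_hash(password):
    """Hash used so that password history is kept without storing plaintext
    (demo only; a directory service compares against its own credential hashes)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def contains_login_fragment(lowered_password, login_name, min_len=3):
    """Assumption: any run of 3+ characters of the login name counts as 'part of' it."""
    name = login_name.lower()
    windows = (name[i:i + min_len] for i in range(len(name) - min_len + 1))
    return any(w in lowered_password for w in windows)

def check_password(password, login_name, history_hashes=(), banned=BANNED_WORDS):
    """Return the list of rules the candidate violates; an empty list means accepted."""
    problems = []
    if password_hash(password) in history_hashes[-9:]:          # 3.1
        problems.append("3.1 history: matches one of the previous 9 passwords")
    if len(password) < 9:                                        # 3.2
        problems.append("3.2 length: fewer than 9 characters")
    present = sum(1 for rx in CHARACTER_CLASSES.values() if rx.search(password))
    if present < 3:                                              # 3.3
        problems.append(f"3.3 complexity: only {present} of 4 character classes")
    lowered = password.lower()
    for word in banned:                                          # 3.4 and 5.2
        # banned words are rejected both as written and spelled backwards
        if word in lowered or word[::-1] in lowered:
            problems.append(f"3.4/5.2 banned word (or its reverse): {word}")
    if contains_login_fragment(lowered, login_name):             # 5.2
        problems.append("5.2 contains part of the login name")
    return problems

if __name__ == "__main__":
    previous = [password_hash("OldPass#2023")]
    for candidate in ("Tr0ub4dor!x", "smithsummer", "Remmus#2024", "OldPass#2023"):
        print(candidate, check_password(candidate, "jsmith", previous) or "accepted")
```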
6. Standard Violations
Password security is critical to the security of the organization and of everyone in it; employees who do not adhere to this standard may therefore be subject to corrective action, which may include disciplinary proceedings.