Password Policy
Passwords are essential for authenticating individuals and, through that, for protecting data. It is therefore important that a password is hard to guess and hard to generate by brute force. This policy defines the rules that apply to identity systems in order to protect your identity.
New / first password
A new password issued to a user is a temporary password. The user must replace a temporary password with a new password of their own immediately after the first login, before any other system functionality can be used.
Password reset
After a password reset, the user receives a new temporary password. The user must replace it with a new password of their own immediately after the first login, before any other system functionality can be used.
Password length
A password must be at least 15 characters long.
Password complexity
A password must contain a combination of the following character types:
- lower case characters
- upper case characters
- numbers
- special characters
At least three (3) of the four (4) character types must each appear at least one (1) time.
Password expiration
Passwords expire 180 days after their last change.
Password similarity
A new password may not be more than 80% similar to the previous one.
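The length, complexity and similarity rules above can be enforced in a single validator at password-change time. The following Python is an added example written for this page; it is not part of the original policy or of any particular identity system. Two points are interpretations rather than policy text: "similar" is measured as the difflib.SequenceMatcher ratio (2 × matching characters / total characters), and any character that is not lower case, upper case or a digit counts as a special character. The similarity check needs the previous password in plaintext, which is available only at the moment the user changes it (they type the old one), because stored passwords are hashed and cannot be compared character by character afterwards.

```python
import difflib
from typing import List, Optional, Set

# Parameters taken from the policy text.
MIN_LENGTH = 15
REQUIRED_CLASSES = 3      # three of the four character classes must appear
MAX_SIMILARITY = 0.80     # a ratio above this rejects the new password


def character_classes(password: str) -> Set[str]:
    """Return which of the four classes (lower, upper, digit, special) appear."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            # Assumption: anything that is none of the above (punctuation, space,
            # symbols, caseless letters) counts as a special character.
            classes.add("special")
    return classes


def similarity(previous: str, new: str) -> float:
    """Similarity in [0, 1] as the difflib ratio: 2 * matching chars / total chars."""
    return difflib.SequenceMatcher(None, previous, new).ratio()


def validate_new_password(new: str, previous: Optional[str] = None) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    violations = []
    if len(new) < MIN_LENGTH:
        violations.append(f"length {len(new)} is below the minimum of {MIN_LENGTH}")
    classes = character_classes(new)
    if len(classes) < REQUIRED_CLASSES:
        violations.append(
            f"only {len(classes)} of 4 character classes used "
            f"({', '.join(sorted(classes))}); {REQUIRED_CLASSES} required"
        )
    if previous is not None:
        ratio = similarity(previous, new)
        if ratio > MAX_SIMILARITY:
            violations.append(
                f"{ratio:.0%} similar to the previous password; "
                f"at most {MAX_SIMILARITY:.0%} allowed"
            )
    return violations


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    cases = [
        ("Tr0ub4dor&3correct!", None),
        ("tooshort1!", None),
        ("allowercaseonlyhere", None),
        ("Tr0ub4dor&3correct!1", "Tr0ub4dor&3correct!"),
    ]
    for candidate, old in cases:
        result = validate_new_password(candidate, old)
        print(f"{candidate!r}: {'accepted' if not result else '; '.join(result)}")
```

The ratio catches the usual "append a digit" change: appending one character to a 19-character password gives 2 × 19 / 39 ≈ 97% similarity, and changing only the last character of "Password1" to "Password2" still scores 2 × 8 / 18 ≈ 89%, both above the 80% limit.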
Password Encryption
Whenever a password is communicated or persisted, meaning sent (in transit) or stored (at rest), it must be protected according to industry standards. At rest, passwords are never stored in plaintext or in reversibly encrypted form: they are hashed with a salted, deliberately slow password hashing function (for example PBKDF2-HMAC-SHA256, bcrypt, scrypt or Argon2). A single unsalted SHA-256 digest is not sufficient, because it can be brute-forced at very high speed. Hashing is a one-way operation and is not a form of encryption, asymmetric or otherwise. In transit, passwords are sent only over an encrypted channel such as TLS, which protects the session with symmetric encryption.
Password sharing
Sharing passwords, or writing them down unprotected, is explicitly forbidden.
Account lockout
After more than ten (10) failed attempts, the account must be locked out for a defined period. Preferably the lockout period increases with each further failure.
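The storage and lockout rules can be seen together in one authentication routine. The following Python is an added example for this page, not the policy's own code and not taken from any specific product. Passwords are stored as salted PBKDF2-HMAC-SHA256 records (one of the accepted constructions built on SHA-256) and verified with a constant-time comparison; an account locks on the eleventh consecutive failure for 60 seconds, and the period doubles with each further failure up to a cap of 24 hours. The iteration count (600,000, the figure OWASP currently recommends for PBKDF2-HMAC-SHA256), the base lockout period and the cap are assumptions chosen for illustration. The `now` parameter is injectable so the lockout behaviour can be exercised without waiting on the wall clock.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional

# Assumed parameters (not given by the policy text).
PBKDF2_ITERATIONS = 600_000        # OWASP's current PBKDF2-HMAC-SHA256 guidance
MAX_FAILURES = 10                  # policy: lock after more than ten tries
BASE_LOCKOUT_SECONDS = 60          # first lockout period
MAX_LOCKOUT_SECONDS = 24 * 60 * 60  # cap on the doubling


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing, salted PBKDF2-HMAC-SHA256 record for storage at rest.

    A fresh random salt per password means two users with the same password get
    different records and precomputed hash tables do not apply.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def lockout_seconds(failures: int) -> int:
    """No lockout up to MAX_FAILURES; afterwards 60 s, 120 s, 240 s, ... up to the cap."""
    excess = failures - MAX_FAILURES
    if excess <= 0:
        return 0
    return min(BASE_LOCKOUT_SECONDS * 2 ** (excess - 1), MAX_LOCKOUT_SECONDS)


@dataclass
class AccountState:
    password_hash: str
    failures: int = 0
    locked_until: float = 0.0


def attempt_login(state: AccountState, password: str, now: Optional[float] = None) -> bool:
    """One authentication attempt. `now` is injectable for tests; defaults to the wall clock."""
    if now is None:
        now = time.time()
    if now < state.locked_until:
        # Locked: refuse without checking the password, so an attacker cannot
        # keep testing candidates during the lockout window.
        return False
    if verify_password(password, state.password_hash):
        state.failures = 0
        state.locked_until = 0.0
        return True
    state.failures += 1
    delay = lockout_seconds(state.failures)
    if delay:
        state.locked_until = now + delay
    return False


if __name__ == "__main__":
    # Constructed demo credential, not a real one.
    record = hash_password("Tr0ub4dor&3correct!")
    print(record)
    account = AccountState(password_hash=record)
    # Attempts an hour apart, so each one is actually evaluated rather than refused as locked.
    for attempt in range(1, 14):
        attempt_login(account, "wrong-guess", now=attempt * 3600.0)
        print(f"failure {attempt}: lockout {lockout_seconds(account.failures)} s")
```

Because the record carries its own algorithm name and iteration count, the work factor can be raised later and old records re-hashed at the user's next successful login without a flag day.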