Password Policy
1.0 Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in a compromise of LeapFinance’s entire network. As such, all LeapFinance employees (including contractors and vendors with access to LeapFinance systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their password.
2.0 Purpose
The purpose of this policy is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency of change.
3.0 Scope
The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any LeapFinance facility, has access to the LeapFinance network
4.0 General Policy
- All system-level passwords (e.g., root, enable, network administrator, application administration accounts, etc.) must be changed at least every 90 days.
- All production system-level passwords must be part of the Information Security Administration's global password management database.
- All user-level passwords (email, online, laptop computer, etc.) must be updated at least every 90 days and cannot be reused.
- Passwords must not be inserted into email messages or other forms of electronic communication.
- All user-level and system-level passwords must follow the rules outlined below.
5.0 Guidelines
Password Construction Requirements
- Be a minimum length of eight (8) characters on all systems.
- Not be a dictionary word or proper name.
- Not be the same as the User ID.
- Expire within a maximum of 90 calendar days.
- Not be identical to the previous ten (10) passwords.
- Not be transmitted in the clear or plaintext outside the secure location.
- Not be displayed when entered.
- Ensure passwords are only reset for authorized users.
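The construction requirements above are checkable at password-change time. The following is an added illustration, not code from LeapFinance's policy or systems; the dictionary set, the PBKDF2 history scheme, and the function names are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

MIN_LENGTH = 8        # "minimum length of eight (8) characters"
HISTORY_DEPTH = 10    # "not identical to the previous ten (10) passwords"
MAX_AGE_DAYS = 90     # "expire within a maximum of 90 calendar days"
ITERATIONS = 100_000  # PBKDF2 work factor (assumption for this example)

# Constructed stand-in for a real dictionary / proper-name list (assumption).
DICTIONARY = {"password", "welcome", "finance", "leapfinance", "summer", "michael"}


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 digest kept only for history comparison (assumed scheme)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def matches_history(password, history):
    """True if the candidate equals any of the last HISTORY_DEPTH stored passwords."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(password, user_id, history):
    """Return the list of violated construction rules; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if password.lower() in DICTIONARY:
        problems.append("dictionary word or proper name")
    if password.lower() == user_id.lower():
        problems.append("same as user ID")
    if matches_history(password, history):
        problems.append("identical to one of the previous 10 passwords")
    return problems


def is_expired(last_changed_iso, today_iso):
    """True once a password has reached the 90-day maximum age (ISO dates, e.g. 2024-01-01)."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age >= timedelta(days=MAX_AGE_DAYS)
```

Storing the history as salted digests rather than plaintext keeps the reuse check from itself becoming a store of unencrypted passwords, which the protection standards below forbid.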
Password Deletion
All passwords that are no longer needed must be deleted or disabled immediately. This includes, but is not limited to, the following:
- When a user retires, quits, is reassigned, released, dismissed, etc.
- Default passwords shall be changed immediately on all equipment.
- Contractor accounts, when no longer needed to perform their duties.
Password Protection Standards
Do not use your user ID as your password. Do not share LeapFinance passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, confidential LeapFinance information.
Here is a list of don'ts:
- Don't reveal a password over the phone to anyone.
- Don't reveal a password in an email message.
- Don't talk about a password in front of others.
- Don't hint at the format of a password (e.g., "my family name").
- Don't reveal a password on questionnaires or security forms.
- Don't share a password with family members.
- Don't reveal a password to a co-worker while on vacation.
- Don't use the "Remember Password" feature of applications.
- Don't write passwords down and store them anywhere in your office.
- Don't store passwords unencrypted in a file on any computer system.