Policy Owner: Managing Director

...

  • 16 or more characters, including one uppercase letter, one lowercase letter, a special character, and a number

  • Systems shall be configured to remember the last 16 passwords used and prohibit their reuse.

  • Accounts shall be locked out after 6 failed login attempts

  • Passwords shall expire after 90 days

  • Initial passwords must be set to a unique value and changed after the first login

  • For manual password resets, a user’s identity must be verified prior to changing passwords

  • Do not limit the permitted characters that can be used

  • Do not limit the length of the password to anything below 64 characters

  • Do not use secret questions (place of birth, etc.) as the sole password reset requirement

  • Require email verification of a password change request

  • Require the current password in addition to the new password during password change

  • Verify newly created passwords against common-password lists or leaked-password databases

  • Check existing user passwords for compromise regularly

  • Store passwords in a hashed and salted format using a memory-hard or CPU-hard one-way hash function

  • Enforce appropriate account lockout and brute-force protection on account access
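The following is an added example, not part of the policy or any system it governs, of how the password requirements above can be enforced in code: minimum length of 16, no cap below 64, the four character classes, no reuse of the last 16 passwords, a check against a breached-password list, and salted storage with a memory-hard hash. The breached-password set is a constructed stand-in for a real leaked-password database, the 128-character upper bound and the scrypt cost parameters are assumptions, and scrypt is used as the memory-hard function because it ships with Python's standard library.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 16      # policy: 16 or more characters
MAX_LENGTH = 128     # assumption: an upper bound chosen above the policy's 64-character floor
HISTORY_DEPTH = 16   # policy: the last 16 passwords may not be reused

# Constructed sample standing in for a leaked-passwords database.
BREACHED_PASSWORDS = {"Password123!Password123!", "Welcome2Company!2024"}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted scrypt digest (memory-hard). Cost parameters are an assumption."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)

def has_required_classes(password: str) -> bool:
    """Uppercase, lowercase, digit and one non-alphanumeric character.
    Any character is permitted; the policy only requires these four classes."""
    return (any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))

def validate_new_password(candidate: str, history: list) -> list:
    """Return the list of policy violations (empty when the password is acceptable).
    history: (salt, digest) pairs of previous passwords, most recent first."""
    errors = []
    if len(candidate) < MIN_LENGTH:
        errors.append("shorter than 16 characters")
    if len(candidate) > MAX_LENGTH:
        errors.append("longer than the accepted maximum")
    if not has_required_classes(candidate):
        errors.append("missing a required character class")
    if candidate in BREACHED_PASSWORDS:
        errors.append("found in breached-password list")
    # Compare against the last 16 stored digests using each entry's own salt.
    for salt, digest in history[:HISTORY_DEPTH]:
        if hmac.compare_digest(hash_password(candidate, salt), digest):
            errors.append("reuses one of the last 16 passwords")
            break
    return errors

def store_password(password: str, history: list) -> list:
    """Prepend the new salted digest and trim the history to the policy depth."""
    salt = os.urandom(16)
    return [(salt, hash_password(password, salt))] + history[:HISTORY_DEPTH - 1]
```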

System and Application Access

...

Version  Date        Description    Author          Approved by
1.0      2023-03-21  First Version  Ryan Heathcote  Luke Rettstatt
2.0      2024-07-05  Annual Review  Ryan Heathcote  Luke Rettstatt

...