Password Policy
Usernames and passwords are used in Externis to control access to Externis IT resources. They also protect Externis data from access by unauthorized individuals, both internal and external.
This policy applies to all Externis employees or third parties who are issued with usernames and passwords for any Externis IT system or device.
This policy applies to all username and password pairs on all devices, systems and applications that are part of the Externis network that provide access to Externis owned information.
Issue of accounts and passwords
All system and application accounts and passwords must be issued by IT Services. Once a password has been issued, full responsibility for that account and its associated password passes to the user.
Password Sharing Prohibition
Passwords must not be written down and left in a place where unauthorized persons might discover them.
Password Changes
Password changes must only be made when requested in person by the appropriate individual or when requested by a trusted party as defined by IT Services. No exceptions to this policy are allowed.
Minimum Password Length
The length of passwords must always be checked automatically at the time that users construct or select them. All IT systems must require passwords of at least eight (8) characters.
Complex Passwords Required
All computer system users must choose passwords that cannot be easily guessed. This means that passwords must not be a word found in the dictionary or any other recognizable word. For example, proper names, place names, etc. must not be used.
Cyclical Passwords Prohibited
Users must not construct passwords using a basic sequence of characters that is then partially changed based on the date or some other predictable factor. For example, users must not employ passwords like "JANUARY" in January, "FEBRUARY" in February, etc.
User-Chosen Passwords Must Not Be Reused
Users must not construct passwords that are identical or substantially similar to passwords that they had previously employed.
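As an added illustration of how the length, complexity, cyclical and reuse rules above can be enforced automatically at the time a user selects a password (this is example code, not Externis's own tooling; the sample word list and the 0.8 similarity threshold are assumptions):

```python
import difflib
import re

# Constructed sample word list standing in for a real dictionary; a deployment
# would load a full word list (assumption, e.g. /usr/share/dict/words).
DICTIONARY = {"password", "welcome", "summer", "london", "michael", "externis"}

MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}

MIN_LENGTH = 8          # policy: at least eight (8) characters
MAX_SIMILARITY = 0.8    # assumption: ratio at or above this is "substantially similar"


def check_password(candidate, previous=None):
    """Return the list of policy violations for a proposed password (empty = accepted).

    `previous` is the user's current password, supplied only at change time so
    the reuse rule can be checked; this function never stores it.
    """
    violations = []
    lowered = candidate.lower()

    # Minimum Password Length: checked automatically when the password is chosen.
    if len(candidate) < MIN_LENGTH:
        violations.append("shorter than %d characters" % MIN_LENGTH)

    # Complex Passwords Required: no dictionary words, names or places.
    # Digits and punctuation are stripped so "London2024!" is still caught as "london".
    core = re.sub(r"[^a-z]", "", lowered)
    if core in DICTIONARY:
        violations.append("dictionary word, name or place")

    # Cyclical Passwords Prohibited: month names, or a year appended to a base
    # word, are predictable and rejected.
    if core in MONTHS or re.search(r"(19|20)\d{2}\W*$", candidate):
        violations.append("predictable date-based pattern")

    # User-Chosen Passwords Must Not Be Reused: identical or near-identical to
    # the previous password, measured by a case-insensitive similarity ratio.
    if previous is not None:
        ratio = difflib.SequenceMatcher(None, lowered, previous.lower()).ratio()
        if ratio >= MAX_SIMILARITY:
            violations.append("too similar to previous password")

    return violations
```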
Password Ageing
Passwords should be changed periodically. Network managers, system administrators or application administrators should select an appropriate time frame for changing passwords.
System Compromise
Whenever an unauthorized party has compromised a system, IT Services must immediately change every password on the involved system. Even suspicion of a compromise likewise requires that all passwords be changed immediately. Under either of these circumstances, a trusted version of the operating system and all security-related software must also be reloaded. Similarly, under either of these circumstances, all recent changes to user and system privileges must be reviewed for unauthorized modifications.
Storage of Passwords in Readable Form
Passwords must not be stored in readable form in batch files, automatic login scripts, software macros, terminal function keys, in computers without access control, or in other locations where unauthorized persons might discover them.
Changing Vendor Default Passwords
All vendor-supplied default passwords (default passwords supplied with routers, switches or software such as operating systems and databases) must be changed before any computer or communications system is used.
Encryption
Passwords must always be encrypted when held in storage for any significant period of time or when transmitted over a communications system.
Misuse of Passwords
Any abuse of passwords must be reported to IT Services, who will advise on what follow-up action to take. Passwords must always be changed if it is known or suspected that another person has become aware of the password. Where a third party is found in possession of a user's password, that account will be disabled. In this situation the valid user should report this to IT Services.