Password Management Policy

Description

This policy is written for the benefit of end users who bristle at the thought of setting a password on more than a once-only basis. Requiring periodic password changes is a “best practice” and this policy gives you the governance teeth you need to enforce the policy.

Read on for excerts from the actual policy:

Scope

This policy applies to all _COMPANY employees, contractors, and other authorized users of the corporate network who access information resources at or for _COMPANY.

Policy

The following rules define _COMPANY’s policy governing passwords issued to authorized users to access the corporate network:

1. Users must change their passwords on a routine basis.  For security purposes, users must change their passwords as often as required by _COMPANY management and by supporting standards and procedures.
2. Users responsible for ensuring passwords remain confidential and under their control.
3. Users must not post or write passwords where others can see them.
4. Passwords must be changed every _90 days or whenever the confidentiality of the password has been compromised.
5. Enforcement of password policies will be automated.  At such a time as directed by _COMPANY management, the IT Department will utilize system policies to require users to change passwords on a regular basis and to create new passwords that conform to published standards.

Password Standard

A valid password must:
Not be the same as or too similar to your most recent _12 passwords
Be at least _8 characters long
Contain at least _1 lower case letter, _1 uppercase letter, _1 number, _1 special character