This policy is written for the benefit of end users who bristle at the thought of setting a password more than once. Requiring periodic password changes is a “best practice”, and this policy gives you the governance teeth you need to enforce it.
Read on for excerpts from the actual policy:
This policy applies to all _COMPANY employees, contractors, and other authorized users of the corporate network who access information resources at or for _COMPANY.
The following rules define _COMPANY’s policy governing passwords issued to authorized users to access the corporate network:
- Users must change their passwords on a routine basis. For security purposes, users must change their passwords as often as required by _COMPANY management and by supporting standards and procedures.
- Users are responsible for ensuring passwords remain confidential and under their control.
- Users must not post or write passwords where others can see them.
- Passwords must be changed every _90 days or whenever the confidentiality of the password has been compromised.
- Enforcement of password policies will be automated. At such a time as directed by _COMPANY management, the IT Department will utilize system policies to require users to change passwords on a regular basis and to create new passwords that conform to published standards.
A valid password must:
- Not be the same as or too similar to your most recent _12 passwords
- Be at least _8 characters long
- Contain at least _1 lowercase letter, _1 uppercase letter, _1 number, and _1 special character