Passwords are essential for authenticating individuals and, with that, for protecting data. It is extremely important that a password is difficult to guess or to generate. This policy defines the rules that apply to identity systems in order to protect your identity.
New / first password
A new password provided to a user is supposed to be a temporary password. Temporary passwords must always be updated by the user with a new password immediately after the first entry before any other system functionality can be used.
After a password reset, a new temporary password will be provided to a user. Temporary passwords must always be updated by the user with a new password immediately after the first entry before any other system functionality can be used.
A password must be at least 15 characters long.
A password must contain a combination of:
- lower case characters
- upper case characters
- digits
- special characters
At least three (3) of these four (4) character types must each appear at least one (1) time.
Passwords should expire every 180 days after the last change.
A new password may not be more than 80% similar to the previous one.
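The composition, similarity and expiry rules above can be enforced mechanically at password-change time. The following checker is an added example, not part of the policy text: it assumes digits as the fourth character class, uses difflib's SequenceMatcher ratio as the (otherwise undefined) similarity metric, and treats a password as expired once it is 180 days or older.

```python
"""Password-change checks for the policy rules above (added example, not policy text)."""
from datetime import date
from difflib import SequenceMatcher
from typing import List, Optional, Set
import string

MIN_LENGTH = 15          # at least 15 characters
MIN_CLASSES = 3          # three of the four character classes
MAX_SIMILARITY = 0.80    # new password may not be more than 80% similar to the previous one
MAX_AGE_DAYS = 180       # passwords expire 180 days after the last change

SPECIAL = set(string.punctuation)


def character_classes(password: str) -> Set[str]:
    """Return the names of the character classes present in the password.

    The policy names four classes but lists three; digits are assumed to be the fourth.
    """
    classes: Set[str] = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in SPECIAL:
            classes.add("special")
    return classes


def similarity(a: str, b: str) -> float:
    """Similarity ratio in [0, 1].

    The policy does not define its metric; SequenceMatcher's ratio (2 * matches / total
    length) is an assumption made for this example.
    """
    return SequenceMatcher(None, a, b).ratio()


def check_new_password(candidate: str, previous: Optional[str] = None) -> List[str]:
    """Return the rule names the candidate violates; an empty list means it is accepted."""
    violations: List[str] = []
    if len(candidate) < MIN_LENGTH:
        violations.append("length")
    if len(character_classes(candidate)) < MIN_CLASSES:
        violations.append("classes")
    if previous is not None and similarity(candidate, previous) > MAX_SIMILARITY:
        violations.append("similarity")
    return violations


def password_expired(last_changed: date, today: date) -> bool:
    """True once the password is MAX_AGE_DAYS or more old (the >= boundary is an assumption)."""
    return (today - last_changed).days >= MAX_AGE_DAYS


if __name__ == "__main__":
    # Constructed sample passwords; none of these are real credentials.
    old = "CorrectHorseBattery1!"
    for candidate in ("CorrectHorseBattery2!", "Short1!", "correcthorsebattery!!", "Xylophone#Quartz9-Moon"):
        print(f"{candidate!r}: violations={check_new_password(candidate, previous=old)}")
    print("expired:", password_expired(date(2024, 1, 1), date(2024, 6, 29)))
```

Run it directly to see each constructed candidate rejected for the rule it breaks; in a real system the previous password is available for the similarity comparison only at change time, because the user has just supplied it, and must not be retained afterwards.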
Whenever a password is communicated or persisted, meaning sent (in transit) or stored (at rest), it must be protected according to industry standards, the named standard being SHA-256. At rest, passwords are stored only as a one-way (non-reversible) hash; in transit, symmetric encryption is allowed.
It is explicitly forbidden to share passwords or to write them down unsecured.
After more than ten (10) failed attempts, the identity account must be locked out for a defined period. Preferably, the lockout period increases with each further failure.
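The lockout rule can be implemented as a per-account counter with an escalating lock duration. The code below is an added example, not part of the policy: it assumes a 60-second first lockout that doubles with each further failure and is capped at 24 hours, that failed attempts made while an account is locked are not counted, and that a successful login resets the counters. The clock is injectable so the behaviour can be tested without waiting.

```python
"""Account lockout with increasing lock periods (added example, not policy text)."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

MAX_FAILURES = 10            # lock once more than ten attempts have failed
BASE_LOCK_SECONDS = 60       # assumed first lockout period
MAX_LOCK_SECONDS = 24 * 3600 # assumed cap on the escalating period


@dataclass
class AccountState:
    failures: int = 0         # consecutive failed attempts since the last success
    lockouts: int = 0         # how many times this account has been locked
    locked_until: float = 0.0 # absolute time at which the current lock ends


class LockoutPolicy:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._accounts: Dict[str, AccountState] = {}

    def _state(self, account: str) -> AccountState:
        return self._accounts.setdefault(account, AccountState())

    def is_locked(self, account: str) -> bool:
        return self._clock() < self._state(account).locked_until

    def seconds_remaining(self, account: str) -> float:
        return max(0.0, self._state(account).locked_until - self._clock())

    def record_failure(self, account: str) -> Optional[int]:
        """Register a failed attempt.

        Returns the lock duration in seconds if this failure triggers a lockout, else None.
        Attempts against a locked account are refused upstream and are not counted here.
        """
        if self.is_locked(account):
            return None
        state = self._state(account)
        state.failures += 1
        if state.failures <= MAX_FAILURES:
            return None
        # More than ten failures: lock, doubling the period with each lockout.
        state.lockouts += 1
        duration = min(BASE_LOCK_SECONDS * 2 ** (state.lockouts - 1), MAX_LOCK_SECONDS)
        state.locked_until = self._clock() + duration
        return duration

    def record_success(self, account: str) -> None:
        """A successful login clears the failure history for the account."""
        self._accounts[account] = AccountState()


if __name__ == "__main__":
    # Constructed walk-through with a fake clock; "alice" is a made-up account name.
    now = [1_000.0]
    policy = LockoutPolicy(clock=lambda: now[0])
    for attempt in range(1, 13):
        result = policy.record_failure("alice")
        print(f"failure {attempt}: lock={result} locked={policy.is_locked('alice')}")
        if result:
            now[0] += result + 1  # wait out the lock before trying again
```

Detection note: each returned lock duration is a good point to emit an audit event, since a run of escalating lockouts on one account is the signal an identity team wants to alert on.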