centrexIT Knowledge Center

CentrexIT Password & Account Management

KB00018669
Josh Hohbein | Standard | 1 min read
Published by Mike Hicks | v4.0
Published May 14, 2025 | Expires Jan 9, 2027

Password & Account Management is needed to establish clear requirements for creating and managing passwords and accounts, including requirements for complexity, length and account security. By implementing this Standard, organizations can significantly reduce the risk of a data breach or security incident caused by weak passwords and account management practices.



  • Failure to follow the password standard can lead to compromised accounts and an increased risk of a cyber-attack on a company’s environment.

  • Blacklisting and monitoring may require additional licensing or third-party solutions.

  • QA/Audit Procedure (TBD)

  • Accounts that cannot comply with this Standard will be registered in cIT’s CSOC Risk Registry.


  • This Standard is a requirement for all cIT staff. Failure to adhere to this Standard may result in disciplinary action.

  • Applicability:

      • End-User/Staff Passwords & Accounts

      • Client Managed Accounts

      • Administrative Accounts

      • Credential Controls & Monitoring (Implementation TBD)


  • Incident Response

      • If there is evidence of, or a suspected, compromise of a password or an account, you must follow cIT’s Incident Response Process KB00003848 [retired].

  • Password Management (All Account Types)

      • Length: Passwords will have a minimum length of 8 characters for an account with MFA and 14 characters for a password-only account.

      • Complexity: Passwords will be composed of a mix of uppercase and lowercase letters, numbers, and special characters: at least 1 capital, 1 lowercase, 1 number and 1 special character. Passwords for Administrative or Service Accounts will be randomly generated using 1Password or another password generation tool.

      • Blacklist: Passwords will not contain common or easily guessable phrases, such as “password” or “123456”, and will not be based on personal information like names or birthdates.

      • Cyclical Passwords: Users are prohibited from constructing passwords by combining a fixed set of characters that does not change with a set of characters that changes predictably. In these prohibited passwords, the characters that change are typically based on the month, a department, a project, or some other easily guessed factor.

          • For example, users must not employ passwords like “X34JAN” in January, “X34FEB” in February, etc.

      • Password Storage: Any password, if stored, must only be stored in 1Password. It is prohibited to store passwords in any other system.

      • Password Sharing Prohibition: Regardless of the circumstances, passwords must never be shared or revealed to anyone other than the authorized user.

      • Display and Printing of Passwords: The display and printing of passwords will be masked, suppressed, or otherwise obscured so that unauthorized parties will not be able to observe or subsequently recover them. This includes, but is not limited to, passwords written on a piece of paper, whether or not the paper is kept in a supposedly secure location (under the keyboard, inside a drawer, in a purse or wallet, etc.).

      • Encryption of Passwords: Passwords must always be encrypted (never in clear text) when held in storage for any period of time (backup media, batch files, automatic log-in scripts, software macros, etc.) or when transmitted over networks.

      • Protection of Passwords Sent Through the Mail: If sent by regular mail, e-mail or similar physical distribution systems, passwords must be sent separately from user-IDs. These mailings must have no markings indicating the nature of the enclosure. Passwords must also be concealed inside an opaque envelope that will readily reveal tampering.

      • Password for personal use only: Users are responsible for all activity performed with their personal user-IDs. User-IDs may not be utilized by anyone but the individuals to whom they have been issued. Users must not allow others to perform any activity with their user-IDs. Similarly, users are forbidden from performing any activity with IDs belonging to other users.
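The length, complexity, blacklist and cyclical-password rules above are precise enough to check mechanically. The following is an added example of such a checker, written for this page; it is not cIT's own tooling. The thresholds and character classes come from the Standard; the blacklist contents, the function names and the way a "predictably changing" part (month name, quarter, digit run) is recognised are assumptions made for illustration.

```python
"""Checks a candidate password against the Password Management rules above.
Added example; not cIT tooling. The length, character-class and cyclical
rules are the Standard's; the blacklist contents and the way a "predictably
changing" part is recognised are assumptions made for illustration."""
import re
import string
from dataclasses import dataclass, field
from typing import Iterable, List

# Constructed sample blacklist. A real deployment would feed in a breached-password list.
BLACKLIST = ("password", "123456", "qwerty", "letmein", "welcome")
SPECIALS = set(string.punctuation)

# Parts that "predictably change": month names, quarters and digit runs (years, counters).
# Heuristic assumption: longest month spellings first so "december" is not left as "ember".
_MONTH = (r"(?:january|february|march|april|june|july|august|september|october|"
          r"november|december|jan|feb|mar|apr|may|jun|jul|aug|sept|sep|oct|nov|dec)")
_VARIABLE = re.compile(_MONTH + r"|q[1-4]|\d+")
_MONTH_AT_EDGE = re.compile(r"^" + _MONTH + r"|" + _MONTH + r"\d{0,4}$")


@dataclass
class PolicyResult:
    ok: bool
    violations: List[str] = field(default_factory=list)


def fixed_stem(password: str) -> str:
    """Remove the predictably changing parts so every password in one
    cycle ("X34JAN", "X34FEB", ...) collapses to the same fixed stem ("x")."""
    return _VARIABLE.sub("", password.lower())


def check_password(password: str, mfa_enabled: bool,
                   personal_info: Iterable[str] = (),
                   previous_passwords: Iterable[str] = ()) -> PolicyResult:
    low = password.lower()
    v: List[str] = []

    # Length: 8 with MFA, 14 for a password-only account.
    minimum = 8 if mfa_enabled else 14
    if len(password) < minimum:
        v.append(f"length {len(password)} is below the minimum of {minimum}")

    # Complexity: one of each character class.
    if not any(c.isupper() for c in password):
        v.append("missing uppercase letter")
    if not any(c.islower() for c in password):
        v.append("missing lowercase letter")
    if not any(c.isdigit() for c in password):
        v.append("missing digit")
    if not any(c in SPECIALS for c in password):
        v.append("missing special character")

    # Blacklist: common phrases and caller-supplied personal information (names, birthdates).
    for phrase in BLACKLIST:
        if phrase in low:
            v.append(f"contains common phrase {phrase!r}")
    for item in personal_info:
        s = str(item).lower()
        if len(s) >= 3 and s in low:
            v.append(f"contains personal information {item!r}")

    # Cyclical: a month token at either edge, or the same fixed stem as an earlier password.
    if _MONTH_AT_EDGE.search(low):
        v.append("cyclical: month token at the start or end of the password")
    stem = fixed_stem(password)
    for old in previous_passwords:
        if stem and old.lower() != low and fixed_stem(old) == stem:
            v.append("cyclical: same fixed stem as a previous password")
            break

    return PolicyResult(ok=not v, violations=v)


if __name__ == "__main__":
    for pw, mfa in (("X34JAN", True), ("Tr0ub4dor&3", True), ("Tr0ub4dor&3", False)):
        r = check_password(pw, mfa)
        print(f"{pw!r} (MFA={mfa}): {'OK' if r.ok else '; '.join(r.violations)}")
```

The stem comparison is what catches the "X34JAN"/"X34FEB" pattern from the Standard: both collapse to "x", so a new password that only rotates the changing part is rejected even though it differs from the previous one. Personal information is supplied by the caller (for example from the HR record) rather than guessed by the checker.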

  • Client & External Account and Password Management

      • Management of client passwords: When obtaining a client’s passwords, the password must be transmitted in an encrypted manner, for example in an encrypted email. Passwords must not be obtained on a piece of paper, post-it notes, unencrypted email, or an unencrypted document or file. Passwords will only be available to the owners, administrators or any individual who is explicitly authorized. If unsure about providing passwords, clear it with your manager first.

      • When providing a new or reset password to a user, ensure the user is required to change the password on next login.

      • If a password has been obtained during the course of an incident or request, the password will be reset immediately afterwards by the user, or the account will be set to require a password change on next login.

      • Changing Vendor Default Passwords: All vendor-supplied default passwords must be changed before the system is used for business operations.

      • External Accounts (websites, portals, social networking): Create a shared mailbox with a unique name to be used for these accounts; each website or external service will have a unique password, documented in 1Password.

          • Example: itsupport@client.com would be forwarded to the client’s IT admin mailbox, to cIT SR, or to whatever mailbox is normally used for managing the client’s environment.

  • Administrator & Service Accounts

      • Administrator account names: Administrator account names must be unique; default or shared names like administrator, admin, ctac or centrexadmin must not be used.

      • Default Admin accounts: Default admin accounts must be disabled when possible. If not possible, change the password to a very strong, complex password and store it in 1Password.

      • MFA: Administrator accounts are required to use MFA where supported by the system.

      • Service accounts: Service accounts must have a unique username for each service, and their passwords are set once and then left unchanged (“set and forget”). Names must be unique across all clients. The account description must be updated with the service or purpose of the account, and the account must be documented in Connectwise or Dreamtsoft.

      • Network equipment credentials: Usernames can be shared across a client’s network devices, but each device needs a unique password (the enable password must differ from the initial login password).

      • Email Services: Domain & Global Admin accounts will not have mailboxes or use email services. Admin accounts with email services will be tracked in cIT’s CSOC Risk Registry for remediation planning.

  • Credential Controls & Monitoring

      • Password expiration: Passwords expire after one year and will be changed immediately when there is any indication of a possible compromise.

      • Account lockout: Temporary account lockout of 15 minutes after 5 consecutive failed attempts, and a permanent account lockout (IT reset required) after 10 consecutive failed attempts.

      • Monitor Failed Login Attempts: Alert key personnel when the failed-login limit above is reached.

      • Suspend Accounts on Non-Use: Automatically suspend the account after 45 days without a valid login.

      • Session Lock When Idle: Set the system to lock after no more than 15 minutes of no user activity.
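The lockout, failed-login alerting and non-use suspension rules above form one small state machine per account. The following is an added example that replays constructed authentication log lines through that state machine; it is not cIT's monitoring tooling, and the log line format, user names and timestamps are invented for the demonstration. One detail the Standard leaves open is assumed here: failed attempts made while the 15-minute temporary lockout is in force still count toward the 10-attempt permanent lockout, and the consecutive-failure counter is only reset by a successful login.

```python
"""Replays authentication log lines against the Credential Controls above:
5 consecutive failures -> 15-minute lockout plus alert, 10 -> permanent lockout
(IT reset) plus alert, and 45 days without a valid login -> suspension.
Added example; not cIT tooling. The log line format is constructed, and the
Standard does not say whether attempts made during the temporary lockout still
count toward the permanent threshold; this code assumes they do."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

SOFT_LOCK_THRESHOLD = 5
SOFT_LOCK_DURATION = timedelta(minutes=15)
HARD_LOCK_THRESHOLD = 10
INACTIVITY_LIMIT = timedelta(days=45)

# Constructed log format: "<ISO timestamp> user=<name> result=SUCCESS|FAIL"
LOG_LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$")


@dataclass
class AccountState:
    consecutive_failures: int = 0
    locked_until: Optional[datetime] = None   # temporary lockout expiry
    hard_locked: bool = False                 # permanent lockout, cleared only by IT
    last_valid_login: Optional[datetime] = None

    def is_locked(self, now: datetime) -> bool:
        return self.hard_locked or (self.locked_until is not None and now < self.locked_until)


@dataclass
class Monitor:
    accounts: Dict[str, AccountState] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)   # what "key personnel" would receive

    def ingest(self, line: str) -> str:
        """Apply one log line and return the outcome for that attempt."""
        m = LOG_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable log line: {line!r}")
        ts, user = datetime.fromisoformat(m["ts"]), m["user"]
        st = self.accounts.setdefault(user, AccountState())

        if m["result"] == "SUCCESS":
            if st.is_locked(ts):
                return "rejected-locked"      # correct password, but the account is locked
            st.consecutive_failures = 0       # a valid login ends the failure run
            st.locked_until = None
            st.last_valid_login = ts
            return "accepted"

        st.consecutive_failures += 1
        if st.consecutive_failures == HARD_LOCK_THRESHOLD:
            st.hard_locked = True
            self.alerts.append(f"{user}: permanent lockout after {HARD_LOCK_THRESHOLD} "
                               f"consecutive failures at {ts.isoformat()} (IT reset required)")
            return "hard-locked"
        if st.consecutive_failures == SOFT_LOCK_THRESHOLD:
            st.locked_until = ts + SOFT_LOCK_DURATION
            self.alerts.append(f"{user}: temporary lockout until {st.locked_until.isoformat()} "
                               f"after {SOFT_LOCK_THRESHOLD} consecutive failures")
            return "soft-locked"
        return "rejected-locked" if st.is_locked(ts) else "failed"

    def inactive_accounts(self, now: datetime) -> List[str]:
        """Accounts to suspend: no valid login for more than 45 days.
        Accounts with no recorded login at all are out of scope of this sample."""
        return sorted(u for u, st in self.accounts.items()
                      if st.last_valid_login is not None
                      and now - st.last_valid_login > INACTIVITY_LIMIT)


def replay(lines: List[str]) -> Tuple[Monitor, List[str]]:
    mon = Monitor()
    return mon, [mon.ingest(line) for line in lines]


# Constructed sample: carol last seen in March, bob fails twice then succeeds,
# alice fails 5 times (temporary lock), succeeds during the lock, then fails 5 more.
SAMPLE_LOG = (
    ["2025-03-01T08:00:00 user=carol result=SUCCESS",
     "2025-05-14T09:00:00 user=bob result=FAIL",
     "2025-05-14T09:00:30 user=bob result=FAIL",
     "2025-05-14T09:01:00 user=bob result=SUCCESS"]
    + [f"2025-05-14T09:0{i}:00 user=alice result=FAIL" for i in range(5)]
    + ["2025-05-14T09:10:00 user=alice result=SUCCESS"]
    + [f"2025-05-14T09:2{i}:00 user=alice result=FAIL" for i in range(5)]
)

if __name__ == "__main__":
    mon, outcomes = replay(SAMPLE_LOG)
    for line, outcome in zip(SAMPLE_LOG, outcomes):
        print(f"{outcome:16} {line}")
    print("alerts:", *mon.alerts, sep="\n  ")
    print("suspend for inactivity:", mon.inactive_accounts(datetime(2025, 5, 14, 12, 0)))
```

Two points worth noticing when reading the replay: alice's correct password at 09:10 is rejected because the temporary lockout runs until 09:19, so an attacker who guessed right during the window gains nothing and the account owner sees a lockout rather than a silent success; and a successful login is the only event that clears the counter, so the five later failures push alice from 5 to 10 and trigger the permanent lockout alert. Bob's two failures followed by a valid login never reach a threshold and his counter returns to zero.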
