Password Requirements & Policies

To maintain a secure environment, all users within the organization must adhere to the following password requirements and policies. These measures reduce the risk of account compromise and unauthorized access.

Password Requirements

  1. Minimum Length → Passwords must be at least 12 characters long.

  2. Complexity → Passwords must include:

    • At least 1 uppercase letter (A–Z)

    • At least 1 lowercase letter (a–z)

    • At least 1 number (0–9)

    • At least 1 special character (e.g., ! @ # $ % ^ & *)

  3. Disallowed Passwords → The following are not permitted:

    • Common or easily guessable passwords (e.g., Password123, admin, welcome).

    • Previously breached or compromised passwords.

    • Usernames or personal information (e.g., date of birth, phone number).

  4. Uniqueness → New passwords must not reuse, and must differ significantly from, previously used passwords.
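As an added illustration (not the organization's own tooling), the following Python function checks a candidate password against the four requirements above. Everything not stated in the policy is an assumption chosen for the example: the set of characters counted as special, the small constructed denylist standing in for a breached-password corpus, the 0.7 similarity threshold, the four-character minimum for personal-information tokens, and the PBKDF2 settings used for the password history. One caveat the policy leaves implicit: stored history is hashed, so "significantly different" can only be enforced against the current password, which the user supplies in cleartext at change time; older entries can only be checked for exact reuse.

```python
"""Password-requirement validator (added example, not the organization's own code).
Thresholds and lists not stated in the policy are assumptions for illustration."""
import hashlib
import hmac
import os
import re
import unicodedata
from difflib import SequenceMatcher

MIN_LENGTH = 12             # policy: all users
MIN_LENGTH_PRIVILEGED = 16  # policy: admin / elevated-access accounts
# Assumption: which characters count as "special".
SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")

# Constructed stand-in for a breached/common-password corpus (assumption).
# A real deployment would consult a large breach corpus; this set is tiny on purpose.
DISALLOWED = {"password123", "admin", "welcome", "qwerty123456", "letmein12345"}
# Alphabetic roots so that "Welcome2024!!" is caught as well as "welcome" (assumption).
DISALLOWED_ROOTS = {"password", "admin", "welcome", "qwerty", "letmein"}

SIMILARITY_LIMIT = 0.7  # assumption: what "significantly different" means numerically
MIN_TOKEN_LEN = 4       # assumption: ignore very short personal-info tokens
PBKDF2_ITERATIONS = 200_000  # assumption for the example; tune to your password store


def _norm(s):
    # NFKC so that look-alike Unicode forms are compared consistently.
    return unicodedata.normalize("NFKC", s)


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 for the password history; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _norm(password).encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def _reused(password, history):
    """Exact-reuse check against stored (salt, digest) pairs, in constant time per entry."""
    return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
               for salt, digest in history)


def check_password(candidate, *, username, personal_info=(), current_password=None,
                   history=(), privileged=False):
    """Return a list of violations; an empty list means the password is accepted."""
    pw = _norm(candidate)
    lowered = pw.lower()
    errors = []

    # 1. Minimum length, counted in characters after normalization.
    min_len = MIN_LENGTH_PRIVILEGED if privileged else MIN_LENGTH
    if len(pw) < min_len:
        errors.append(f"length {len(pw)} < {min_len}")

    # 2. Complexity: the policy names A-Z, a-z and 0-9 explicitly, so use those ranges.
    if not re.search(r"[A-Z]", pw):
        errors.append("no uppercase letter")
    if not re.search(r"[a-z]", pw):
        errors.append("no lowercase letter")
    if not re.search(r"[0-9]", pw):
        errors.append("no digit")
    if not any(c in SPECIALS for c in pw):
        errors.append("no special character")

    # 3a. Common / breached passwords: exact match or a known root with digits/symbols bolted on.
    core = re.sub(r"[^a-z]", "", lowered)
    if lowered in DISALLOWED or core in DISALLOWED_ROOTS:
        errors.append("common or breached password")

    # 3b. Username and personal information as case-insensitive substrings.
    for token in (username, *personal_info):
        t = _norm(token).lower()
        if len(t) >= MIN_TOKEN_LEN and t in lowered:
            errors.append(f"contains personal information ({token})")

    # 4. Uniqueness: similarity only against the cleartext current password (known at
    #    change time); older history is hashed, so it supports exact-reuse checks only.
    if current_password is not None:
        ratio = SequenceMatcher(None, lowered, _norm(current_password).lower()).ratio()
        if ratio >= SIMILARITY_LIMIT:
            errors.append(f"too similar to current password (ratio {ratio:.2f})")
    if _reused(pw, list(history)):
        errors.append("reuses a previous password")

    return errors


if __name__ == "__main__":
    for pw in ("Password123", "Welcome2024!!", "Tr0ub4dor&3-Correct!"):
        print(pw, "->", check_password(pw, username="alice") or "accepted")
```

The denylist check deliberately strips digits and symbols before comparing, because a bare exact-match list lets "Welcome2024!!" through while rejecting "welcome"; in production the exact check would be backed by a full breach corpus rather than the constructed set here.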

Password Policies

  1. Expiration

    • Passwords must be updated every 90 days.

  2. Multi-Factor Authentication (MFA)

    • All accounts must enable MFA for an additional layer of protection.

    • Supported options: TOTP authenticator apps (Google Authenticator, Authy, Microsoft Authenticator) or email OTP.

  3. Account Lockout

    • Accounts will be locked after 5 consecutive failed login attempts.

    • Locked accounts can only be reactivated after a cooldown period or by contacting the IT/Security team.

  4. Password Storage & Sharing

    • Passwords must never be shared between users.

    • Passwords should not be written down or stored in unsecured files.

    • Use of an approved password manager is encouraged.

  5. Privileged Accounts

    • Admin and elevated-access accounts must use stronger, unique passwords that are not reused on any other account (longer than 16 characters recommended).

    • These accounts must rotate passwords more frequently (every 60 days).

  6. Incident Reporting

    • If a password compromise is suspected, users must immediately change their password and report the incident to the IT/Security team.