1. Overview and scope
Passwords are used to protect systems, data, and devices. Appropriate and secure use of passwords is essential for data security. Strong passwords significantly reduce the opportunity for unauthorised access to business information resources, whereas weak passwords heighten risks greatly.
2.1 Password Creation
- All user passwords must be at least 12 characters in length. Longer passwords are strongly encouraged.
- Where possible, the use of passphrases (passwords made up of multiple words) is highly encouraged. Examples include “let’s go jumping in the park” or “square-hilarious-cloudy-squirrels”. Passphrases are both easy to remember and meet the strength requirements.
- Passwords should not include information such as birthdates, addresses, phone numbers, or names of pets, family members, friends or fantasy characters.
- Passwords should not contain common patterns such as 123, qwerty, zxcv or 999.
- Passwords should not contain common words or phrases such as ‘welcome’ or ‘password’, including variations such as ‘p@zzW0rd456’.
- Passwords must be completely unique, and not used for any other system, application, or personal account.
- Where possible, password dictionaries should be utilised to prevent the use of common and easily cracked passwords.
- Default installation passwords must be changed immediately after installation is complete.
2.2 Password Aging
- Passwords should be changed only when there is reason to believe that the password has been compromised.
2.3 Password Protection
- Passwords must not be shared with anyone (including Web Usability staff), and must not be revealed or sent electronically.
- Passwords shall not be written down or physically stored anywhere.
- When configuring password “hints,” do not hint at the format of your password (e.g., “zip + middle name”).
- Only reputable “password managers” should be used, such as LastPass or Google Password Manager.
It is the responsibility of the end user to ensure compliance with the policies above.
If you believe your password may have been compromised, please immediately report the incident to the Web Usability Database Manager at firstname.lastname@example.org and change the password.