Password Policy
Version: 13.5 | Effective Date: September 1, 2019
- Document Created: August 8, 2019
- Last Reviewed: February 20, 2025
- Next Review Date: February 2026
- Approved By: Chief Technology Officer
- Policy Owner: Security Officer
13.1 Purpose
This Password Policy establishes requirements for creating, managing, and protecting authentication credentials to prevent unauthorized access while balancing security with usability.
13.2 Scope
Applies to all passwords and authentication credentials for Blue Whale Apps systems including user accounts, administrative accounts, service accounts, API keys, and any system requiring password authentication.
13.3 Password Complexity Requirements
Minimum Requirements:
- Length: Minimum 12 characters
- Composition: Combination of uppercase (A–Z), lowercase (a–z), numbers (0–9), and special characters (!@#$%^&*()_+-=|;:,.<>?)
Prohibited: Dictionary words (including with common character substitutions), sequential characters (e.g. 123456, abcdef), repeated characters (e.g. aaaaaa), the company name, anything derived from the username, any of the last 12 passwords, and passwords that appear in known breach corpora.
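The rules above implemented as a checker, as an added example in Python that is not part of the policy or of Blue Whale Apps' own tooling. It assumes a constructed five-word dictionary and a three-entry breach list standing in for a real wordlist and breach corpus, keeps password history as salted PBKDF2 hashes rather than plaintext, and undoes common substitutions before the dictionary match so "P@ssw0rd" is still caught. The usernames and passwords in the block are constructed test data.

```python
"""Password validator for the section 13.3 rules (added example)."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import Optional

MIN_LENGTH = 12            # 14 for privileged accounts (section 13.9)
HISTORY_DEPTH = 12
PBKDF2_ROUNDS = 100_000
SPECIALS = set("!@#$%^&*()_+-=|;:,.<>?")
COMPANY_TOKENS = ("bluewhale", "blue whale", "blue-whale", "blue_whale")

# Constructed, deliberately tiny lists for the example. A real deployment
# would use a full wordlist and a breach corpus (e.g. the HIBP SHA-1 set).
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "letmein"}
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Password123!", "Welcome2024!", "Summer2023!!")
}
# Undo common substitutions so "P@ssw0rd" still matches "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "@": "a", "$": "s"})


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class PasswordHistory:
    """Salted hashes of the user's last HISTORY_DEPTH passwords, oldest first."""
    entries: list = field(default_factory=list)   # [(salt, digest), ...]

    def contains(self, password: str) -> bool:
        return any(hmac.compare_digest(_pbkdf2(password, salt), digest)
                   for salt, digest in self.entries)

    def push(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, _pbkdf2(password, salt)))
        del self.entries[:-HISTORY_DEPTH]      # keep only the newest 12


def _has_sequence(s: str, n: int = 3) -> bool:
    """True if any n consecutive characters step by exactly +1 or -1 (abc, 321)."""
    for i in range(len(s) - n + 1):
        codes = [ord(c) for c in s[i:i + n]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def _username_tokens(username: str) -> set:
    """Username, its reversal, its local part and its alphanumeric pieces."""
    u = username.lower()
    toks = {u, u[::-1], u.split("@")[0]}
    toks.update(re.split(r"[^a-z0-9]+", u))
    return {t for t in toks if len(t) >= 3}


def check_password(password: str, username: str,
                   history: Optional[PasswordHistory] = None,
                   min_length: int = MIN_LENGTH) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    low = password.lower()
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = (any(c.isupper() for c in password), any(c.islower() for c in password),
               any(c.isdigit() for c in password), any(c in SPECIALS for c in password))
    if not all(classes):
        problems.append("missing one of upper, lower, digit, special")
    if _has_sequence(low):
        problems.append("sequential characters")
    if re.search(r"(.)\1\1", password):
        problems.append("repeated characters")
    if any(t in low for t in COMPANY_TOKENS):
        problems.append("contains company name")
    if any(t in low for t in _username_tokens(username)):
        problems.append("derived from username")
    if any(w in low.translate(LEET) for w in DICTIONARY_WORDS):
        problems.append("contains dictionary word")
    # SHA-1 of the plaintext is only the lookup key for the breach corpus,
    # matching the HIBP format; it is never stored.
    if hashlib.sha1(password.encode()).hexdigest().upper() in BREACHED_SHA1:
        problems.append("known compromised password")
    if history is not None and history.contains(password):
        problems.append(f"reused within last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    for pw in ("P@ssw0rd123!", "Tr0ub4dor&3Horse!!"):
        print(pw, "->", check_password(pw, "m.johnson") or "OK")
```

Two details matter in practice: the history check must compare against salted hashes, never against stored plaintext, and the dictionary check has to normalize substitutions or it is bypassed by the first "@" a user types. The breach lookup is shown against a local set; against the live Have I Been Pwned service only the first five hex characters of the SHA-1 are sent and the suffix is matched locally (k-anonymity), so the password itself never leaves the host.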
13.4 Password Rotation
- Standard User Accounts: Every 180 days (6 months)
- Administrative Accounts: Every 90 days (quarterly)
- Service Accounts: Annually or upon personnel changes
- Emergency Accounts: After each use
System-generated reminders are sent 30, 14, 7, and 3 days before expiration. An account is locked at expiration and stays locked until the password is changed.
13.5 Multi-Factor Authentication (MFA)
Required For: All system access without exception, including administrative functions, remote access/VPN, customer data access, cloud administration, email and collaboration tools, and development and production environments.
Methods: Hardware security keys (preferred), authenticator apps (Microsoft Authenticator, Google Authenticator, Duo), push notifications, SMS codes (least preferred).
Enforcement: MFA cannot be disabled without Security Officer approval; repeated failed attempts trigger the lockout in 13.7; lost or stolen authenticators must be reported immediately; every user must enrol a backup method.
13.6 Password Protection
Passwords must be kept strictly confidential. They must not be shared or used on anyone else's behalf, written on paper, sticky notes, desks or monitors, stored in unencrypted files, spreadsheets or email, saved in browsers on shared computers, transmitted by email, instant message or text, or reused across systems, including between work and personal accounts.
13.7 Account Lockout
Accounts lock automatically after 5 consecutive failed authentication attempts (3 for administrative accounts). A locked account unlocks automatically after 30 minutes, or immediately when unlocked by IT/Security. All lockout events are logged and monitored.
13.8 Password Reset
Self-Service: Automated portal requiring identity verification (security questions or email/SMS verification) plus MFA verification; password history prevents reuse of the last 12 passwords.
IT-Assisted: Identity verification required, with manager approval for sensitive accounts; temporary passwords expire after 24 hours and must be changed at the next login.
13.9 Administrative and Privileged Accounts
- Minimum 14 characters
- 90-day rotation
- Separate privileged from standard accounts
- Additional MFA for privileged actions
- Enhanced logging and just-in-time access
- Approval workflow, time-limited sessions, automatic timeout
- No shared accounts
13.10 Suspected Compromise
If compromise is suspected: immediately change the password, report to the Security Officer, review recent activity, check for unauthorized access, enable additional monitoring, and investigate the source.
For a confirmed compromise: force a reset across all affected accounts, review access logs, assess what data was accessed, follow the Incident Response Policy, and notify affected parties.