Nested Knowledge

Bringing Systematic Review to Life

User Tools

Site Tools

Trace: Determine Which Critical Appraisal to Use
wiki:policies:password

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
wiki:policies:password [2022/08/31 18:55]
peaceolaniran 		wiki:policies:password [2024/01/31 18:42] (current)
katcow
Line 15: Line 15:
 ===== Policy ===== ===== Policy =====
  
-** <font 18px/inherit;;inherit;;inherit>Internal Passwords</font>  **+==== Internal Company Passwords ====
  
-Concerns rules and practices internally at NK+**Application Passwords** - All programs, including applications developed internally by Nested Knowledge must be password protected.
  
-=== Application Passwords ===+**Changing Passwords **- All passwords must be promptly changed if they are suspected of being disclosed, or known to have been disclosed to unauthorized parties.
  
-All programs, including applications developed internally by Nested Knowledge must be password protected.+**Sharing Passwords** - Passwords must be kept confidential and may not be shared among users. Users are prohibited from recording passwords in an unencrypted medium, like a notetaking application, mobile phone, or piece of paper. Company credentials, including work email and other work accounts, may NEVER be used on personal websites.
  
-=== Changing Passwords ===+**Password Storage -** Passwords will not be stored in readable form without access control or in other locations where unauthorized persons might discover them. All such passwords are to be strictly controlled using either physical security or computer security controls 
 +==== Password Complexity ====
  
-All passwords must be promptly changed if they are suspected of being disclosed, or known to have been disclosed to unauthorized parties.+Passwords must:
  
-=== Sharing Passwords ===+  * be at least 12 characters long 
 +  * contain a mix of at least three of the following characters: 
 +      * uppercase 
 +      * lowercase 
 +      * numeric 
 +      * non-alphanumeric 
 +  * must not match your user name or email
  
-Passwords must be kept confidential and may not be shared among users. Users are prohibited from recording passwords in an unencrypted medium, like a notetaking application, mobile phone, or piece of paper.+=====    Application Passwords    =====
  
-=== Password Storage === +**Application Passwords**  All programs, including third party purchased software and applications developed internally by Nested Knowledge must be password protected.
- +
-Passwords will not be stored in readable form without access control or in other locations where unauthorized persons might discover them. All such passwords are to be strictly controlled using either physical security or computer security controls +
- +
-** <font 20px/inherit;;inherit;;inherit>External Passwords</font>  ** +
- +
-Concerns rules and practices for users authenticating to NK software +
- +
-**Application Passwords** +
- +
-All programs, including third party purchased software and applications developed internally by Nested Knowledge must be password protected.+
  
 === User Authentication === === User Authentication ===
  
 All systems will require a valid user ID and password. All unnecessary operating system or application user IDs not assigned to an individual user will be deleted or disabled. The use of a four digit pin or secret questions is not acceptable as an authentication method. All systems will require a valid user ID and password. All unnecessary operating system or application user IDs not assigned to an individual user will be deleted or disabled. The use of a four digit pin or secret questions is not acceptable as an authentication method.
 +
 +As described in our [[:wiki:policies:dev|Secure Development Policy]], Nested Knowledge does not manage user passwords or authentication (handled by [[https://auth0.com/|Auth0]] and Auth0 Lock). All communications with Auth0 from the client are encrypted (TSL), ensuring passwords are not communicated in plain text. Passwords stored by Auth0 are similarly salted & encrypted (bcrypt). Communications relayed by the client are similarly encrypted & RSA signed.
  
 === Choosing Passwords === === Choosing Passwords ===
Line 51: Line 50:
 All user-chosen passwords must contain at least one alphabetic character, one number, and one special character. Passwords must contain a minimum of 8 characters. All users must be automatically forced to change their passwords appropriate to the classification level of information. To obtain a new password, a user must present suitable identification. Passwords requirements are set by the respective systems—for instance, Google Accounts and Outh2, and are subject to change. All user-chosen passwords must contain at least one alphabetic character, one number, and one special character. Passwords must contain a minimum of 8 characters. All users must be automatically forced to change their passwords appropriate to the classification level of information. To obtain a new password, a user must present suitable identification. Passwords requirements are set by the respective systems—for instance, Google Accounts and Outh2, and are subject to change.
  
-=== Changing Passwords ===+==== General Password Guidelines ====
  
-All passwords must be promptly changed if they are suspected of being disclosed, or known to have been disclosed to unauthorized parties. +Applies to Nested Knowledge internal passwords and passwords for all Nested Knowledge users.
- +
-=== Sharing Passwords === +
- +
-Passwords must be kept confidential and may not be shared among users. Users are prohibited from recording passwords in an unencrypted medium, like a notetaking application, mobile phone, or piece of paper. +
- +
-** <font 20px/inherit;;inherit;;inherit>General</font>  ** <font 14px/inherit;;inherit;;inherit>Applies to NK internal passwords and passwords for all NK users.</font>+
  
 === Password Expiration Time === === Password Expiration Time ===
  
-The company does not currently have a Password Expiration Time policy; Google and Auth0 may require users to change their passwords at required intervals, but the company defers to these provider's policies with respect to password expiration.+The company does not currently have a Password Expiration Time policy; Google and Auth0 may require users to change their passwords at required intervals, but the company defers to these provider's policies with respect to password expiration.See [[https://auth0.com/docs/secure/attack-protection/brute-force-protection.|https://auth0.com/docs/secure/attack-protection/brute-force-protection.]]
  
 The company will review the Password Expiration Time policy periodically to ensure that long-term exposures are minimized. The company will review the Password Expiration Time policy periodically to ensure that long-term exposures are minimized.
Line 70: Line 63:
  
 The display and printing of passwords should be masked, suppressed, or otherwise obscured so that unauthorized parties will not be able to observe or subsequently recover them. After multiple unsuccessful attempts to enter a password, the involved user-ID must be either: (a) suspended until reset by a system administrator, (b) temporarily disabled for no less than three minutes, or © if dial-up or other external network connections are involved. The display and printing of passwords should be masked, suppressed, or otherwise obscured so that unauthorized parties will not be able to observe or subsequently recover them. After multiple unsuccessful attempts to enter a password, the involved user-ID must be either: (a) suspended until reset by a system administrator, (b) temporarily disabled for no less than three minutes, or © if dial-up or other external network connections are involved.
 +
 +=== Changing Passwords ===
 +
 +All passwords must be promptly changed if they are suspected of being disclosed, or known to have been disclosed to unauthorized parties.
 +
 +=== Sharing Passwords ===
 +
 +Passwords must be kept confidential and may not be shared among users. Users are prohibited from recording passwords in an unencrypted medium, like a notetaking application, mobile phone, or piece of paper.
  
 ===== Revision History ===== ===== Revision History =====
  
 ^Author^Date of Revision/Review^Comments/Description| ^Author^Date of Revision/Review^Comments/Description|
-|K. Cowie|11/17/2021|Initial draft done+|K. Cowie|10/06/2023|Minor revisions
-|K. Kallmes|11/19/2021|Draft approved|+|K. Kallmes|11/19/2021|Initial Draft approved
 +|P. Olaniran|08/30/2022|Revised draft| 
 +|K. Cowie|09/01/2022|Draft approved| 
 +|K. Holub|01/26/2023|Added password complexity requirements|
  
 [[:wiki:policies|Return to Policies]] [[:wiki:policies|Return to Policies]]
  
  
wiki/policies/password.1661972156.txt.gz · Last modified: 2022/08/31 18:55 by peaceolaniran

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki