Password Construction & Security Policy

OVERVIEW

Strong passwords are the first line of defense in protecting a business’ data and customer information. An effective password policy is a set of rules that govern password creation and prevent sensitive data from being stolen.

PURPOSE

The purpose of this Policy is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency with which they are changed.

POLICY

It is the policy of Kredit Financial Inc. (Kredit) to develop and implement standards for password composition, frequency of password change, and password security to mitigate the risk of a data breach.

SCOPE

This Policy applies to all passwords including but not limited to user-level accounts, system-level accounts, web accounts, e-mail accounts, screen saver protection, voicemail, and local router logins.

ROLES AND RESPONSIBILITIES

Kredit’s Chief Technology Officer (CTO) is responsible for establishing password standards that ensure the security of Kredit’s information and conform to industry best practice standards. The CTO is also responsible for reviewing this Policy on an annual basis.

PROCEDURE

PASSWORD CONSTRUCTION

Passwords must contain a minimum of eight (8) characters.

  • The more characters, the stronger the password. Kredit encourages the use of passphrases that are easy to remember and meet strength requirements. Examples of passphrases include “It’s time for vacation” or “block-curious-sunny-leaves.”

  • Poor or weak passwords have the following characteristics:

    • Contain fewer than eight characters

    • Contain personal information such as birthdates, addresses, phone numbers, or names of family members, pets, friends, and fantasy characters

    • Contain repeated or sequential character patterns such as “aaabbb,” “zyxwvuts,” or “12345”

    • Are some version of “Welcome123,” “Password123,” or “Changeme123”

PASSWORD SECURITY (BUSINESS USERS / KREDIT EMPLOYEES):

  • After ten (10) consecutive failed password attempts, user accounts are disabled for ninety (90) minutes.

  • User accounts are disabled after ninety (90) days of inactivity.

  • Users must change their password every ninety (90) days.

  • When resetting a password, users are prevented from using the last four (4) passwords previously used.

  • Under no circumstances are passwords to be spoken, written, or shared through electronic communication (e.g., email, chat), or shared with or known to anyone other than the user involved.

  • If a user has reason to believe that their password has been compromised, Kredit’s CTO must be notified immediately to have it reset.

  • To aid users in maintaining multiple passwords, Kredit encourages the use of password manager software that is authorized by the organization.

  • The “Remember Password” feature of applications (for example, web browsers) should not be used.

  • All Kredit employees are required to take the Passwords security awareness training module on an annual basis.

  • Application Developers are required to take the following additional security precautions:

    • Applications must support authentication of individual users, not groups.

    • Applications must not store passwords in clear text or in any easily reversible form.

    • Applications must not transmit passwords in clear text over the network.

    • Applications must provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.

PASSWORD SECURITY (CONSUMERS):

  • Passwords must contain a minimum of eight (8) characters.

  • Users are prevented from using the last four (4) passwords previously used.

  • After ten (10) consecutive failed password attempts, user accounts are disabled for ninety (90) minutes.
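As an added example (not part of this Policy and not Kredit's own code), the following Python checks a candidate password against the construction rules above (minimum of eight characters, repeated or sequential patterns such as “aaabbb,” “zyxwvuts,” or “12345,” and versions of the “Welcome123” family) and against the last four previously used passwords, which are kept as salted PBKDF2 digests rather than in clear text, as the developer requirements above demand. The run length of three and the stripping of trailing digits and symbols for the “some version of” test are assumptions, since the Policy states neither.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 8      # policy: minimum of eight characters
HISTORY_DEPTH = 4   # policy: the last four passwords may not be reused
RUN_LENGTH = 3      # assumption: three in a row catches "aaabbb", "zyxwvuts", "12345"
# Stems of the policy's "Welcome123 / Password123 / Changeme123" family; matched
# case-insensitively after trailing digits and symbols are stripped (assumption).
BANNED_STEMS = ("welcome", "password", "changeme")

def has_pattern_run(pw: str) -> bool:
    """True if pw holds RUN_LENGTH identical or consecutive (up or down) characters."""
    s = pw.lower()
    for i in range(len(s) - RUN_LENGTH + 1):
        window = s[i:i + RUN_LENGTH]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False

def is_default_variant(pw: str) -> bool:
    """True for "some version of" a banned default, e.g. 'Welcome2024!' or 'changeme'."""
    stem = re.sub(r"[\W\d_]+$", "", pw.lower())
    return stem in BANNED_STEMS

def hash_password(pw: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-SHA256 digest, so stored passwords are neither clear text nor reversible."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def in_history(pw: str, history) -> bool:
    """Recompute the candidate's digest under each stored salt of the last HISTORY_DEPTH entries."""
    return any(hmac.compare_digest(hash_password(pw, salt)[1], digest)
               for salt, digest in history[-HISTORY_DEPTH:])

def check_new_password(pw: str, history=()) -> list:
    """Return the policy rules the candidate violates; an empty list means it is accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"fewer than {MIN_LENGTH} characters")
    if has_pattern_run(pw):
        problems.append("contains a repeated or sequential character pattern")
    if is_default_variant(pw):
        problems.append("is a version of a well-known default password")
    if in_history(pw, list(history)):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems
```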

COMMUNICATION

This Policy shall be communicated to all affected employees via email and maintained in the Policies folder, sub-folder Information Security Policies in Google Drive for reference purposes.

VIOLATIONS

Failure to comply with this Policy may result in the compromise of Kredit data.

CHANGE SUMMARY

Purpose: Internal Policy

Category: Information Security Policy

Policy Name: Password Construction Guidelines

Event                       | Event Date | Event By            | Date Reviewed | Reviewed By        | Version
Creation and Implementation | 01/10/2022 | Kenny Lai, CTO      | 01/10/2022    | Dave Hanrahan, CEO | 1.0
Revision – updated format   | 04/03/2023 | Colene McNinch, CCO | 04/04/2023    | Kenny Lai, CTO     | 1.1

Last updated