Password Construction & Security Policy

OVERVIEW

Strong passwords are the first line of defense in protecting a business's data and customer information. An effective password policy is a set of rules that govern how passwords are created and protected, so that weak or exposed credentials do not become the route by which sensitive data is stolen.

PURPOSE

The purpose of this Policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.

POLICY

It is the policy of Kredit Financial Inc. (Kredit) to develop and implement standards for password composition, frequency of password change, and password security to mitigate the risk of a data breach.

SCOPE

This Policy applies to all passwords including but not limited to user-level accounts, system-level accounts, web accounts, e-mail accounts, screen saver protection, voicemail, and local router logins.

ROLES AND RESPONSIBILITIES

Kredit’s Chief Technology Officer (CTO) is responsible for establishing password standards that ensure the security of Kredit’s information and conform to industry best practice standards. The CTO is also responsible for reviewing this Policy on an annual basis.

PROCEDURE

PASSWORD CONSTRUCTION

Passwords must contain a minimum of eight (8) characters.

  • The more characters, the stronger the password. Kredit encourages the use of passphrases that are easy to remember and meet strength requirements. Examples of passphrases include “It’s time for vacation” or “block-curious-sunny-leaves.”

  • Poor or weak passwords have the following characteristics:

    • Contain less than eight characters

    • Contain personal information such as birthdates, addresses, phone numbers, or names of family members, pets, friends, and fantasy characters

    • Contain repeated or sequential character patterns such as “aaabbb,” “zyxwvuts,” or “12345”

    • Are some version of “Welcome123,” “Password123,” or “Changeme123”

PASSWORD SECURITY (BUSINESS USERS / KREDIT EMPLOYEES):

  • After ten (10) consecutive password failure attempts, user accounts are disabled for ninety (90) minutes.

  • User accounts are disabled after ninety (90) days of inactivity.

  • Users must change their password every ninety (90) days.

  • When resetting a password, users are prevented from using the last four (4) passwords previously used.

  • Under no circumstances are passwords to be spoken, written, or shared through electronic communication (e.g., email or chat), or otherwise shared with or known to anyone other than the user involved.

  • If a user has reason to believe that their password has been compromised, Kredit’s CTO must be notified immediately to have it reset.

  • To aid users in maintaining multiple passwords, Kredit encourages the use of password manager software that is authorized by the organization.

  • The "Remember Password" feature of applications (for example, web browsers) should not be used.

  • All Kredit employees are required to take the Passwords security awareness training module on an annual basis.

  • Application Developers are required to take the following additional security precautions:

    • Applications must support authentication of individual users, not groups.

    • Applications must not store passwords in clear text or in any easily reversible form.

    • Applications must not transmit passwords in clear text over the network.

    • Applications must provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.

PASSWORD SECURITY (CONSUMERS):

  • Passwords must contain a minimum of eight (8) characters.

  • Users are prevented from using the last four (4) passwords previously used.

  • After ten (10) consecutive password failure attempts, user accounts are disabled for ninety (90) minutes.
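The procedure above, worked as an added Python example (not Kredit's code or a description of its systems): the construction rules as a checker, the developers' rule against clear-text or easily reversible storage as salted scrypt digests, and the last-four history rule built on those digests. The pattern detector, the banned-base list, and the `Account` class are assumptions made for the illustration; the lockout counter and inactivity rules are not shown.

```python
import hashlib, hmac, os

MIN_LENGTH, HISTORY_DEPTH = 8, 4                     # values stated in the policy
BANNED_BASES = ("welcome", "password", "changeme")   # "Welcome123", "Password123", "Changeme123"

def has_pattern(s, run=3):
    # Any `run` adjacent characters that are identical ("aaa") or step by one ("123", "zyx").
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])} in ({0}, {1}, {-1}):
            return True
    return False

def weak_reasons(password):
    # Weak-password characteristics from the policy that `password` exhibits (empty list = acceptable).
    # The personal-information rule needs per-user data and is not checked here.
    low, reasons = password.lower(), []
    if len(password) < MIN_LENGTH:
        reasons.append("fewer than eight characters")
    if has_pattern(password):
        reasons.append("repeated or sequential character pattern")
    if any(low.startswith(b) and not low[len(b):].strip("0123456789!@#$%^&*.") for b in BANNED_BASES):
        reasons.append("variant of a banned default password")
    return reasons

def hash_password(password, salt=None):
    # Salted scrypt digest: one-way, so stored values are not in an "easily reversible form".
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)

class Account:
    # Hypothetical account record holding salted digests only: the current password plus the four before it.
    def __init__(self, password):
        self.history = []
        self._store(password)
    def _store(self, password):
        self.history = (self.history + [hash_password(password)])[-(HISTORY_DEPTH + 1):]
    def _matches(self, password, entry):
        return hmac.compare_digest(hash_password(password, entry[0])[1], entry[1])
    def verify(self, password):
        return self._matches(password, self.history[-1])
    def change_password(self, new_password):
        # Construction rules plus the last-four history rule; returns the list of violations.
        reasons = weak_reasons(new_password)
        if any(self._matches(new_password, e) for e in self.history):
            reasons.append("matches the current password or one of the last four")
        if not reasons:
            self._store(new_password)
        return reasons
```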

COMMUNICATION

This Policy shall be communicated to all affected employees via email and maintained in the Policies folder, sub-folder Information Security Policies in Google Drive for reference purposes.

VIOLATIONS

Failure to comply with this Policy may result in the compromise of Kredit data.

CHANGE SUMMARY

Purpose: Internal Policy

Category: Information Security Policy

Policy Name: Password Construction Guidelines

Event                       | Event Date | Event By            | Date Reviewed | Reviewed By        | Version
Creation and Implementation | 01/10/2022 | Kenny Lai, CTO      | 01/10/2022    | Dave Hanrahan, CEO | 1.0
Revision – updated format   | 04/03/2023 | Colene McNinch, CCO | 04/04/2023    | Kenny Lai, CTO     | 1.1

Last updated 2 years ago