The following document is intended to furnish users with general information and guidance and is not intended to replace or serve as consultation, service, or legal advice.
Password Policy Guidelines
Ultimately, all users are responsible for their own passwords. Passwords should not be shared with anyone, nor should they be used in a way that does not comply with this policy document.
Why Do We Need a Password Policy
<Company> has information that is private and not for public consumption. It is critical to our security that our data remain protected and secure, available only to authorized users of the systems in place. Individuals are responsible for protecting their access to company information and keeping company confidentiality at the highest level. As such, users in our system are responsible for adhering to this password policy.
Individuals who are granted access to company assets will be issued an initial password. That password must be changed upon first use.
Passwords must never be shared with anyone. Nobody from <company> will ever ask you for your password. Users may not ask anyone else for their password. Passwords are to be kept confidential. Any violation of this will result in <immediate termination>, and you are obligated to report any behavior of this nature.
Passwords should be stored ONLY in our <name> password management system. They should never be written down anywhere.
Lost or non-working passwords can be reset by contacting IT or by logging in to: <insert password reset URL>.
What if Something Bad Happens
Mistakes happen. If you have experienced a password compromise, contact security or IT immediately. Nobody gets in trouble for making a mistake; they get in trouble for hiding a mistake.
Changed every <x> <days/months> <or>
Users must comply with multi-factor authentication (MFA). MFA-compliant users will not be required to change their password on a regular basis.
Letters (uppercase and lowercase)
Other characters (limited to: <insert characters>)
May not include any part of the user’s name
May not include characters that repeat
All questions regarding this policy should be directed to: <name>, <title>, <email>, <phone>