1. Password Policy
Effective: 3/1/2014
Updated: N/A
Pages: 3
I. Overview
a. Passwords are an important aspect of computer security. Operating without a password
may result in unauthorized access to sensitive client information or exploitation of
HAVEN’s resources, whether purposefully or accidentally. All users are responsible for
taking the appropriate steps, as outlined below, to select and secure their passwords.
II. Purpose
a. The purpose of this policy is to establish a standard for creation of passwords, the
protection of those passwords, and the frequency of change.
III. Policy
a. General
i. All user-level passwords (e.g., email, web applications, desktop computer, etc.)
must be changed at least every six months.
ii. All passwords must be part of an administered global password management
database available to the Executive Director and/or Direct Service Supervisor.
iii. All user-level and system-level passwords must conform to the guidelines
described below.
b. Guidelines
i. General Password Construction Guidelines
1. All users at HAVEN should be aware of how to select strong passwords.
2. Strong passwords have the following characteristics:
a. Lower case characters
b. Upper case characters
c. Numbers
d. Punctuation
e. “Special” characters (e.g. @#$%^&*()_+|~-=`{}[]:";'<>/ etc.)
f. Contain at least fifteen alphanumeric characters.
3. Try to create passwords that can be easily remembered. One way to do
this is to create a password based on a song title, affirmation, or other
phrase. For example, the phrase might be: "I got the eye of the tiger"
and the password could be: "IgTEoftT!" or "IgotTIoftT~" or some other
variation.
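As an added illustration (not part of the HAVEN policy document), the construction guidelines above can be expressed as a small checker that reports which rules a candidate password misses. The rule set, the fifteen-alphanumeric-character minimum, and the treatment of "punctuation" and "special" characters as one class are taken from the list above; the function name and messages are this example's own.

```python
import string

# Minimum count of alphanumeric characters required by guideline 2.f above.
MIN_ALNUM = 15


def check_password(pw: str) -> list:
    """Return the list of construction rules the password fails.

    An empty list means the password satisfies every rule in the
    guidelines. The rules are checked independently so the caller can
    tell the user exactly what is missing.
    """
    failures = []
    if not any(c.islower() for c in pw):
        failures.append("no lower case character")
    if not any(c.isupper() for c in pw):
        failures.append("no upper case character")
    if not any(c.isdigit() for c in pw):
        failures.append("no number")
    # string.punctuation covers both the "punctuation" and "special"
    # character classes listed in the guidelines.
    if not any(c in string.punctuation for c in pw):
        failures.append("no punctuation or special character")
    alnum = sum(1 for c in pw if c.isalnum())
    if alnum < MIN_ALNUM:
        failures.append(f"only {alnum} alphanumeric characters (need {MIN_ALNUM})")
    return failures


if __name__ == "__main__":
    # Constructed samples: a short mnemonic and a longer phrase-based one.
    for candidate in ("IgTEoftT!", "IgotTheEyeOfTheTiger2014!"):
        result = check_password(candidate)
        print(candidate, "->", "compliant" if not result else result)
```

Run against the short mnemonic style shown in guideline 3, the checker reports the missing number and the alphanumeric shortfall, which is the feedback a user needs in order to lengthen a memorable phrase until it meets every rule.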
ii. Password Protection Standards
1. Always use different passwords for HAVEN accounts from other non-HAVEN
access (e.g., personal ISP account, option trading, benefits, etc.).
2. Always use different passwords for various HAVEN access needs
whenever possible.
3. Do not share HAVEN passwords with anyone, including administrative
assistants or secretaries. All passwords are to be treated as sensitive,
confidential HAVEN information.
4. Passwords should never be written down or stored online without
encryption.
5. Do not reveal a password in email, chat, or other electronic
communication.
6. Do not speak about a password in front of others.
7. Do not hint at the format of a password (e.g., "my family name").
8. Do not reveal a password on questionnaires or security forms.
9. If someone demands a password, refer them to this document and
direct them to the Information Security Department.
10. Always decline the use of the "Remember Password" feature of
applications (e.g., Eudora, Outlook, Netscape Messenger).
iii. If an account or password compromise is suspected, report the incident to the
Information Security Department.
c. Enforcement
i. Any employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment. Password cracking or
guessing may be performed on a periodic or random basis by the Information
Security Department or its delegates. If a password is guessed or cracked during
these exercises, the user/owner will be required to change it.