sr2/www.sr2.uk
5
0
Fork 2
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
www.sr2.uk/static/policies/password_auth/index.html
irl f66adc0b65
All checks were successful
ci / build_and_publish (push) Successful in 23s
Details
feat: adds some draft policies
2026-04-22 11:54:58 +01:00

2281 lines
No EOL
69 KiB
HTML
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!doctype html><html lang="en">
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<title>Passwords and Authentication Policy</title>
<style data-fill-with="stylesheet">/******************************************************************************
* Style sheet for the W3C specifications *
*
* Special classes handled by this style sheet include:
*
* Indices
* - .toc for the Table of Contents (<ol class="toc">)
* + <span class="secno"> for the section numbers
* - #toc for the Table of Contents (<nav id="toc">)
* - ul.index for Indices (<a href="#ref">term</a><span>, in §N.M</span>)
* - table.index for Index Tables (e.g. for properties or elements)
*
* Structural Markup
* - table.data for general data tables
* -> use 'scope' attribute, <colgroup>, <thead>, and <tbody> for best results !
* -> use <table class='complex data'> for extra-complex tables
* -> use <td class='long'> for paragraph-length cell content
* -> use <td class='pre'> when manual line breaks/indentation would help readability
* - dl.switch for switch statements
* - ol.algorithm for algorithms (helps to visualize nesting)
* - .figure and .caption (HTML4) and figure and figcaption (HTML5)
* -> .sidefigure for right-floated figures
* - ins/del
* -> ins/del.c### for candidate and proposed changes (amendments)
*
* Code
* - pre and code
*
* Special Sections
* - .note for informative notes (div, p, span, aside, details)
* - .example for informative examples (div, p, pre, span)
* - .issue for issues (div, p, span)
* - .advisement for loud normative statements (div, p, strong)
* - .annoying-warning for spec obsoletion notices (div, aside, details)
* - .correction for "candidate corrections" (div, aside, details, section)
* - .addition for "candidate additions" (div, aside, details, section)
* - .correction.proposed for "proposed corrections" (div, aside, details, section)
* - .addition.proposed for "proposed additions" (div, aside, details, section)
*
* Definition Boxes
* - pre.def for WebIDL definitions
* - table.def for tables that define other entities (e.g. CSS properties)
* - dl.def for definition lists that define other entitles (e.g. HTML elements)
*
* Numbering
* - .secno for section numbers in .toc and headings (<span class='secno'>3.2</span>)
* - .marker for source-inserted example/figure/issue numbers (<span class='marker'>Issue 4</span>)
* - ::before styled for CSS-generated issue/example/figure numbers:
* -> Documents wishing to use this only need to add
* figcaption::before,
* .caption::before { content: "Figure " counter(figure) " "; }
* .example::before { content: "Example " counter(example) " "; }
* .issue::before { content: "Issue " counter(issue) " "; }
*
* Header Stuff (ignore, just don't conflict with these classes)
* - .head for the header
* - .copyright for the copyright
*
* Outdated warning for old specs
*
* Miscellaneous
* - .overlarge for things that should be as wide as possible, even if
* that overflows the body text area. This can be used on an item or
* on its container, depending on the effect desired.
* Note that this styling basically doesn't help at all when printing,
* since A4 paper isn't much wider than the max-width here.
* It's better to design things to fit into a narrower measure if possible.
*
* - js-added ToC jump links (see fixup.js)
*
******************************************************************************/
/* color variables included separately for reliability */
/******************************************************************************/
/* Body */
/******************************************************************************/
html {
}
body {
counter-reset: example figure issue;
/* Layout */
max-width: 50em; /* limit line length to 50em for readability */
margin: 0 auto; /* center text within page */
padding: 1.6em 1.5em 2em 50px; /* assume 16px font size for downlevel clients */
padding: 1.6em 1.5em 2em calc(26px + 1.5em); /* leave space for status flag */
/* Typography */
line-height: 1.5;
font-family: sans-serif;
widows: 2;
orphans: 2;
word-wrap: break-word;
overflow-wrap: break-word;
hyphens: auto;
color: black;
color: var(--text);
background: white top left fixed no-repeat;
background: var(--bg) top left fixed no-repeat;
background-size: 25px auto;
}
/******************************************************************************/
/* Front Matter & Navigation */
/******************************************************************************/
/** Header ********************************************************************/
div.head { margin-bottom: 1em; }
div.head hr { border-style: solid; }
div.head h1 {
font-weight: bold;
margin: 0 0 .1em;
font-size: 220%;
}
div.head h2 { margin-bottom: 1.5em;}
/** W3C Logo ******************************************************************/
.head .logo {
float: right;
margin: 0.4rem 0 0.2rem .4rem;
}
.head img[src*="logos/W3C"] {
display: block;
border: solid #1a5e9a;
border: solid var(--logo-bg);
border-width: .65rem .7rem .6rem;
border-radius: .4rem;
background: #1a5e9a;
background: var(--logo-bg);
color: white;
color: var(--logo-text);
font-weight: bold;
}
.head a:hover > img[src*="logos/W3C"],
.head a:focus > img[src*="logos/W3C"] {
opacity: .8;
}
.head a:active > img[src*="logos/W3C"] {
background: #c00;
background: var(--logo-active-bg);
border-color: #c00;
border-color: var(--logo-active-bg);
}
/* see also additional rules in Link Styling section */
/** Copyright *****************************************************************/
p.copyright,
p.copyright small { font-size: small; }
/** Back to Top / ToC Toggle **************************************************/
@media print {
#toc-nav {
display: none;
}
}
@media not print {
#toc-nav {
position: fixed;
z-index: 3;
bottom: 0; left: 0;
margin: 0;
min-width: 1.33em;
border-top-right-radius: 2rem;
box-shadow: 0 0 2px;
font-size: 1.5em;
}
#toc-nav > a {
display: block;
white-space: nowrap;
height: 1.33em;
padding: .1em 0.3em;
margin: 0;
box-shadow: 0 0 2px;
border: none;
border-top-right-radius: 1.33em;
color: #707070;
color: var(--tocnav-normal-text);
background: white;
background: var(--tocnav-normal-bg);
}
#toc-nav > a:hover,
#toc-nav > a:focus {
color: black;
color: var(--tocnav-hover-text);
background: #f8f8f8;
background: var(--tocnav-hover-bg);
}
#toc-nav > a:active {
color: #c00;
color: var(--tocnav-active-text);
background: white;
background: var(--tocnav-active-bg);
}
#toc-nav > #toc-jump {
padding-bottom: 2em;
margin-bottom: -1.9em;
}
/* statusbar gets in the way on keyboard focus; remove once browsers fix */
#toc-nav > a[href="#toc"]:not(:hover):focus:last-child {
padding-bottom: 1.5rem;
}
#toc-nav:not(:hover) > a:not(:focus) > span + span {
/* Ideally this uses :focus-within on #toc-nav */
display: none;
}
#toc-nav > a > span + span {
padding-right: 0.2em;
}
}
/** ToC Sidebar ***************************************************************/
/* Floating sidebar */
@media screen {
body.toc-sidebar #toc {
position: fixed;
top: 0; bottom: 0;
left: 0;
width: 23.5em;
max-width: 80%;
max-width: calc(100% - 2em - 26px);
overflow: auto;
padding: 0 1em;
padding-left: 42px;
padding-left: calc(1em + 26px);
color: black;
color: var(--tocsidebar-text);
background: inherit;
background-color: #f7f8f9;
background-color: var(--tocsidebar-bg);
z-index: 1;
box-shadow: -.1em 0 .25em rgba(0,0,0,.1) inset;
box-shadow: -.1em 0 .25em var(--tocsidebar-shadow) inset;
}
body.toc-sidebar #toc h2 {
margin-top: .8rem;
font-variant: small-caps;
font-variant: all-small-caps;
text-transform: lowercase;
font-weight: bold;
color: gray;
color: hsla(203,20%,40%,.7);
color: var(--tocsidebar-heading-text);
}
body.toc-sidebar #toc-jump:not(:focus) {
width: 0;
height: 0;
padding: 0;
position: absolute;
overflow: hidden;
}
}
/* Hide main scroller when only the ToC is visible anyway */
@media screen and (max-width: 28em) {
body.toc-sidebar {
overflow: hidden;
}
}
/* Sidebar with its own space */
@media screen and (min-width: 78em) {
body:not(.toc-inline) #toc {
position: fixed;
top: 0; bottom: 0;
left: 0;
width: 23.5em;
overflow: auto;
padding: 0 1em;
padding-left: 42px;
padding-left: calc(1em + 26px);
color: black;
color: var(--tocsidebar-text);
background: inherit;
background-color: #f7f8f9;
background-color: var(--tocsidebar-bg);
z-index: 1;
box-shadow: -.1em 0 .25em rgba(0,0,0,.1) inset;
box-shadow: -.1em 0 .25em var(--tocsidebar-shadow) inset;
}
body:not(.toc-inline) #toc h2 {
margin-top: .8rem;
font-variant: small-caps;
font-variant: all-small-caps;
text-transform: lowercase;
font-weight: bold;
color: gray;
color: hsla(203,20%,40%,.7);
color: var(--tocsidebar-heading-text);
}
body:not(.toc-inline) {
padding-left: 29em;
}
/* See also Overflow section at the bottom */
body:not(.toc-inline) #toc-jump:not(:focus) {
width: 0;
height: 0;
padding: 0;
position: absolute;
overflow: hidden;
}
}
@media screen and (min-width: 90em) {
body:not(.toc-inline) {
margin: 0 4em;
}
}
/******************************************************************************/
/* Sectioning */
/******************************************************************************/
/** Headings ******************************************************************/
h1, h2, h3, h4, h5, h6, dt {
page-break-after: avoid;
page-break-inside: avoid;
font: 100% sans-serif; /* Reset all font styling to clear out UA styles */
font-family: inherit; /* Inherit the font family. */
line-height: 1.2; /* Keep wrapped headings compact */
hyphens: manual; /* Hyphenated headings look weird */
}
h2, h3, h4, h5, h6 {
margin-top: 3rem;
}
h1, h2, h3 {
color: #005A9C;
color: var(--heading-text);
}
h1 { font-size: 170%; }
h2 { font-size: 140%; }
h3 { font-size: 120%; }
h4 { font-weight: bold; }
h5 { font-style: italic; }
h6 { font-variant: small-caps; }
dt { font-weight: bold; }
/** Subheadings ***************************************************************/
h1 + h2,
#profile-and-date {
/* #profile-and-date is a subtitle in an H2 under the H1 */
margin-top: 0;
}
h2 + h3,
h3 + h4,
h4 + h5,
h5 + h6 {
margin-top: 1.2em; /* = 1 x line-height */
}
/** Section divider ***********************************************************/
:not(.head) > :not(.head) + hr {
font-size: 1.5em;
text-align: center;
margin: 1em auto;
height: auto;
color: black;
color: var(--hr-text);
border: transparent solid 0;
background: transparent;
}
:not(.head) > hr::before {
content: "\2727\2003\2003\2727\2003\2003\2727";
}
/******************************************************************************/
/* Paragraphs and Lists */
/******************************************************************************/
p {
margin: 1em 0;
}
dd > p:first-child,
li > p:first-child {
margin-top: 0;
}
ul, ol {
margin-left: 0;
padding-left: 2em;
}
li {
margin: 0.25em 0 0.5em;
padding: 0;
}
dl dd {
margin: 0 0 .5em 2em;
}
.head dd + dd { /* compact for header */
margin-top: -.5em;
}
/* Style for algorithms */
ol.algorithm ol:not(.algorithm),
.algorithm > ol ol:not(.algorithm) {
border-left: 0.5em solid #DEF;
border-left: 0.5em solid var(--algo-border);
}
/* Put nice boxes around each algorithm. */
[data-algorithm]:not(.heading) {
padding: .5em;
border: thin solid #ddd;
border: thin solid var(--algo-border);
border-radius: .5em;
margin: .5em calc(-0.5em - 1px);
}
[data-algorithm]:not(.heading) > :first-child {
margin-top: 0;
}
[data-algorithm]:not(.heading) > :last-child {
margin-bottom: 0;
}
/* Style for switch/case <dl>s */
dl.switch > dd > ol.only,
dl.switch > dd > .only > ol {
margin-left: 0;
}
dl.switch > dd > ol.algorithm,
dl.switch > dd > .algorithm > ol {
margin-left: -2em;
}
dl.switch {
padding-left: 2em;
}
dl.switch > dt {
text-indent: -1.5em;
margin-top: 1em;
}
dl.switch > dt + dt {
margin-top: 0;
}
dl.switch > dt::before {
content: '\21AA';
padding: 0 0.5em 0 0;
display: inline-block;
width: 1em;
text-align: right;
line-height: 0.5em;
}
/** Terminology Markup ********************************************************/
/******************************************************************************/
/* Inline Markup */
/******************************************************************************/
/** Terminology Markup ********************************************************/
dfn { /* Defining instance */
font-weight: bolder;
}
a > i { /* Instance of term */
font-style: normal;
}
dt dfn code, code.idl {
font-size: inherit;
}
dfn var {
font-style: normal;
}
/** Change Marking ************************************************************/
del {
color: #aa0000;
color: var(--del-text);
background: transparent;
background: var(--del-bg);
text-decoration: line-through;
}
ins {
color: #006100;
color: var(--ins-text);
background: transparent;
background: var(--ins-bg);
text-decoration: underline;
}
/* for amendments (candidate/proposed changes) */
.amendment ins, .correction ins, .addition ins,
ins[class^=c] {
text-decoration-style: dotted;
}
.amendment del, .correction del, .addition del,
del[class^=c] {
text-decoration-style: dotted;
}
.amendment.proposed ins, .correction.proposed ins, .addition.proposed ins,
ins[class^=c].proposed {
text-decoration-style: double;
}
.amendment.proposed del, .correction.proposed del, .addition.proposed del,
del[class^=c].proposed {
text-decoration-style: double;
}
/** Miscellaneous improvements to inline formatting ***************************/
sup {
vertical-align: super;
font-size: 80%
}
/******************************************************************************/
/* Code */
/******************************************************************************/
/** General monospace/pre rules ***********************************************/
pre, code, samp {
font-family: Menlo, Consolas, "DejaVu Sans Mono", Monaco, monospace;
font-size: .9em;
hyphens: none;
text-transform: none;
text-align: left;
text-align: start;
font-variant: normal;
orphans: 3;
widows: 3;
page-break-before: avoid;
}
pre code,
code code {
font-size: 100%;
}
pre {
margin-top: 1em;
margin-bottom: 1em;
overflow: auto;
}
/** Inline Code fragments *****************************************************/
/* Do something nice. */
/******************************************************************************/
/* Links */
/******************************************************************************/
/** General Hyperlinks ********************************************************/
/* We hyperlink a lot, so make it less intrusive */
a[href] {
color: #034575;
color: var(--a-normal-text);
text-decoration: underline #707070;
text-decoration: underline var(--a-normal-underline);
text-decoration-skip-ink: none;
}
a:visited {
color: #034575;
color: var(--a-visited-text);
text-decoration-color: #bbb;
text-decoration-color: var(--a-visited-underline);
}
/* Indicate interaction with the link */
a[href]:focus,
a[href]:hover {
text-decoration-thickness: 2px;
}
a[href]:active {
color: #c00;
color: var(--a-active-text);
text-decoration-color: #c00;
text-decoration-color: var(--a-active-underline);
}
/* Backout above styling for W3C logo */
.head .logo,
.head .logo a {
border: none;
text-decoration: none;
background: transparent;
}
/******************************************************************************/
/* Images */
/******************************************************************************/
img {
border-style: none;
}
img, svg {
/* Intentionally not color-scheme aware. */
background: white;
}
/* For autogen numbers, add
.caption::before, figcaption::before { content: "Figure " counter(figure) ". "; }
*/
figure, .figure, .sidefigure {
page-break-inside: avoid;
text-align: center;
margin: 2.5em 0;
}
.figure img, .sidefigure img, figure img,
.figure object, .sidefigure object, figure object {
max-width: 100%;
margin: auto;
height: auto;
}
.figure pre, .sidefigure pre, figure pre {
text-align: left;
display: table;
margin: 1em auto;
}
.figure table, figure table {
margin: auto;
}
@media screen and (min-width: 20em) {
.sidefigure {
float: right;
width: 50%;
margin: 0 0 0.5em 0.5em;
}
}
.caption, figcaption, caption {
font-style: italic;
font-size: 90%;
}
.caption::before, figcaption::before, figcaption > .marker {
font-weight: bold;
}
.caption, figcaption {
counter-increment: figure;
}
/* DL list is indented 2em, but figure inside it is not */
dd > .figure, dd > figure { margin-left: -2em; }
/******************************************************************************/
/* Colored Boxes */
/******************************************************************************/
.issue, .note, .example, .assertion, .advisement, blockquote,
.amendment, .correction, .addition {
margin: 1em auto;
padding: .5em;
border: .5em;
border-left-style: solid;
page-break-inside: avoid;
}
span.issue, span.note {
padding: .1em .5em .15em;
border-right-style: solid;
}
blockquote > :first-child,
.note > p:first-child,
.issue > p:first-child,
.amendment > p:first-child,
.correction > p:first-child,
.addition > p:first-child {
margin-top: 0;
}
blockquote > :last-child,
.note > p:last-child,
.issue > p:last-child,
.amendment > p:last-child,
.correction > p:last-child,
.addition > p:last-child {
margin-bottom: 0;
}
.issue::before, .issue > .marker,
.example::before, .example > .marker,
.note::before, .note > .marker,
details.note > summary > .marker,
.amendment::before, .amendment > .marker,
details.amendment > summary > .marker,
.addition::before, .addition > .marker,
addition.amendment > summary > .marker,
.correction::before, .correction > .marker,
correction.amendment > summary > .marker
{
text-transform: uppercase;
padding-right: 1em;
}
.example::before, .example > .marker {
display: block;
padding-right: 0em;
}
/** Blockquotes ***************************************************************/
blockquote {
border-color: silver;
border-color: var(--blockquote-border);
background: transparent;
background: var(--blockquote-bg);
color: currentcolor;
color: var(--blockquote-text);
}
/** Open issue ****************************************************************/
.issue {
border-color: #e05252;
border-color: var(--issue-border);
background: #fbe9e9;
background: var(--issue-bg);
color: black;
color: var(--issue-text);
counter-increment: issue;
overflow: auto;
}
.issue::before, .issue > .marker {
color: #831616;
color: var(--issueheading-text);
}
/* Add .issue::before { content: "Issue " counter(issue) " "; } for autogen numbers,
or use class="marker" to mark up the issue number in source. */
/** Example *******************************************************************/
.example {
border-color: #e0cb52;
border-color: var(--example-border);
background: #fcfaee;
background: var(--example-bg);
color: black;
color: var(--example-text);
counter-increment: example;
overflow: auto;
clear: both;
}
.example::before, .example > .marker {
color: #574b0f;
color: var(--exampleheading-text);
}
/* Add .example::before { content: "Example " counter(example) " "; } for autogen numbers,
or use class="marker" to mark up the example number in source. */
/** Non-normative Note ********************************************************/
.note {
border-color: #52e052;
border-color: var(--note-border);
background: #e9fbe9;
background: var(--note-bg);
color: black;
color: var(--note-text);
overflow: auto;
}
.note::before, .note > .marker,
details.note > summary {
color: hsl(120, 70%, 30%);
color: var(--noteheading-text);
}
/* Add .note::before { content: "Note "; } for autogen label,
or use class="marker" to mark up the label in source. */
details.note[open] > summary {
border-bottom: 1px silver solid;
border-bottom: 1px var(--notesummary-underline) solid;
}
/** Assertion Box *************************************************************/
/* for assertions in algorithms */
.assertion {
border-color: #AAA;
border-color: var(--assertion-border);
background: #EEE;
background: var(--assertion-bg);
color: black;
color: var(--assertion-text);
}
/** Advisement Box ************************************************************/
/* for attention-grabbing normative statements */
.advisement {
border-color: orange;
border-color: var(--advisement-border);
border-style: none solid;
background: #fec;
background: var(--advisement-bg);
color: black;
color: var(--advisement-text);
}
strong.advisement {
display: block;
text-align: center;
}
.advisement::before, .advisement > .marker {
color: #b35f00;
color: var(--advisementheading-text);
}
/** Amendment Box *************************************************************/
.amendment, .correction, .addition {
border-color: #330099;
border-color: var(--amendment-border);
background: #F5F0FF;
background: var(--amendment-bg);
color: black;
color: var(--amendment-text);
}
.amendment.proposed, .correction.proposed, .addition.proposed {
border-style: solid;
border-block-width: 0.25em;
}
.amendment::before, .amendment > .marker,
details.amendment > summary::before, details.amendment > summary > .marker,
.correction::before, .correction > .marker,
details.correction > summary::before, details.correction > summary > .marker,
.addition::before, .addition > .marker,
details.addition > summary::before, details.addition > summary > .marker {
color: #220066;
color: var(--amendmentheading-text);
}
.amendment.proposed::before, .amendment.proposed > .marker,
details.amendment.proposed > summary::before, details.amendment.proposed > summary > .marker,
.correction.proposed::before, .correction.proposed > .marker,
details.correction.proposed > summary::before, details.correction.proposed > summary > .marker,
.addition.proposed::before, .addition.proposed > .marker,
details.addition.proposed > summary::before, details.addition.proposed > summary > .marker {
font-weight: bold;
}
/** Spec Obsoletion Notice ****************************************************/
/* obnoxious obsoletion notice for older/abandoned specs. */
details {
display: block;
}
summary {
font-weight: bolder;
}
.annoying-warning:not(details),
details.annoying-warning:not([open]) > summary,
details.annoying-warning[open] {
background: hsla(40,100%,50%,0.95);
background: var(--warning-bg);
color: black;
color: var(--warning-text);
padding: .75em 1em;
border: red;
border: var(--warning-border);
border-style: solid none;
box-shadow: 0 2px 8px black;
text-align: center;
}
.annoying-warning :last-child {
margin-bottom: 0;
}
@media not print {
details.annoying-warning[open] {
position: fixed;
left: 0;
right: 0;
bottom: 2em;
z-index: 1000;
}
}
details.annoying-warning:not([open]) > summary {
text-align: center;
}
/** Entity Definition Boxes ***************************************************/
.def {
padding: .5em 1em;
background: #def;
background: var(--def-bg);
margin: 1.2em 0;
border-left: 0.5em solid #8ccbf2;
border-left: 0.5em solid var(--def-border);
color: black;
color: var(--def-text);
}
/******************************************************************************/
/* Tables */
/******************************************************************************/
th, td {
text-align: left;
text-align: start;
}
/** Property/Descriptor Definition Tables *************************************/
table.def {
/* inherits .def box styling, see above */
width: 100%;
border-spacing: 0;
}
table.def td,
table.def th {
padding: 0.5em;
vertical-align: baseline;
border-bottom: 1px solid #bbd7e9;
border-bottom: 1px solid var(--defrow-border);
}
table.def > tbody > tr:last-child th,
table.def > tbody > tr:last-child td {
border-bottom: 0;
}
table.def th {
font-style: italic;
font-weight: normal;
padding-left: 1em;
width: 3em;
}
/* For when values are extra-complex and need formatting for readability */
table td.pre {
white-space: pre-wrap;
}
/* A footnote at the bottom of a def table */
table.def td.footnote {
padding-top: 0.6em;
}
table.def td.footnote::before {
content: " ";
display: block;
height: 0.6em;
width: 4em;
border-top: thin solid;
}
/** Data tables (and properly marked-up index tables) *************************/
/*
<table class="data"> highlights structural relationships in a table
when correct markup is used (e.g. thead/tbody, th vs. td, scope attribute)
Use class="complex data" for particularly complicated tables --
(This will draw more lines: busier, but clearer.)
Use class="long" on table cells with paragraph-like contents
(This will adjust text alignment accordingly.)
Alternately use class="longlastcol" on tables, to have the last column assume "long".
*/
table {
word-wrap: normal;
overflow-wrap: normal;
hyphens: manual;
}
table.data,
table.index {
margin: 1em auto;
border-collapse: collapse;
border: hidden;
width: 100%;
}
table.data caption,
table.index caption {
max-width: 50em;
margin: 0 auto 1em;
}
table.data td, table.data th,
table.index td, table.index th {
padding: 0.5em 1em;
border-width: 1px;
border-color: silver;
border-color: var(--datacell-border);
border-top-style: solid;
}
table.data thead td:empty {
padding: 0;
border: 0;
}
table.data thead,
table.index thead,
table.data tbody,
table.index tbody {
border-bottom: 2px solid;
}
table.data colgroup,
table.index colgroup {
border-left: 2px solid;
}
table.data tbody th:first-child,
table.index tbody th:first-child {
border-right: 2px solid;
border-top: 1px solid silver;
border-top: 1px solid var(--datacell-border);
padding-right: 1em;
}
table.data th[colspan],
table.data td[colspan] {
text-align: center;
}
table.complex.data th,
table.complex.data td {
border: 1px solid silver;
border: 1px solid var(--datacell-border);
text-align: center;
}
table.data.longlastcol td:last-child,
table.data td.long {
vertical-align: baseline;
text-align: left;
}
table.data img {
vertical-align: middle;
}
/*
Alternate table alignment rules
table.data,
table.index {
text-align: center;
}
table.data thead th[scope="row"],
table.index thead th[scope="row"] {
text-align: right;
}
table.data tbody th:first-child,
table.index tbody th:first-child {
text-align: right;
}
Possible extra rowspan handling
table.data tbody th[rowspan]:not([rowspan='1']),
table.index tbody th[rowspan]:not([rowspan='1']),
table.data tbody td[rowspan]:not([rowspan='1']),
table.index tbody td[rowspan]:not([rowspan='1']) {
border-left: 1px solid silver;
}
table.data tbody th[rowspan]:first-child,
table.index tbody th[rowspan]:first-child,
table.data tbody td[rowspan]:first-child,
table.index tbody td[rowspan]:first-child{
border-left: 0;
border-right: 1px solid silver;
}
*/
/******************************************************************************/
/* Indices */
/******************************************************************************/
/** Table of Contents *********************************************************/
.toc a {
/* More spacing; use padding to make it part of the click target. */
padding: 0.1rem 1px 0;
/* Larger, more consistently-sized click target */
display: block;
/* Switch to using border-bottom for underlines */
text-decoration: none;
border-bottom: 1px solid;
/* Reverse color scheme */
color: black;
color: var(--toclink-text);
border-color: #3980b5;
border-color: var(--toclink-underline);
}
.toc a:visited {
color: black;
color: var(--toclink-visited-text);
border-color: #054572;
border-color: var(--toclink-visited-underline);
}
.toc a:focus,
.toc a:hover {
background: rgba(75%, 75%, 75%, .25);
background: var(--a-hover-bg);
border-bottom-width: 3px;
margin-bottom: -2px;
}
.toc a:not(:focus):not(:hover) {
/* Allow colors to cascade through from link styling */
border-bottom-color: transparent;
}
.toc, .toc ol, .toc ul, .toc li {
list-style: none; /* Numbers must be inlined into source */
/* because generated content isn't search/selectable and markers can't do multilevel yet */
margin: 0;
padding: 0;
}
.toc {
line-height: 1.1em;
}
/* ToC not indented until third level, but font style & margins show hierarchy */
.toc > li { font-weight: bold; }
.toc > li li { font-weight: normal; }
.toc > li li li { font-size: 95%; }
.toc > li li li li { font-size: 90%; }
.toc > li li li li li { font-size: 85%; }
/* @supports not (display:grid) { */
.toc > li { margin: 1.5rem 0; }
.toc > li li { margin: 0.3rem 0; }
.toc > li li li { margin-left: 2rem; }
/* Section numbers in a column of their own */
.toc .secno {
float: left;
width: 4rem;
white-space: nowrap;
}
.toc > li li li li .secno { font-size: 85%; }
.toc > li li li li li .secno { font-size: 100%; }
.toc li {
clear: both;
}
:not(li) > .toc { margin-left: 5rem; }
.toc .secno { margin-left: -5rem; }
.toc > li li li .secno { margin-left: -7rem; }
.toc > li li li li .secno { margin-left: -9rem; }
.toc > li li li li li .secno { margin-left: -11rem; }
/* Tighten up indentation in narrow ToCs */
@media (max-width: 30em) {
:not(li) > .toc { margin-left: 4rem; }
.toc .secno { margin-left: -4rem; }
.toc > li li li { margin-left: 1rem; }
.toc > li li li .secno { margin-left: -5rem; }
.toc > li li li li .secno { margin-left: -6rem; }
.toc > li li li li li .secno { margin-left: -7rem; }
}
/* Loosen it on wide screens */
@media screen and (min-width: 78em) {
body:not(.toc-inline) :not(li) > .toc { margin-left: 4rem; }
body:not(.toc-inline) .toc .secno { margin-left: -4rem; }
body:not(.toc-inline) .toc > li li li { margin-left: 1rem; }
body:not(.toc-inline) .toc > li li li .secno { margin-left: -5rem; }
body:not(.toc-inline) .toc > li li li li .secno { margin-left: -6rem; }
body:not(.toc-inline) .toc > li li li li li .secno { margin-left: -7rem; }
}
/* } */
@supports (display:grid) and (display:contents) {
/* Use #toc over .toc to override non-@supports rules. */
#toc {
display: grid;
align-content: start;
grid-template-columns: auto 1fr;
grid-column-gap: 1rem;
column-gap: 1rem;
grid-row-gap: .6rem;
row-gap: .6rem;
}
#toc h2 {
grid-column: 1 / -1;
margin-bottom: 0;
}
#toc ol,
#toc li,
#toc a {
display: contents;
/* Switch <a> to subgrid when supported */
}
#toc span {
margin: 0;
}
#toc > .toc > li > a > span {
/* The spans of the top-level list,
comprising the first items of each top-level section. */
margin-top: 1.1rem;
}
#toc#toc .secno { /* Ugh, need more specificity to override base.css */
grid-column: 1;
width: auto;
margin-left: 0;
}
#toc .content {
grid-column: 2;
width: auto;
margin-right: 1rem;
border-bottom: 3px solid transparent;
margin-bottom: -3px;
}
#toc .content:hover,
#toc .content:focus {
background: rgba(75%, 75%, 75%, .25);
background: var(--a-hover-bg);
border-bottom-color: #054572;
border-bottom-color: var(--toclink-underline);
}
#toc li li li .content {
margin-left: 1rem;
}
#toc li li li li .content {
margin-left: 2rem;
}
}
/** Index *********************************************************************/
/* Index Lists: Layout */
ul.index { margin-left: 0; columns: 15em; text-indent: 1em hanging; }
ul.index li { margin-left: 0; list-style: none; break-inside: avoid; }
ul.index li li { margin-left: 1em; }
ul.index dl { margin-top: 0; }
ul.index dt { margin: .2em 0 .2em 20px;}
ul.index dd { margin: .2em 0 .2em 40px;}
/* Index Lists: Typography */
ul.index ul,
ul.index dl { font-size: smaller; }
@media not print {
ul.index li a + span {
white-space: nowrap;
color: transparent; }
ul.index li a:hover + span,
ul.index li a:focus + span {
color: #707070;
color: var(--indexinfo-text);
}
}
/** Index Tables *****************************************************/
/* See also the data table styling section, which this effectively subclasses */
table.index {
font-size: small;
border-collapse: collapse;
border-spacing: 0;
text-align: left;
margin: 1em 0;
}
table.index td,
table.index th {
padding: 0.4em;
}
table.index tr:hover td:not([rowspan]),
table.index tr:hover th:not([rowspan]) {
color: black;
color: var(--indextable-hover-text);
background: #f7f8f9;
background: var(--indextable-hover-bg);
}
/* The link in the first column in the property table (formerly a TD) */
table.index th:first-child a {
font-weight: bold;
}
/** Outdated warning **********************************************************/
.outdated-spec {
color: black;
color: var(--outdatedspec-text);
background-color: rgba(0,0,0,0.5);
background-color: var(--outdatedspec-bg);
}
.outdated-warning {
position: fixed;
bottom: 50%;
left: 0;
right: 0;
margin: 0 auto;
width: 50%;
background: maroon;
background: var(--outdated-bg);
color: white;
color: var(--outdated-text);
border-radius: 1em;
box-shadow: 0 0 1em red;
box-shadow: 0 0 1em var(--outdated-shadow);
padding: 2em;
text-align: center;
z-index: 2;
}
.outdated-warning a {
color: currentcolor;
background: transparent;
}
.edited-rec-warning {
background: darkorange;
background: var(--editedrec-bg);
box-shadow: 0 0 1em;
}
.outdated-warning button {
color: var(--outdated-text);
border-radius: 1em;
box-shadow: 0 0 1em red;
box-shadow: 0 0 1em var(--outdated-shadow);
padding: 2em;
text-align: center;
z-index: 2;
}
.outdated-warning a {
color: currentcolor;
background: transparent;
}
.edited-rec-warning {
background: darkorange;
background: var(--editedrec-bg);
box-shadow: 0 0 1em;
}
.outdated-warning button {
position: absolute;
top: 0;
right:0;
margin: 0;
border: 0;
padding: 0.25em 0.5em;
background: transparent;
color: white;
color: var(--outdated-text);
font:1em sans-serif;
text-align:center;
}
.outdated-warning span {
display: block;
}
.outdated-collapsed {
bottom: 0;
border-radius: 0;
width: 100%;
padding: 0;
}
/******************************************************************************/
/* Print */
/******************************************************************************/
@media print {
/* Pages have their own margins. */
html {
margin: 0;
}
/* Serif for print. */
body {
font-family: serif;
}
.outdated-warning {
position: absolute;
border-style: solid;
border-color: red;
}
.outdated-warning input {
display: none;
}
}
@page {
margin: 1.5cm 1.1cm;
}
/******************************************************************************/
/* Overflow Control */
/******************************************************************************/
.figure .caption, .sidefigure .caption, figcaption {
/* in case figure is overlarge, limit caption to 50em */
max-width: 50rem;
margin-left: auto;
margin-right: auto;
}
.overlarge {
/* Magic to create good item positioning:
"content column" is 50ems wide at max; less on smaller screens.
Extra space (after ToC + content) is empty on the right.
1. When item < content column, centers item in column.
2. When content < item < available, left-aligns.
3. When item > available, fills available + scroll bar.
*/
display: grid;
grid-template-columns: minmax(0, 50em);
}
.overlarge > table {
/* limit preferred width of table */
max-width: 50em;
margin-left: auto;
margin-right: auto;
}
@media (min-width: 55em) {
.overlarge {
margin-right: calc(13px + 26.5rem - 50vw);
max-width: none;
}
}
@media screen and (min-width: 78em) {
body:not(.toc-inline) .overlarge {
/* 30.5em body padding 50em content area */
margin-right: calc(40em - 50vw) !important;
}
}
@media screen and (min-width: 90em) {
body:not(.toc-inline) .overlarge {
/* 4em html margin 30.5em body padding 50em content area */
margin-right: calc(84.5em - 100vw) !important;
}
}
@media not print {
.overlarge {
overflow-x: auto;
/* See Lea Verou's explanation background-attachment:
* http://lea.verou.me/2012/04/background-attachment-local/
*
background: top left / 4em 100% linear-gradient(to right, #ffffff, rgba(255, 255, 255, 0)) local,
top right / 4em 100% linear-gradient(to left, #ffffff, rgba(255, 255, 255, 0)) local,
top left / 1em 100% linear-gradient(to right, #c3c3c5, rgba(195, 195, 197, 0)) scroll,
top right / 1em 100% linear-gradient(to left, #c3c3c5, rgba(195, 195, 197, 0)) scroll,
white;
background-repeat: no-repeat;
*/
}
}
</style>
<style>
</style>
<meta content="Bikeshed version 5d4d5b9a8, updated Fri Apr 17 13:49:40 2026 -0700" name="generator">
<link href="https://www.sr2.uk/policy/password-auth/" rel="canonical">
<meta content="1ad26e6266d3cfc379f0a1c23beecbb29d167442" name="revision">
<meta content="dark light" name="color-scheme">
<style>/* Boilerplate: style-autolinks */
.css.css, .property.property, .descriptor.descriptor {
color: var(--a-normal-text);
font-size: inherit;
font-family: inherit;
}
.css::before, .property::before, .descriptor::before {
content: "";
}
.css::after, .property::after, .descriptor::after {
content: "";
}
.property, .descriptor {
/* Don't wrap property and descriptor names */
white-space: nowrap;
}
.type { /* CSS value <type> */
font-style: italic;
}
pre .property::before, pre .property::after {
content: "";
}
[data-link-type="property"]::before,
[data-link-type="propdesc"]::before,
[data-link-type="descriptor"]::before,
[data-link-type="value"]::before,
[data-link-type="function"]::before,
[data-link-type="at-rule"]::before,
[data-link-type="selector"]::before,
[data-link-type="maybe"]::before {
content: "";
}
[data-link-type="property"]::after,
[data-link-type="propdesc"]::after,
[data-link-type="descriptor"]::after,
[data-link-type="value"]::after,
[data-link-type="function"]::after,
[data-link-type="at-rule"]::after,
[data-link-type="selector"]::after,
[data-link-type="maybe"]::after {
content: "";
}
[data-link-type].production::before,
[data-link-type].production::after,
.prod [data-link-type]::before,
.prod [data-link-type]::after {
content: "";
}
[data-link-type=element],
[data-link-type=element-attr] {
font-family: Menlo, Consolas, "DejaVu Sans Mono", monospace;
font-size: .9em;
}
[data-link-type=element]::before { content: "<" }
[data-link-type=element]::after { content: ">" }
[data-link-type=biblio] {
white-space: pre;
}
@media (prefers-color-scheme: dark) {
:root {
--selflink-text: black;
--selflink-bg: silver;
--selflink-hover-text: white;
}
}
</style>
<style>/* Boilerplate: style-colors */
/* Any --*-text not paired with a --*-bg is assumed to have a transparent bg */
:root {
color-scheme: light dark;
--text: black;
--bg: white;
--unofficial-watermark: url(https://www.w3.org/StyleSheets/TR/2016/logos/UD-watermark);
--logo-bg: #1a5e9a;
--logo-active-bg: #c00;
--logo-text: white;
--tocnav-normal-text: #707070;
--tocnav-normal-bg: var(--bg);
--tocnav-hover-text: var(--tocnav-normal-text);
--tocnav-hover-bg: #f8f8f8;
--tocnav-active-text: #c00;
--tocnav-active-bg: var(--tocnav-normal-bg);
--tocsidebar-text: var(--text);
--tocsidebar-bg: #f7f8f9;
--tocsidebar-shadow: rgba(0,0,0,.1);
--tocsidebar-heading-text: hsla(203,20%,40%,.7);
--toclink-text: var(--text);
--toclink-underline: #3980b5;
--toclink-visited-text: var(--toclink-text);
--toclink-visited-underline: #054572;
--heading-text: #005a9c;
--hr-text: var(--text);
--algo-border: #def;
--del-text: red;
--del-bg: transparent;
--ins-text: #080;
--ins-bg: transparent;
--a-normal-text: #034575;
--a-normal-underline: #bbb;
--a-visited-text: var(--a-normal-text);
--a-visited-underline: #707070;
--a-hover-bg: rgba(75%, 75%, 75%, .25);
--a-active-text: #c00;
--a-active-underline: #c00;
--blockquote-border: silver;
--blockquote-bg: transparent;
--blockquote-text: currentcolor;
--issue-border: #e05252;
--issue-bg: #fbe9e9;
--issue-text: var(--text);
--issueheading-text: #831616;
--example-border: #e0cb52;
--example-bg: #fcfaee;
--example-text: var(--text);
--exampleheading-text: #574b0f;
--note-border: #52e052;
--note-bg: #e9fbe9;
--note-text: var(--text);
--noteheading-text: hsl(120, 70%, 30%);
--notesummary-underline: silver;
--assertion-border: #aaa;
--assertion-bg: #eee;
--assertion-text: black;
--advisement-border: orange;
--advisement-bg: #fec;
--advisement-text: var(--text);
--advisementheading-text: #b35f00;
--warning-border: red;
--warning-bg: hsla(40,100%,50%,0.95);
--warning-text: var(--text);
--amendment-border: #330099;
--amendment-bg: #F5F0FF;
--amendment-text: var(--text);
--amendmentheading-text: #220066;
--def-border: #8ccbf2;
--def-bg: #def;
--def-text: var(--text);
--defrow-border: #bbd7e9;
--datacell-border: silver;
--indexinfo-text: #707070;
--indextable-hover-text: black;
--indextable-hover-bg: #f7f8f9;
--outdatedspec-bg: rgba(0, 0, 0, .5);
--outdatedspec-text: black;
--outdated-bg: maroon;
--outdated-text: white;
--outdated-shadow: red;
--editedrec-bg: darkorange;
}
@media (prefers-color-scheme: dark) {
:root {
--text: #ddd;
--bg: black;
--unofficial-watermark: url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='400' height='400'%3E%3Cg fill='%23100808' transform='translate(200 200) rotate(-45) translate(-200 -200)' stroke='%23100808' stroke-width='3'%3E%3Ctext x='50%25' y='220' style='font: bold 70px sans-serif; text-anchor: middle; letter-spacing: 6px;'%3EUNOFFICIAL%3C/text%3E%3Ctext x='50%25' y='305' style='font: bold 70px sans-serif; text-anchor: middle; letter-spacing: 6px;'%3EDRAFT%3C/text%3E%3C/g%3E%3C/svg%3E");
--logo-bg: #1a5e9a;
--logo-active-bg: #c00;
--logo-text: white;
--tocnav-normal-text: #999;
--tocnav-normal-bg: var(--bg);
--tocnav-hover-text: var(--tocnav-normal-text);
--tocnav-hover-bg: #080808;
--tocnav-active-text: #f44;
--tocnav-active-bg: var(--tocnav-normal-bg);
--tocsidebar-text: var(--text);
--tocsidebar-bg: #080808;
--tocsidebar-shadow: rgba(255,255,255,.1);
--tocsidebar-heading-text: hsla(203,20%,40%,.7);
--toclink-text: var(--text);
--toclink-underline: #6af;
--toclink-visited-text: var(--toclink-text);
--toclink-visited-underline: #054572;
--heading-text: #8af;
--hr-text: var(--text);
--algo-border: #456;
--del-text: #f44;
--del-bg: transparent;
--ins-text: #4a4;
--ins-bg: transparent;
--a-normal-text: #6af;
--a-normal-underline: #555;
--a-visited-text: var(--a-normal-text);
--a-visited-underline: var(--a-normal-underline);
--a-hover-bg: rgba(25%, 25%, 25%, .2);
--a-active-text: #f44;
--a-active-underline: var(--a-active-text);
--borderedblock-bg: rgba(255, 255, 255, .05);
--blockquote-border: silver;
--blockquote-bg: var(--borderedblock-bg);
--blockquote-text: currentcolor;
--issue-border: #e05252;
--issue-bg: var(--borderedblock-bg);
--issue-text: var(--text);
--issueheading-text: hsl(0deg, 70%, 70%);
--example-border: hsl(50deg, 90%, 60%);
--example-bg: var(--borderedblock-bg);
--example-text: var(--text);
--exampleheading-text: hsl(50deg, 70%, 70%);
--note-border: hsl(120deg, 100%, 35%);
--note-bg: var(--borderedblock-bg);
--note-text: var(--text);
--noteheading-text: hsl(120, 70%, 70%);
--notesummary-underline: silver;
--assertion-border: #444;
--assertion-bg: var(--borderedblock-bg);
--assertion-text: var(--text);
--advisement-border: orange;
--advisement-bg: #222218;
--advisement-text: var(--text);
--advisementheading-text: #f84;
--warning-border: red;
--warning-bg: hsla(40,100%,20%,0.95);
--warning-text: var(--text);
--amendment-border: #330099;
--amendment-bg: #080010;
--amendment-text: var(--text);
--amendmentheading-text: #cc00ff;
--def-border: #8ccbf2;
--def-bg: #080818;
--def-text: var(--text);
--defrow-border: #136;
--datacell-border: silver;
--indexinfo-text: #aaa;
--indextable-hover-text: var(--text);
--indextable-hover-bg: #181818;
--outdatedspec-bg: rgba(255, 255, 255, .5);
--outdatedspec-text: black;
--outdated-bg: maroon;
--outdated-text: white;
--outdated-shadow: red;
--editedrec-bg: darkorange;
}
/* In case a transparent-bg image doesn't expect to be on a dark bg,
which is quite common in practice... */
img { background: white; }
}
</style>
<style>/* Boilerplate: style-counters */
body {
counter-reset: example figure issue table;
}
.issue {
counter-increment: issue;
}
.issue:not(.no-marker)::before {
content: "Issue " counter(issue);
}
.example {
counter-increment: example;
}
.example:not(.no-marker)::before {
content: "Example " counter(example);
}
.invalid.example:not(.no-marker)::before,
.illegal.example:not(.no-marker)::before {
content: "Invalid Example " counter(example);
}
figcaption {
counter-increment: figure;
}
figcaption:not(.no-marker)::before {
content: "Figure " counter(figure) " ";
}
figure.table figcaption {
counter-increment: table;
}
figure.table figcaption:not(.no-marker)::before {
content: "Table " counter(table) " ";
}
</style>
<style>/* Boilerplate: style-issues */
a[href].issue-return {
float: right;
float: inline-end;
color: var(--issueheading-text);
font-weight: bold;
text-decoration: none;
}
</style>
<style>/* Boilerplate: style-md-lists */
/* This is a weird hack for me not yet following the commonmark spec
regarding paragraph and lists. */
[data-md] > :first-child {
margin-top: 0;
}
[data-md] > :last-child {
margin-bottom: 0;
}
</style>
<style>/* Boilerplate: style-selflinks */
:root {
--selflink-text: white;
--selflink-bg: gray;
--selflink-hover-text: black;
}
.heading, .issue, .note, .example, li, dt {
position: relative;
}
a.self-link {
position: absolute;
top: 0;
left: calc(-1 * (3.5rem - 26px));
width: calc(3.5rem - 26px);
height: 2em;
text-align: center;
border: none;
transition: opacity .2s;
opacity: .5;
}
a.self-link:hover {
opacity: 1;
}
.heading > a.self-link {
font-size: 83%;
}
.example > a.self-link,
.note > a.self-link,
.issue > a.self-link {
/* These blocks are overflow:auto, so positioning outside
doesn't work. */
left: auto;
right: 0;
}
li > a.self-link {
left: calc(-1 * (3.5rem - 26px) - 2em);
}
dfn > a.self-link {
top: auto;
left: auto;
opacity: 0;
width: 1.5em;
height: 1.5em;
background: var(--selflink-bg);
color: var(--selflink-text);
font-style: normal;
transition: opacity .2s, background-color .2s, color .2s;
}
dfn:hover > a.self-link {
opacity: 1;
}
dfn > a.self-link:hover {
color: var(--selflink-hover-text);
}
a.self-link::before { content: "¶"; }
.heading > a.self-link::before { content: "§"; }
dfn > a.self-link::before { content: "#"; }
</style>
<body class="h-entry">
<div class="head">
<p style="background-color: #000; padding: 10px; font-size: large; font-weight: bold; color: #fff; float: right;">TLP:CLEAR</p>
<img alt="SR2 Communications Limited" src="https://www.sr2.uk/images/logo.png" style="margin-bottom: 10px;" width="400">
<h1>Passwords and Authentication Policy</h1>
<h2 class="heading no-num no-ref no-toc settled" id="subtitle"><span class="content">Draft for Approval by Company Directors,
<span class="dt-updated"><span class="value-title" title="20260422">22 April 2026</span></span>
</span></h2>
<div data-fill-with="spec-metadata">
<dl>
<dt>Latest published version:
<dd><a href="https://www.sr2.uk/policy/password-auth/">https://www.sr2.uk/policy/password-auth/</a>
<dt>Version:
<dd>1.0
</dl>
</div>
<div data-fill-with="warning"></div>
<p class="copyright" data-fill-with="copyright">© <a href="https://www.sr2.uk/">SR2 Communications Limited</a>.
This document is licensed under <a href="https://creativecommons.org/licenses/by/4.0/">CC BY 4.0</a>.
<img alt src="https://mirrors.creativecommons.org/presskit/icons/cc.svg" style="max-width: 1em;max-height:1em;margin-left: .2em;"><img alt src="https://mirrors.creativecommons.org/presskit/icons/by.svg" style="max-width: 1em;max-height:1em;margin-left: .2em;"></p>
<hr title="Separator for header">
</div>
<div class="p-summary" data-fill-with="abstract">
<h2 class="heading no-num no-ref no-toc settled" id="abstract"><span class="content">Abstract</span></h2>
<p>A policy defining an effective authentication management procedures when conducting company-related business.</p>
</div>
<div data-fill-with="at-risk"></div>
<nav data-fill-with="table-of-contents" id="toc">
<h2 class="no-num no-ref no-toc" id="contents">Table of Contents</h2>
<ol class="toc">
<li><a href="#objective"><span class="secno">1</span> <span class="content">Objective</span></a>
<li><a href="#scope"><span class="secno">2</span> <span class="content">Scope</span></a>
<li><a href="#definitions"><span class="secno">3</span> <span class="content">Definitions</span></a>
<li>
<a href="#policy"><span class="secno">4</span> <span class="content">Policy</span></a>
<ol class="toc">
<li><a href="#passwords"><span class="secno">4.1</span> <span class="content">Password Authentication</span></a>
<li><a href="#mfa"><span class="secno">4.2</span> <span class="content">Multi-Factor Authentication</span></a>
<li><a href="#cloud"><span class="secno">4.3</span> <span class="content">Credentials for Cloud-Based Systems and Online Portals</span></a>
<li><a href="#compromise"><span class="secno">4.4</span> <span class="content">Credential Compromise Policy</span></a>
</ol>
<li><a href="#conformance"><span class="secno"></span> <span class="content">
Conformance</span></a>
<li>
<a href="#references"><span class="secno"></span> <span class="content">References</span></a>
<ol class="toc">
<li><a href="#normative"><span class="secno"></span> <span class="content">Normative References</span></a>
</ol>
</ol>
</nav>
<main>
<h2 class="heading settled" data-level="1" id="objective"><span class="secno">1. </span><span class="content">Objective</span><a class="self-link" href="#objective"></a></h2>
<p>This policy defines an effective authentication management procedures when conducting company-related business and
includes the:</p>
<ul>
<li data-md>
<p>issuing and selection of strong authentication methods and credentials;</p>
<li data-md>
<p>protection of secret authentication credentials;</p>
<li data-md>
<p>frequency of change in terms of authentication credentials;</p>
<li data-md>
<p>reporting of any suspected breach or lost authentication credentials;</p>
<li data-md>
<p>use of authentication methods with third party systems (including cloud technology).</p>
</ul>
<p>Authentication is a key method of securing our information choosing weak authentication methods, or failing to keep
the authentication credentials secure, places the confidentiality of our data at risk.</p>
<h2 class="heading settled" data-level="2" id="scope"><span class="secno">2. </span><span class="content">Scope</span><a class="self-link" href="#scope"></a></h2>
<p>The scope of the policy covers all individuals either employed or contracted to work with or for the company, either
in-office or remotely.</p>
<h2 class="heading settled" data-level="3" id="definitions"><span class="secno">3. </span><span class="content">Definitions</span><a class="self-link" href="#definitions"></a></h2>
<dl>
<dt data-md>Authentication method
<dd data-md>
<p>Any method by which a user may authenticate themselves in order to gain access to a location, data or service, such
as text entry (e.g. passwords, passphrases, PINs), biometrics (e.g. fingerprints), etc.</p>
<dt data-md>Authentication credentials
<dd data-md>
<p>The specific data or information used by a user to authenticate themselves, including but not limited to passwords,
passphrases, PINs, and biometric data.</p>
<dt data-md>Multi-Factor Authentication (MFA)
<dd data-md>
<p>An authentication method that requires the user to provide two or more verification factors to gain access, such as
something they know (e.g., password), something they have (e.g., a security token or mobile device), and/or
something they are (e.g., biometric data).</p>
<dt data-md>Cloud-based system
<dd data-md>
<p>A service or platform hosted over the internet that allows users to access data, applications and services remotely.</p>
<dt data-md>Password manager
<dd data-md>
<p>A software product used for the secure storage of passwords, which must be approved for use, and includes functions
for generating strong passwords compliant with this policy.</p>
</dl>
<h2 class="heading settled" data-level="4" id="policy"><span class="secno">4. </span><span class="content">Policy</span><a class="self-link" href="#policy"></a></h2>
<p>Authentication method covers any methods by which a user may authenticate themselves in order to gain access to a
location, data or service, such as text entry (e.g. passwords, passphrases, PINs), biometrics (e.g. fingerprints), etc.
The company ensures that authentication credentials are kept confidential by:</p>
<ul>
<li data-md>
<p>storing authentication credentials in a secure manner;</p>
<li data-md>
<p>changing manufacturer default authentication credentials and disabling guest accounts on all equipment;</p>
<li data-md>
<p>issuing new users with temporary authentication credentials, which must be changed at first login to a stronger
alternative (defined later);</p>
<li data-md>
<p>authentication credentials issued to new users are done so in a secure manner (e.g. never in clear text via an email);</p>
<li data-md>
<p>changing all multi-user credentials (e.g. for communal equipment) used by an employee in the event that their
employment ends;</p>
<li data-md>
<p>ensuring that access to user credentials is limited to ICT administrators for the purpose of resetting, revoking or
problem resolution authentication methods may only be reset once the identity of the user has been verified;</p>
<li data-md>
<p>locking accounts after 5 failed login attempts in order to dissuade brute-forcing attempts;</p>
<li data-md>
<p>training staff in the use of digital password managers, and the risks of storing passwords in any other form (such as
a notebook at their workstation, or Post-It note).</p>
</ul>
<p>Users must ensure that they do all they can to maintain the confidentiality of their authentication credentials by
never:</p>
<ul>
<li data-md>
<p>using company authentication credentials for any other account they hold (including personal accounts such as home
utilities, email, online shopping services, etc);</p>
<li data-md>
<p>having a physical copy of their credentials;</p>
<li data-md>
<p>using a non-approved method for password generation;</p>
<li data-md>
<p>entering authentication credentials on non-company equipment (for example, home or public access PCs);</p>
<li data-md>
<p>revealing authentication credentials to anyone, including line managers, unless relaying information on temporary
credentials which are changed immediately upon next login. This includes never
sharing authentication credentials with co-workers (e.g. whilst on annual leave);</p>
<li data-md>
<p>discussing authentication credentials in front of others.</p>
</ul>
<h3 class="heading settled" data-level="4.1" id="passwords"><span class="secno">4.1. </span><span class="content">Password Authentication</span><a class="self-link" href="#passwords"></a></h3>
<p>Many services and policies only allow for password authentication methods, and so they are given a special focus here.
Strong passwords MUST be used for authentication. The company defines a strong password as one generated by one of two
processes: random string generation by a password manager or using diceware <a data-link-type="biblio" href="#biblio-eff-dice" title="EFF Dice-Generated Passphrases">[EFF-DICE]</a>.</p>
<p>Where a password is to be stored in a password manager, it MUST be randomly generated by the password manager with the
parameters:</p>
<ul>
<li data-md>
<p>having a minimum number of 14 characters in length;</p>
<li data-md>
<p>using longer passwords where permitted by the service;</p>
<li data-md>
<p>including a mixture of numbers, upper and lower case letters, and special characters.</p>
</ul>
<p>Where special characters are not possible due to technical restrictions, the minimum length is 20 characters.</p>
<p>For the avoidance of doubt, weak passwords must never be used. Weak, text-based authentication credentials generally
have one or more of the following characteristics:</p>
<ul>
<li data-md>
<p>credential is the same, or partly the same, as the username;</p>
<li data-md>
<p>names of family members, friends, or pets are used;</p>
<li data-md>
<p>personal information about yourself or family members which can be easily found from social networking sites,
including date of birth, phone number, street name, etc.;</p>
<li data-md>
<p>consecutive alphanumeric characters or keys on the keyboard, such as abc123 or qwerty;</p>
<li data-md>
<p>dictionary words including the inclusion of a number or character at the start or end or substituting numbers or
punctuation for letters, for example, P@55w0rd;</p>
<li data-md>
<p>a known word from any language (which may not be in a dictionary).</p>
</ul>
<p>For passwords that are intended to be memorised, the MUST be generated using diceware. The above restrictions likely
will not be met using this method as the intention is to provide a strong password that is easy to remember, and the
strength comes from the underlying dice rolls. Any other method of generating a passphrase MUST NOT be used even if it
results in one that bears similarity to a diceware-generated passphrase.</p>
<p>Memorised passphrases generated with diceware SHOULD be used for:</p>
<ul>
<li data-md>
<p>end-user device login passphrase;</p>
<li data-md>
<p>password manager decryption passphrase.</p>
</ul>
<h3 class="heading settled" data-level="4.2" id="mfa"><span class="secno">4.2. </span><span class="content">Multi-Factor Authentication</span><a class="self-link" href="#mfa"></a></h3>
<p>Wherever the option is offered by a given service or piece of software, multi-factor authentication is to be used (e.g.
a fingerprint and a passphrase, or a voice sample, PIN and verification SMS).</p>
<p>Where a hardware token is in use to authenticate to a system without a password, the token itself MUST be secured with
a memorised PIN of at least 6 digits.</p>
<h3 class="heading settled" data-level="4.3" id="cloud"><span class="secno">4.3. </span><span class="content">Credentials for Cloud-Based Systems and Online Portals</span><a class="self-link" href="#cloud"></a></h3>
<p>It is to be remembered that the company makes use of cloud-based technology and online portals, which may not enforce
strong authentication credentials. It is therefore up to the individual to ensure a good authentication regime is
maintained, which is as strong as that used within the organisation. In line with the companys "Internet Use
Policy", users shall:</p>
<ul>
<li data-md>
<p>not create an online account for business purposes without authorisation from a director;</p>
<li data-md>
<p>advise a director when there is no longer a need to have the online account in order to ensure that it is
removed.</p>
</ul>
<h3 class="heading settled" data-level="4.4" id="compromise"><span class="secno">4.4. </span><span class="content">Credential Compromise Policy</span><a class="self-link" href="#compromise"></a></h3>
<p>In the event of a credential compromise, users SHALL take immediate action to secure the account by resetting or
invalidating the credentials and report the incident to a director as soon as practical.
It is policy that any password compromise event will be shared with CiviCERT members via the MISP platform to allow for
shared learning from the incident.
Directors will be responsible for determining if a data breach notification is necessary to our clients or to the
Information Commissioners Office.</p>
</main>
<div data-fill-with="conformance">
<h2 class="heading no-num no-ref settled" id="conformance"><span class="content">
Conformance</span><a class="self-link" href="#conformance"></a></h2>
<p>
Conformance requirements are expressed with a combination of descriptive assertions and RFC 2119 terminology.
The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL”
in the normative parts of this document
are to be interpreted as described in RFC 2119.
However, for readability,
these words do not appear in all uppercase letters in this specification.
</p>
<p>
All of the text of this specification is normative
except sections explicitly marked as non-normative, examples, and notes. <a data-link-type="biblio" href="#biblio-rfc2119" title="Key words for use in RFCs to Indicate Requirement Levels">[RFC2119]</a>
</p>
<p>
Examples in this specification are introduced with the words “for example”
or are set apart from the normative text with <code>class="example"</code>, like this:
</p>
<div class="example" id="example-example"><a class="self-link" href="#example-example"></a>
This is an example of an informative example.
</div>
<p>
Informative notes begin with the word “Note”
and are set apart from the normative text with <code>class="note"</code>, like this:
</p>
<p class="note" role="note">
Note, this is an informative note.</p>
</div>
<script>
(function() {
"use strict";
var collapseSidebarText = '<span aria-hidden="true">←</span> '
+ '<span>Collapse Sidebar</span>';
var expandSidebarText = '<span aria-hidden="true">→</span> '
+ '<span>Pop Out Sidebar</span>';
var tocJumpText = '<span aria-hidden="true">↑</span> '
+ '<span>Jump to Table of Contents</span>';
var sidebarMedia = window.matchMedia('screen and (min-width: 78em)');
var autoToggle = function(e){ toggleSidebar(e.matches) };
if(sidebarMedia.addListener) {
sidebarMedia.addListener(autoToggle);
}
function toggleSidebar(on) {
if (on == undefined) {
on = !document.body.classList.contains('toc-sidebar');
}
/* Don't scroll to compensate for the ToC if we're above it already. */
var headY = 0;
var head = document.querySelector('.head');
if (head) {
// terrible approx of "top of ToC"
headY += head.offsetTop + head.offsetHeight;
}
var skipScroll = window.scrollY < headY;
var toggle = document.getElementById('toc-toggle');
var tocNav = document.getElementById('toc');
if (on) {
var tocHeight = tocNav.offsetHeight;
document.body.classList.add('toc-sidebar');
document.body.classList.remove('toc-inline');
toggle.innerHTML = collapseSidebarText;
if (!skipScroll) {
window.scrollBy(0, 0 - tocHeight);
}
tocNav.focus();
sidebarMedia.addListener(autoToggle); // auto-collapse when out of room
}
else {
document.body.classList.add('toc-inline');
document.body.classList.remove('toc-sidebar');
toggle.innerHTML = expandSidebarText;
if (!skipScroll) {
window.scrollBy(0, tocNav.offsetHeight);
}
if (toggle.matches(':hover')) {
/* Unfocus button when not using keyboard navigation,
because I don't know where else to send the focus. */
toggle.blur();
}
}
}
function createSidebarToggle() {
/* Create the sidebar toggle in JS; it shouldn't exist when JS is off. */
var toggle = document.createElement('a');
/* This should probably be a button, but appearance isn't standards-track.*/
toggle.id = 'toc-toggle';
toggle.class = 'toc-toggle';
toggle.href = '#toc';
toggle.innerHTML = collapseSidebarText;
sidebarMedia.addListener(autoToggle);
var toggler = function(e) {
e.preventDefault();
sidebarMedia.removeListener(autoToggle); // persist explicit off states
toggleSidebar();
return false;
}
toggle.addEventListener('click', toggler, false);
/* Get <nav id=toc-nav>, or make it if we don't have one. */
var tocNav = document.getElementById('toc-nav');
if (!tocNav) {
tocNav = document.createElement('p');
tocNav.id = 'toc-nav';
/* Prepend for better keyboard navigation */
document.body.insertBefore(tocNav, document.body.firstChild);
}
/* While we're at it, make sure we have a Jump to Toc link. */
var tocJump = document.getElementById('toc-jump');
if (!tocJump) {
tocJump = document.createElement('a');
tocJump.id = 'toc-jump';
tocJump.href = '#toc';
tocJump.innerHTML = tocJumpText;
tocNav.appendChild(tocJump);
}
tocNav.appendChild(toggle);
}
var toc = document.getElementById('toc');
if (toc) {
createSidebarToggle();
toggleSidebar(sidebarMedia.matches);
/* If the sidebar has been manually opened and is currently overlaying the text
(window too small for the MQ to add the margin to body),
then auto-close the sidebar once you click on something in there. */
toc.addEventListener('click', function(e) {
if(e.target.tagName.toLowerCase() == "a" && document.body.classList.contains('toc-sidebar') && !sidebarMedia.matches) {
toggleSidebar(false);
}
}, false);
}
else {
console.warn("Can't find Table of Contents. Please use <nav id='toc'> around the ToC.");
}
/* Wrap tables in case they overflow */
var tables = document.querySelectorAll(':not(.overlarge) > table.data, :not(.overlarge) > table.index');
var numTables = tables.length;
for (var i = 0; i < numTables; i++) {
var table = tables[i];
var wrapper = document.createElement('div');
wrapper.className = 'overlarge';
table.parentNode.insertBefore(wrapper, table);
wrapper.appendChild(table);
}
})();
</script>
<h2 class="heading no-num no-ref settled" id="references"><span class="content">References</span><a class="self-link" href="#references"></a></h2>
<h3 class="heading no-num no-ref settled" id="normative"><span class="content">Normative References</span><a class="self-link" href="#normative"></a></h3>
<dl>
<dt id="biblio-eff-dice">[EFF-DICE]
<dd><a href="https://www.eff.org/dice"><cite>EFF Dice-Generated Passphrases</cite></a>. URL: <a href="https://www.eff.org/dice">https://www.eff.org/dice</a>
<dt id="biblio-rfc2119">[RFC2119]
<dd>S. Bradner. <a href="https://datatracker.ietf.org/doc/html/rfc2119"><cite>Key words for use in RFCs to Indicate Requirement Levels</cite></a>. March 1997. Best Current Practice. URL: <a href="https://datatracker.ietf.org/doc/html/rfc2119">https://datatracker.ietf.org/doc/html/rfc2119</a>
</dl>
Reference in a new issue View git blame Copy permalink