sr2/www.sr2.uk
5
0
Fork 2
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
www.sr2.uk/policies/password_auth.bs
irl f66adc0b65
All checks were successful
ci / build_and_publish (push) Successful in 23s
Details
feat: adds some draft policies
2026-04-22 11:54:58 +01:00

147 lines
8.3 KiB
Text
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<h1>Passwords and Authentication Policy</h1>
<pre class="metadata">
Status: DREAM
Local Boilerplate: header yes, copyright yes, defaults yes
Boilerplate: status no
TR: https://www.sr2.uk/policies/password-auth/
Shortname: password-auth
Complain About: accidental-2119 yes
No Editor: true
!Version: 1.0
Abstract: A policy defining an effective authentication management procedures when conducting company-related business.
</pre>
# Objective # {#objective}
This policy defines an effective authentication management procedures when conducting company-related business and
includes the:
* issuing and selection of strong authentication methods and credentials;
* protection of secret authentication credentials;
* frequency of change in terms of authentication credentials;
* reporting of any suspected breach or lost authentication credentials;
* use of authentication methods with third party systems (including cloud technology).
Authentication is a key method of securing our information choosing weak authentication methods, or failing to keep
the authentication credentials secure, places the confidentiality of our data at risk.
# Scope # {#scope}
The scope of the policy covers all individuals either employed or contracted to work with or for the company, either
in-office or remotely.
# Definitions # {#definitions}
: Authentication method
:: Any method by which a user may authenticate themselves in order to gain access to a location, data or service, such
as text entry (e.g. passwords, passphrases, PINs), biometrics (e.g. fingerprints), etc.
: Authentication credentials
:: The specific data or information used by a user to authenticate themselves, including but not limited to passwords,
passphrases, PINs, and biometric data.
: Multi-Factor Authentication (MFA)
:: An authentication method that requires the user to provide two or more verification factors to gain access, such as
something they know (e.g., password), something they have (e.g., a security token or mobile device), and/or
something they are (e.g., biometric data).
: Cloud-based system
:: A service or platform hosted over the internet that allows users to access data, applications and services remotely.
: Password manager
:: A software product used for the secure storage of passwords, which must be approved for use, and includes functions
for generating strong passwords compliant with this policy.
# Policy # {#policy}
Authentication method covers any methods by which a user may authenticate themselves in order to gain access to a
location, data or service, such as text entry (e.g. passwords, passphrases, PINs), biometrics (e.g. fingerprints), etc.
The company ensures that authentication credentials are kept confidential by:
- storing authentication credentials in a secure manner;
- changing manufacturer default authentication credentials and disabling guest accounts on all equipment;
- issuing new users with temporary authentication credentials, which must be changed at first login to a stronger
alternative (defined later);
- authentication credentials issued to new users are done so in a secure manner (e.g. never in clear text via an email);
- changing all multi-user credentials (e.g. for communal equipment) used by an employee in the event that their
employment ends;
- ensuring that access to user credentials is limited to ICT administrators for the purpose of resetting, revoking or
problem resolution authentication methods may only be reset once the identity of the user has been verified;
- locking accounts after 5 failed login attempts in order to dissuade brute-forcing attempts;
- training staff in the use of digital password managers, and the risks of storing passwords in any other form (such as
a notebook at their workstation, or Post-It note).
Users must ensure that they do all they can to maintain the confidentiality of their authentication credentials by
never:
- using company authentication credentials for any other account they hold (including personal accounts such as home
utilities, email, online shopping services, etc);
- having a physical copy of their credentials;
- using a non-approved method for password generation;
- entering authentication credentials on non-company equipment (for example, home or public access PCs);
- revealing authentication credentials to anyone, including line managers, unless relaying information on temporary
credentials which are changed immediately upon next login. This includes never
sharing authentication credentials with co-workers (e.g. whilst on annual leave);
- discussing authentication credentials in front of others.
## Password Authentication ## {#passwords}
Many services and policies only allow for password authentication methods, and so they are given a special focus here.
Strong passwords MUST be used for authentication. The company defines a strong password as one generated by one of two
processes: random string generation by a password manager or using diceware [[!EFF-DICE]].
Where a password is to be stored in a password manager, it MUST be randomly generated by the password manager with the
parameters:
- having a minimum number of 14 characters in length;
- using longer passwords where permitted by the service;
- including a mixture of numbers, upper and lower case letters, and special characters.
Where special characters are not possible due to technical restrictions, the minimum length is 20 characters.
For the avoidance of doubt, weak passwords must never be used. Weak, text-based authentication credentials generally
have one or more of the following characteristics:
- credential is the same, or partly the same, as the username;
- names of family members, friends, or pets are used;
- personal information about yourself or family members which can be easily found from social networking sites,
including date of birth, phone number, street name, etc.;
- consecutive alphanumeric characters or keys on the keyboard, such as abc123 or qwerty;
- dictionary words including the inclusion of a number or character at the start or end or substituting numbers or
punctuation for letters, for example, P@55w0rd;
- a known word from any language (which may not be in a dictionary).
For passwords that are intended to be memorised, the MUST be generated using diceware. The above restrictions likely
will not be met using this method as the intention is to provide a strong password that is easy to remember, and the
strength comes from the underlying dice rolls. Any other method of generating a passphrase MUST NOT be used even if it
results in one that bears similarity to a diceware-generated passphrase.
Memorised passphrases generated with diceware SHOULD be used for:
- end-user device login passphrase;
- password manager decryption passphrase.
## Multi-Factor Authentication ## {#mfa}
Wherever the option is offered by a given service or piece of software, multi-factor authentication is to be used (e.g.
a fingerprint and a passphrase, or a voice sample, PIN and verification SMS).
Where a hardware token is in use to authenticate to a system without a password, the token itself MUST be secured with
a memorised PIN of at least 6 digits.
## Credentials for Cloud-Based Systems and Online Portals ## {#cloud}
It is to be remembered that the company makes use of cloud-based technology and online portals, which may not enforce
strong authentication credentials. It is therefore up to the individual to ensure a good authentication regime is
maintained, which is as strong as that used within the organisation. In line with the companys "Internet Use
Policy", users shall:
- not create an online account for business purposes without authorisation from a director;
- advise a director when there is no longer a need to have the online account in order to ensure that it is
removed.
## Credential Compromise Policy ## {#compromise}
In the event of a credential compromise, users SHALL take immediate action to secure the account by resetting or
invalidating the credentials and report the incident to a director as soon as practical.
It is policy that any password compromise event will be shared with CiviCERT members via the MISP platform to allow for
shared learning from the incident.
Directors will be responsible for determining if a data breach notification is necessary to our clients or to the
Information Commissioners Office.
Reference in a new issue View git blame Copy permalink