Passwords are a critical component of information security. Passwords serve to protect user accounts; however, a poorly constructed password may result in the compromise of individual systems, data, or networks. These password construction guidelines (“Guidelines”) aim to provide an overview of the best practices for creating secure passwords.
The purpose of these Guidelines is to provide best practices for the creation of strong passwords.
These Guidelines are applicable to employees, users of the bigR platform and authorized third parties. These Guidelines are applicable to all passwords including but not limited to user-level accounts, system-level accounts, web accounts, e-mail accounts, screen saver protection, voicemail, and local router logins.
4.0 STATEMENT OF GUIDELINES
A. Strong passwords are long: the more characters you have, the stronger the password. DTech recommends a minimum of 8 characters in your password. In addition, DTech highly encourages the use of passphrases, which are passwords made up of multiple words.
B. Examples include “It’s time for vacation” or “block-curious-sunny-leaves”. Passphrases are both easy to remember and type, yet meet the strength requirements. A poor or weak password has the following characteristics:
i. Contains fewer than eight characters;
ii. Contains personal information such as birthdates, addresses, phone numbers, or names of family members, pets, friends, and fantasy characters;
iii. Contains letter or number patterns such as aaabbb, qwerty, zyxwvuts, or 123321;
iv. Contains guessable password combinations such as “Welcome123”, “Password123”, or “ABC123”.
C. Password Change
i. A password should be changed only when there is reason to believe such password has been compromised.
ii. Password cracking or guessing may be performed on a periodic or random basis by DTech. If a password is guessed or cracked during one of these scans, the user will be required to change it to be in compliance with these Guidelines.
D. Password Protection
i. Passwords must not be shared with anyone. All passwords are to be treated as sensitive and confidential.
ii. Passwords must not be inserted into email messages, or other forms of electronic communication, nor revealed to anyone.
iii. Passwords may be stored only in “password managers” authorized by DTech.
iv. Do not use the "Remember Password" feature of applications (for example, web browsers).
v. Any user suspecting that his/her password may have been compromised must report the incident and change all passwords.
E. bigR Platform Development
DTech will ensure that its Platform and/or servers contain the following security precautions:
i. Platform and/or servers shall support authentication of individual users, not groups.
ii. Platform and/or servers shall not store passwords in clear text or in any easily reversible form.
iii. Platform and/or servers shall not transmit passwords in clear text over the network.
iv. Platform and/or servers must provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
F. Multi-Factor Authentication
Multi-factor authentication is highly encouraged and should be used whenever possible.
As at September 1, 2019.