Password Construction Guidelines

1.0 Purpose

Passwords are a ~~critical~~fundamental component of information ~~security.~~security, ~~Passwords~~acting ~~serve~~as the first line of defense for user accounts, systems, and data. Weak or easily guessable passwords significantly increase the risk of unauthorized access and compromise. The purpose of these guidelines is to ~~protect~~provide ~~user accounts; however, a poorly constructed password may result in the compromise of individual systems, data, or network. This guideline provides~~clear best practices for creating and managing strong, secure ~~passwords.~~passwords and passphrases to protect individual users and organizational assets.

~~The~~2.0 ~~purpose~~Scope

~~of this~~

These guidelines isapply to ~~provide best practices for the created of strong passwords.~~

~~This guideline applies to~~all employees, contractors, consultants, temporary staff, vendors, agents, and other workers, including ~~all~~ personnel affiliated with third ~~parties.~~parties, ~~This~~who ~~guideline~~are ~~applies~~granted access to organizational systems or data. They apply to all passwords used for authentication, including but not limited to user-level accounts, system-level ~~accounts,~~accounts (where applicable), web application accounts, ~~e-mail~~email accounts, screen saver ~~protection,~~locks, ~~voicemail,~~voicemail access, network device logins, and ~~local~~any ~~router~~other ~~logins.~~system requiring password authentication within the organizational context.

3.0 Guideline Statements: Creating Strong Passwords and Passphrases

To enhance security, all passwords ~~are~~created ~~long,~~and used for organizational accounts should adhere to the ~~more~~following ~~characters~~principles:

~~you~~

3.1 ~~have~~Length:

~~the~~

* ~~stronger~~**Minimum ~~the~~Length:** ~~password.~~Passwords Weshould ~~recommend~~be significantly long to resist brute-force attacks. A minimum length of **14 characters** is strongly recommended for all new passwords. Longer is generally better.
* **Passphrases Encouraged:** Using **passphrases** (multiple words forming a ~~minimum~~memorable ofphrase) ~~14 characters in your password.~~ ~~In addition, we~~is highly ~~encourage~~encouraged. ~~the~~Examples: ~~use~~`"ItsTime4MyVaca!"`, of`"Block-Curious-Sunny-L3aves"`. ~~passphrases, passwords made up of multiple words.~~ ~~Examples include “It’s time for vacation” or “block-curious-sunny-leaves”.~~ Passphrases ~~are~~can ~~both~~be ~~easy~~easier to remember and ~~type,~~type ~~yet~~while ~~meet~~meeting length and complexity requirements.

3.2 Complexity and Content:

* Passwords should ideally incorporate a mix of character types (uppercase letters, lowercase letters, numbers, symbols). However, length is the ~~strength~~most ~~requirements.~~critical factor. ~~Poor,~~A long passphrase without complex substitutions is often stronger than a short, complex password.
* **Avoid Weak Content:** Passwords **must not** contain easily guessable information or ~~weak,~~predictable ~~passwords~~patterns. ~~have~~Avoid:
* Personal information (names of family, pets, friends; birthdates; addresses; phone numbers; usernames; real words directly related to you or the ~~following~~organization).
~~characteristics:~~

Common

keyboard

~~Contain~~patterns ~~eight~~(e.g., `qwerty`, `asdfgh`, `12345678`).
* Repeating characters or ~~less.~~simple sequences (e.g., `aaaaaa`, `111111`, `abcde`).
* Commonly used default or weak passwords (e.g., `Password123`, `Welcome1`, `Changeme`).
* Dictionary words spelled forwards or backward.

~~Contain~~3.3 Uniqueness:

* **Unique Passwords:** Each account (work-related or personal ~~information~~accounts ~~such~~accessed ~~as birthdates, addresses, phone numbers, or names of family members, pets, friends, and fantasy characters.~~

~~Contain number patterns such as aaabbb, qwerty, zyxwvuts, or 123321.~~

~~Are some version of “Welcome123” “Password123” “Changeme123”~~

~~In addition, every~~via work ~~account~~devices/networks) should have a ~~different,~~ **unique ~~password.~~password**. ToReusing ~~enable~~passwords ~~users~~across todifferent ~~maintain~~services ~~multiple~~dramatically ~~passwords,~~increases werisk; ~~highly~~if ~~encourage~~one account is compromised, others using the same password become vulnerable.

4.0 Tools and Best Practices for Password Management

4.1 Password Managers:

* Creating and remembering unique, strong passwords for every account is challenging. The use of ‘organization-approved **password ~~manager’~~manager ~~software that~~software** is ~~authorized~~highly encouraged. These tools securely store complex passwords and ~~provided~~can byhelp generate strong, random ones, requiring you only to remember one strong master password for the ~~organization.~~manager itself. ~~Whenever possible, also enable the~~Only use ofpassword ~~multi-factor~~managers ~~authentication.~~

~~Compliance Measurement~~

~~The Precision Computer team will verify compliance to this policy through various methods, including but not limited to, periodic walk-thrus, video monitoring, business tool reports, internal~~vetted and ~~external audits, and feedback to the policy owner.~~

~~Any exception to the policy must be~~ approved by the designated IT authority (e.g., Precision Computer).

4.2 Multi-Factor Authentication (MFA):

* Passwords alone are often insufficient. Wherever possible, **Multi-Factor Authentication (MFA)** must be enabled on accounts. MFA adds a crucial layer of security by requiring a second form of verification (e.g., a code from a mobile app, a text message, a hardware token) in addition to the password.

5.0 Compliance

5.1 Compliance Measurement:

While specific password content is not typically audited directly for privacy reasons, compliance with password *policies* (enforced by system settings like minimum length and complexity) and these *guidelines* (through training and awareness) will be assessed. The designated IT authority (e.g., Precision Computer ~~team~~team) inmay ~~advance.~~verify compliance through system configuration checks, security audits, monitoring for weak password usage where detectable, and user awareness programs.

An5.2 ~~employee~~Exceptions:

~~found~~

System-level constraints may occasionally prevent adherence to ~~have~~the ~~violated~~ideal ~~this~~length ~~policy~~recommendation. Any exceptions to enforced password policies require justification and approval from the designated IT authority (e.g., Precision Computer team).

5.3 Responsibility:

Users are responsible for creating passwords consistent with these guidelines and for protecting their passwords from disclosure. Violations of enforced password policies may ~~be subject~~lead to account lockout or disciplinary ~~action,~~action.

6.0 Definitions

* **Password:** A secret string of characters used to ~~and~~authenticate ~~including~~a ~~termination~~user to a system or service.
* **Passphrase:** A sequence of ~~employment.~~words or other text used as a password, typically longer and potentially easier to remember than complex character strings.
* **Password Manager:** Software designed to securely store and manage user passwords for various accounts.
* **Multi-Factor Authentication (MFA):** A security process requiring users to provide two or more different authentication factors to verify their identity (e.g., something they know [password], something they have [token/phone], something they are [biometric]).

* Password Policy (which defines mandatory requirements like minimum length, history, expiration)
* Acceptable Use Policy
* Information Security Policy (Overall)
* Remote Access Policy