Password Policy
Purpose and Scope
This Password Policy establishes guidelines and requirements for password creation, management, and use at Code Town. It aims to enhance the security of our information systems and data by promoting strong password practices.
This policy applies to all employees, contractors, and third parties who have access to Code Town’s systems and data.
Policy Statements: Our Commitments
The following policy statements outline how Code Town manages password security to protect its assets and information.
Password Creation and Authentication
Where possible, employees should avoid creating a username and password pair, and instead utilize Single Sign-On (SSO) via Google Workspace to log into services. Default passwords must be changed upon first use. Employees must create strong passwords that meet the following criteria:
- Randomly generated
- Minimum length of 12 characters
- Include a mix of uppercase and lowercase letters, numbers, and special characters
- At least one non-alphanumeric character
- Avoid common words, phrases, or personal information
- Passwords must not contain any personal data that could identify the user
- Passwords must be unique and not used for any other account, personal or professional
Code Town enforces password complexity requirements through technical controls, and passwords are checked against a list of commonly used or compromised passwords.
Account Lockout
User accounts will be locked after 5 consecutive failed login attempts.
All failed login attempts and account lockouts are logged and monitored for potential security incidents.
Multi-Factor Authentication (MFA)
MFA is required for:
- All access to Code Town’s cloud systems
- Access to sensitive systems or data
- Access to our password manager, 1Password
Password Storage and Transmission
All passwords must be stored in an encrypted format using industry-standard encryption algorithms.
Encryption keys are managed securely, with access restricted to authorized personnel only. Key rotation is performed regularly.
Shared Accounts and Service Accounts
The use of shared accounts is prohibited. Service account passwords must be changed whenever a team member with knowledge of the password leaves the organization.
Service account usage is logged and monitored. Regular audits are performed to review the necessity and access levels of service accounts.
Password Managers
Code Town provides and encourages the use of a company-approved password manager, specifically 1Password. Employees should use the password manager to generate and store complex, unique passwords for each account.
Compliance and Enforcement
Compliance with this policy is mandatory for all employees, contractors, and third parties with access to Code Town’s data.
In rare cases, business needs, local laws, or regulations may require exceptions. Management will approve any exceptions and define alternative solutions.
Non-compliance may lead to disciplinary action, including termination, as per Code Town’s policies.
Policy Review and Maintenance
This policy will be reviewed annually or when significant changes occur to maintain its continuing suitability, adequacy, and effectiveness.
Reviews must consider changes in the regulatory landscape.