Passwords serve as the first line of defense to critical systems, applications and data. A poorly chosen password may result in unauthorized access and/or exploitation of [ORGANIZATION]’s resources. All users, including contractors and vendors with access to [ORGANIZATION] systems, are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

The recently published NIST Special Publication 800-63B report defines the standard for authentication and identity life cycle management. Section 5.1.1 of this report covers the guidelines related to password security and outlines standards to ensure optimal security. [ORGANIZATION] has adopted these guidelines into this Password Policy.



The purpose of this policy is to establish a standard for creation of strong passwords, and the protection of those passwords.

1.0 Applicability

1.1. This policy applies to all employees and affiliates, including contractors, consultants, vendors, etc., at [ORGANIZATION] who are granted access to equipment, software, networks, etc. that are owned, leased, and/or operated/maintained by the [ORGANIZATION]. These individuals will be known and referred to as “User(s).”

1.2. Access and/or use of Information Technology Resources protected by user accounts constitutes the user’s acknowledgement and consent to this policy as well as his/her consent to the [ORGANIZATION]’s recording and monitoring of his/her use (whether for personal or business purposes) of Information Technology Resources.

2.0 Definitions

2.1. ACCOUNT – reference assigned to an individual to enable a Computer System or Service to identify that individual.

2.2. INFORMATION TECHNOLOGY RESOURCES – Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, PDAs, network accounts, e-mail accounts, web browsing, blogging, Web 2.0, social networking, and FTP provided by the [ORGANIZATION] to authorized users to facilitate the completion of their jobs.

2.3. PASSWORD – A string of characters which serves as authentication of an individual’s identity, and which may be used to grant, or deny, access to private or shared data.

2.4. USER ACCOUNT – The user account made up of the User ID and password.

2.5. USER ID – Also referred to as a username. A User ID identifies the user on the system and has an associated password.

2.6. USER(S) – Individual(s) whether full or part-time, active or inactive, including interns, contractors, consultants, vendors, etc. who have been given access to and granted permission(s) to use Information Technology Resources.

3.0 Policy

3.1. Password Criteria

3.1.1. Passwords must be a minimum of twelve (12) and a maximum of sixty-four (64) characters. (The exact limits will depend on the requirements of the systems in use by each organization.)

3.1.2. It is strongly recommended that passwords be phrases that are easy for the individual User to remember, yet difficult to guess. For example, ilovetogohikingintheWoods (do not use this as your password; it is only an example). Note that this example is not a dictionary word, is personal, and is easy to remember. A password that is easy to remember is less likely to be written down by the User.

3.1.3. Passwords must not incorporate commonly used words, dictionary words, and breached passwords, such as password1, qwerty123, etc.

3.1.4. Passwords should not contain repetitive or sequential characters, such as aaa1234, or 123456.

3.1.5. Multi-factor authentication (MFA) is mandatory for all Users. For assistance setting up MFA, please contact the Service Desk. (Strongly recommended, especially as more organizations synchronize passwords and use single sign-on (SSO), which eases access for users but makes that single password more powerful should it be compromised.)

3.1.6. Passwords will NOT have to be changed on a regular basis; however, should a User suspect that a password has been compromised, the User will immediately contact the Service Desk and change their password.
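Clauses 3.1.1, 3.1.3 and 3.1.4 above can be enforced mechanically when a password is set. The following Python validator is an added illustration and is not part of this policy or of any [ORGANIZATION] system; the blocklist is a constructed stand-in for a real breached-password corpus, and the run-length thresholds (three repeated characters, four sequential ones) are assumptions, since the policy itself sets none.

```python
from itertools import groupby
from typing import List, Set

# Constructed mini blocklist standing in for a full common/breached-password list
# (a real deployment would load a large corpus, e.g. a local breach-data dump).
BLOCKLIST: Set[str] = {"password1", "qwerty123", "letmein", "welcome1", "iloveyou"}

MIN_LEN, MAX_LEN = 12, 64  # clause 3.1.1


def has_repetitive_run(pw: str, n: int = 3) -> bool:
    """True if any character repeats n or more times in a row (e.g. 'aaa1234').
    The threshold n=3 is an assumption; the policy gives only examples."""
    return any(sum(1 for _ in run) >= n for _, run in groupby(pw))


def has_sequential_run(pw: str, n: int = 4) -> bool:
    """True if n or more consecutive characters are adjacent code points in
    ascending or descending order (e.g. '1234', 'abcd', 'dcba').
    n=4 rather than 3 avoids flagging ordinary words such as 'first' ('rst')."""
    for i in range(len(pw) - n + 1):
        window = pw[i:i + n]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw: str, blocklist: Set[str] = BLOCKLIST) -> List[str]:
    """Return the policy clauses the candidate violates; an empty list means accepted."""
    violations: List[str] = []
    # 3.1.1: length is counted in Unicode code points, not bytes, so passphrases
    # containing accented or non-Latin characters are not unfairly shortened.
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        violations.append("3.1.1 length must be 12-64 characters")
    # 3.1.3: compare case-insensitively so 'Password1' is caught as well as 'password1'
    if pw.lower() in blocklist:
        violations.append("3.1.3 matches a common or breached password")
    # 3.1.4: repetitive and sequential runs are reported separately so the
    # User sees exactly which rule was tripped
    if has_repetitive_run(pw):
        violations.append("3.1.4 contains repetitive characters")
    if has_sequential_run(pw):
        violations.append("3.1.4 contains sequential characters")
    return violations


if __name__ == "__main__":
    for candidate in ("ilovetogohikingintheWoods", "Password1", "aaa1234aaa1234"):
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```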