Password Policy
Last updated: January 20, 2023

Introduction

  • Most systems authenticate their users by a username + password combination. The passwords used here are secrets and must be managed with care to ensure they do not create security risks.

Passwords are vulnerable

  • Using just passwords is one of the least secure ways of authenticating yourself. This is because you are also sharing your password with the service you access. Thus, passwords are shared secrets, and as such inherently vulnerable. Authentication methods that rely on shared secrets are less secure than ones that do not.
  • As a result, the best strategy is to minimize the use of passwords wherever possible. Please follow the guidelines below when authenticating yourself with various systems.
  1. Use a single sign-on (SSO) mechanism to authenticate yourself wherever possible. This avoids the need to create new strong passwords. Please ensure that the password or authentication mechanism for the SSO system is itself very secure.
  2. Use multi-factor authentication (MFA) techniques to authenticate yourself wherever possible. This reduces the reliance on passwords and adds an additional barrier even if the password were compromised.
  3. Unfortunately, passwords are still the most common and popular way to authenticate, and there will be scenarios where you will not be able to apply 1 or 2.

Password generation and strength

  1. Staff members should use complex passwords, wherever possible, for all of their accounts that have access to data that Zoracom should keep secure. A strong password should have at least 10-12 characters and should be randomly generated from alphanumeric and special characters.
  2. Complex passwords can be achieved in a couple of ways:
  3. Staff members should not reuse passwords that are or were used elsewhere, e.g., passwords used for personal accounts. A common way attackers obtain access to corporate resources is by using employees' personal passwords that were obtained in breaches of other services.
  4. To avoid creating and maintaining a large number of complex passwords, use "Login with Microsoft Office 365" or another authentication provider wherever feasible.
  5. Enable multi-factor authentication in your accounts wherever it is available as a feature. For critical services, using multi-factor authentication is mandatory.
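As an added example (not part of the policy and not Zoracom code), a small Python generator and checker for the requirements above: randomly generated, at least 10-12 characters, built from letters, digits and special characters. The 12-character minimum, the default generated length and the exact special-character set are assumptions.

```python
import secrets
import string

# Policy requirements from the page: randomly generated, at least 10-12 characters,
# drawn from letters, digits and special characters. The 12-character minimum and
# the special-character set below are assumptions, not taken from the policy.
MIN_LENGTH = 12
SPECIALS = "!@#$%^&*()-_=+[]{};:,.?/"
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SPECIALS)
ALPHABET = "".join(CLASSES)


def meets_policy(password: str) -> bool:
    """True if the password is long enough, uses only allowed characters,
    and contains at least one character from every class."""
    if len(password) < MIN_LENGTH:
        return False
    if any(ch not in ALPHABET for ch in password):
        return False
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def generate_password(length: int = 16) -> str:
    """Generate a random password that satisfies meets_policy().

    The secrets module (not random) is used so the output is unpredictable.
    One character from each class is guaranteed, the remainder is drawn from
    the full alphabet, and the order is shuffled with the same CSPRNG so the
    guaranteed characters do not sit in fixed positions.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    chars = [secrets.choice(cls) for cls in CLASSES]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(CLASSES))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    candidate = generate_password()
    print(candidate, meets_policy(candidate))
```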

Non-compliance

  • Zoracom staff who violate this policy may face repercussions in proportion to the impact of their violation. Zoracom management will determine how serious a staff member's offense is and decide the appropriate penalty. Penalties may include:
    1. Reprimand
    2. Demotion
    3. Withdrawal of benefits for a definite or indefinite time
    4. Suspension or termination for more serious offenses