Skip to main content
DraftIndicative placeholder for the section owner — amend, replace, or confirm as the first definitive version.

Doc owner: TBD

Password Policy

Seeded from legacy Allied Information Security Policy (passwords + MFA). Content carried over for review. Password manager standard is named (LastPass) but may have changed; passphrase guidance and modern NIST/NCSC composition rules should be revisited.

Purpose

To establish requirements for passwords and other authentication secrets used to access Allied systems.

Scope

Applies to all credentials used by staff, contractors, and services to access Allied systems.

Roles and responsibilities

RoleResponsibility
TBD (policy owner)Maintains password and authentication standards
All staffComply with password requirements

Password requirements

  • Passwords must not be re-used. A password manager can be used to help with this task. (Legacy: all employees provided with a LastPass subscription — verify current standard.)
  • Always use strong and unique passwords and wherever possible make use of the password generator function provided in the password manager to generate passwords that meet these criteria.
  • Passwords must be at least 12 characters long and difficult to guess.
  • Default passwords for accounts must be changed on first use.
  • If you suspect either your own or others' passwords have been compromised, you should reset your password(s) immediately and warn others to do the same as soon as practically possible, including via the Allied security Slack channel.
  • Where system permissions allow, we may enforce an organisation-wide password reset via the administrator account.

Multi-factor authentication

To strengthen our defences against common threats like phishing and unauthorised access, it is mandatory for all employees to use Multi-Factor Authentication (MFA) wherever possible. MFA enhances security by requiring multiple forms of verification before granting access, such as something you know (a password) and something you have (a code sent to your mobile device). This additional layer significantly reduces the risk of unauthorised access, even if your password is compromised.

Please enable MFA on all supported accounts and devices, and reach out to the security officer for assistance if needed.

Policy statements

TBD — gap analysis to add: secret rotation cadence, prohibition on shared accounts, hardware tokens for high-privilege accounts, password manager standard for the org, treatment of API keys and other non-human credentials.