Doc owner: TBD
Password Policy
Seeded from legacy Allied Information Security Policy (passwords + MFA). Content carried over for review. Password manager standard is named (LastPass) but may have changed; passphrase guidance and modern NIST/NCSC composition rules should be revisited.
Purpose
To establish requirements for passwords and other authentication secrets used to access Allied systems.
Scope
Applies to all credentials used by staff, contractors, and services to access Allied systems.
Roles and responsibilities
| Role | Responsibility |
|---|---|
| TBD (policy owner) | Maintains password and authentication standards |
| All staff | Comply with password requirements |
Password requirements
- Passwords must not be re-used. A password manager can be used to help with this task. (Legacy: all employees provided with a LastPass subscription — verify current standard.)
- Always use strong and unique passwords and wherever possible make use of the password generator function provided in the password manager to generate passwords that meet these criteria.
- Passwords must be at least 12 characters long and difficult to guess.
- Default passwords for accounts must be changed on first use.
- If you suspect either your own or others' passwords have been compromised, you should reset your password(s) immediately and warn others to do the same as soon as practically possible, including via the Allied security Slack channel.
- Where system permissions allow, we may enforce an organisation-wide password reset via the administrator account.
Multi-factor authentication
To strengthen our defences against common threats like phishing and unauthorised access, it is mandatory for all employees to use Multi-Factor Authentication (MFA) wherever possible. MFA enhances security by requiring multiple forms of verification before granting access, such as something you know (a password) and something you have (a code sent to your mobile device). This additional layer significantly reduces the risk of unauthorised access, even if your password is compromised.
Please enable MFA on all supported accounts and devices, and reach out to the security officer for assistance if needed.
Policy statements
TBD — gap analysis to add: secret rotation cadence, prohibition on shared accounts, hardware tokens for high-privilege accounts, password manager standard for the org, treatment of API keys and other non-human credentials.
Related
- POL-DIG-002 Access Control Policy
- ISO 27001:2022 Annex A.5.17, A.8.5