This policy was last reviewed July 21, 2023.
1. Purpose
This policy describes Peerceptiv’s requirements for acceptable password selection and maintenance. It provides guidance on creating and using passwords in ways that maximize security of the password and minimize misuse or theft of the password. Passwords are the most frequently utilized form of authentication for accessing a computing resource. Due to the use of weak passwords, the proliferation of automated password-cracking programs, and the activity of malicious hackers and spammers, they are very often also the weakest link in securing data. Passwords must, therefore, follow the policy guidelines listed below.
2. Scope
This policy applies to all Peerceptiv staff that have a username and password to at least one company system or application, independent of whether they are an end user, administrator, or developer for that system or application.
3. Maintenance
This Policy will be reviewed annually or as deemed appropriate based on changes in technology or regulatory requirements.
4. Enforcement
Violations of this Policy may result in suspension or loss of the violator’s use privileges with respect to Peerceptiv Information Systems. Additional administrative sanctions may apply up to and including termination of employment or contractor status with the Company. Civil, criminal and equitable remedies may apply.
5. Exceptions
Exceptions to this Policy must be approved by the Chief Technology Officer (“CTO”) and formally documented. Policy exceptions will be reviewed on a periodic basis for appropriateness, with all exceptions reviewed at least annually.
6. Policy
All passwords should be strong passwords and should follow the guidelines below. In general, a password’s strength will increase with length, complexity and frequency of changes. Greater risks require a heightened level of protection. Stronger passwords augmented with alternate security measures such as multi-factor authentication should be used in all possible situations. All Peerceptiv employees are expected to set a good example through a consistent practice of sound security procedures.
- All passwords must meet the following guidelines, except where technically infeasible:
  - Must contain at least eight (8) alphanumeric characters.
  - At least one (1) alphabetic character must be upper-case and at least one (1) must be lower-case.
  - Must contain at least one numerical character.
  - Must contain at least one symbol.
- Passwords cannot consist of a single word in any dictionary, language, slang, dialect, jargon, etc.
- Passwords cannot consist of easily guessed or obtained personal information, names of family members, pets, etc.
- To help prevent identity theft, personal or fiscally useful information such as Social Security or credit card numbers must never be used as a user ID or a password.
- Passwords should never be written down or stored online unless adequately secured.
- Passwords should not be inserted into email messages or other forms of electronic communication.
- The same password should not be used for different accounts.
- Passwords should not be shared with anyone. Necessary exceptions may be allowed with the written consent of Peerceptiv management. Shared passwords used to access common resources that cannot support uniquely provisioned accounts require a designated individual to be responsible for the maintenance of those passwords, and that individual will ensure that only appropriately authorized employees have access to the passwords.
- If a password is suspected of being compromised, it should be changed immediately and the incident reported.
- Peerceptiv systems MUST be designed to ensure passwords are never logged.