iQuda IT Password Policy
Date of this version: 06/10/2016
Passwords are the key to any network. Just one insecure password could enable anyone to log on to iQuda Ltd’s network. Bad passwords are just as bad as no passwords at all. Passwords traverse networks on an almost constant basis, and all it takes is a well-placed eavesdropping program to gather most passwords in a matter of minutes.
All Internet-related equipment, including but not limited to computer equipment, software, storage media, electronic mail, and Internet connections, remains the property of iQuda Ltd. These systems are to be used for business purposes and in the course of normal daily operations. It is in iQuda Ltd’s best interest to make sure that these resources are protected and used appropriately. Where appropriate, it is in iQuda Ltd’s best interest that access is restricted to those individuals whose job function relies upon access. Where possible, access is restricted only to the relevant persons.
The purpose of this policy is to outline the password policy at iQuda Ltd. These rules are in place to protect the user, our clients and iQuda Ltd as a whole. Inappropriate use exposes iQuda Ltd to risks including virus attacks, compromise of network systems and services, and legal issues.
This policy applies to employees, visitors, contractors, consultants, temporaries and other workers at iQuda Ltd, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by iQuda Ltd. This policy applies to all equipment that has access to iQuda Ltd’s network either locally or via remote connections.
Every individual should have a unique logon ID and a strong password associated with each logon ID. This is so that any action on the network can be attributed to an individual and appropriate resources can be made available to the individual. There will be very exceptional circumstances where a group shares a logon ID (please see the section on group passwords).
Each person should have a strong password in order to keep unauthorised users from guessing their password and accessing the network in their name.
A strong password will follow these guidelines:
- Passwords should not be easily guessable or be found in a dictionary.
- Use a nonsensical combination of letters: The best passwords will be nonsensical. For example, if you take the first letter of each word in a memorable phrase such as “Daisy is my favourite pet dog in the world”, the result could be: “dimfpditw”. This is a good password (and the phrase is easy to remember), but see the next bullet to make it even more difficult.
- Include a mix of UPPER and lower case letters: You should include an uppercase letter somewhere other than at the beginning. The result could be: “DiMFPDitw”.
- Include numbers and/or special characters such as !”£$%^&*()_+@’: Because the letter i looks like a number one, you could use a one instead of that letter. Because the special characters ^^ look like the letter M, you could use them instead. Your password then becomes: D1^^FPD17w.
- Numbers and special characters are best used towards the beginning of the password.
- Longer passwords are better: Your password must be at least 6 characters in length but 8, 9, or 10 would be better!
- Your password must be changed every 60 days.
- Your password must be new; you can’t reuse old ones.
- Don’t use a set of characters straight off the keyboard: You should never use qwerty, 12345678, or asdfghj for passwords. Even though they look nonsensical, they follow a distinct pattern of consecutive keys on the keyboard and password crackers will break them in seconds.
- Treat your passwords as top secret information: All passwords should be protected and not shared! If they must be written down (and this is only in very exceptional circumstances) they must be locked away.
- Never let anyone know your password (including system administrators). A system administrator can reset your password if work needs to be done on your account.
- Password hints should not be used.
- If you accidentally share your password with anyone else, you should notify your line manager immediately.
In very exceptional cases a group of users will share a logon ID and password. In these cases iQuda Ltd will set and change the password (based on the guidelines above). A nominated list of individuals will be informed of the new password. It will be the responsibility of the nominated individuals to inform authorised members of the group of any password changes. These passwords must still be treated as top secret.
Any employee found to have violated this policy will be subject to disciplinary action, up to and including termination of contract.