Password security Standards

Scope:

This standard covers the minimum password requirements for all electronic devices owned or leased by A-Z Bus Sales that can be protected by a password.

Purpose:

To ensure that all electronic devices are secured by a password of a certain complexity, and to ensure that more sensitive devices require more complicated passwords.

Policy:

Network Passwords

Network passwords must:

Not contain the user's account name or parts of the user's full name that exceed two consecutive characters

Be at least 10 characters in length

Contain characters from three of the following four categories: English uppercase characters (A through Z), English lowercase characters (a through z), Base 10 digits (0 through 9), Non-alphabetic characters (for example, !, $, #, %)

Complexity requirements are enforced when passwords are changed or created. Network passwords expire every 60 days unless there is an indication that the account has been compromised. IT reserves the right to manually expire the password for an account that appears to be compromised and will notify the user should their password be expired. When a network password is changed, the new password used must not be any of the passwords you have used within the previous 356 days.

Privileged Passwords 

All passwords for accounts that have additional privileges beyond a normal user must be at least twelve characters long and contain at least three of the four character classes (see Definitions section below). All privileged passwords must be changed every 60 days. No privileged password may be based on a word found in a dictionary. When a privileged password is changed, it cannot be set to its previous value. Privileged passwords cannot be provided to employees. Examples of privileged passwords include root, super user, and administrator passwords for servers, databases, infrastructure devices, and other systems.

All passwords used to access resources in the High Security environment are considered above this level and are thus held to even higher standards (see High Security Accounts section of this policy).

Privileged passwords also include application accounts that provide rights beyond those of a typical user.

If a user is unsure if a given account is privileged, they must assume that it is.

Non-network Passwords 

All devices that do not use the network to authenticate users must follow the same password standards as those listed under Network Passwords. Operating systems that store password history must retain the previous 10 passwords. Operating systems that do not store password history must ensure that the new password is different from the previous password.

Mobile device Passcodes 

Users of mobile devices used to access A-Z Bus Sales email or other A-Z Bus Sales resources must ensure that the mobile device locks automatically and has a strong passcode.

Acceptable mobile passwords must consist of one of the following. Passwords or passcodes that do not meet these requirements cannot be used.

Alphanumeric Code (minimum 6 characters)

Numeric Code (minimum 4 digits)

Fingerprint Scanner

Facial Recognition

The device must be set to lock out access automatically after ten incorrect passcode attempts.

Mobile devices that cannot be configured with a password will not be allowed to access A-Z Bus Sales email or A-Z Bus Sales resources.

If a mobile device that does not meet these standards must be connected to A-Z Bus Sales email or other A-Z Bus Sales resources, the end user must consult with the IT Department at Support@a-zbus.com to discuss the situation.

The IT Department will advise the end user on the type of password that should be used.

Service Passwords 

All passwords used to allow servers to communicate with one another in an automated fashion require stronger passwords because they are changed infrequently. They must be at least 10 characters long and contain at least two characters from each of the four character classes. Service passwords cannot be provided to employees. Service account passwords must be changed whenever the administrator responsible for the account leaves the organization or changes roles.
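The network, privileged and service password rules above, as an added example that is not part of the standard or of any A-Z Bus Sales tooling: a Python checker that reports which rules of a given tier a candidate password breaks. It covers only the length and character-class rules (the dictionary-word, history and expiry rules need a word list and a password store and are left out), and its reading of "parts of the user's full name" as the individual name tokens is an assumption.

```python
import re

# Character classes as listed in the standard's Definitions section.
CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

# (minimum length, minimum number of distinct classes) per tier, from the standard.
TIERS = {"network": (10, 3), "privileged": (12, 3), "service": (10, 4)}


def contains_name_part(password, account_name, full_name):
    """True if the password contains the account name or any part of the full
    name longer than two characters, case-insensitively. Assumption: 'parts'
    are the whitespace/punctuation-separated tokens of the full name."""
    pw = password.lower()
    tokens = [account_name] + re.split(r"[\s,.\-_#]+", full_name)
    return any(len(t) > 2 and t.lower() in pw for t in tokens)


def check_password(password, tier, account_name="", full_name=""):
    """Return the rules the password violates for the given tier
    (an empty list means it meets the standard)."""
    if tier not in TIERS:
        raise ValueError(f"unknown tier: {tier}")
    min_len, min_classes = TIERS[tier]
    counts = {name: len(rx.findall(password)) for name, rx in CLASSES.items()}
    present = sum(1 for n in counts.values() if n > 0)
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if present < min_classes:
        problems.append(f"uses {present} of 4 character classes, need {min_classes}")
    if tier == "service" and any(n < 2 for n in counts.values()):
        problems.append("fewer than two characters from some class")
    if tier == "network" and contains_name_part(password, account_name, full_name):
        problems.append("contains the account name or part of the full name")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for pw, tier in [("Summer2024!", "network"), ("jsmith-Rocks1!", "network"),
                     ("Tr0ub4dor&3", "privileged"), ("Aa1!Bb2@Cc3#", "service")]:
        print(tier, repr(pw), check_password(pw, tier, "jsmith", "John Smith") or "OK")
```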

High Security Accounts 

All passwords used on systems that store, transmit or process A-Z Bus Sales Protected Data, as defined in the Data Classification Policy, will conform to the following password requirements in addition to the Privileged Password requirements:

Avoid using dictionary words, people’s names, usernames, special dates, or number sequences that can be easily guessed.

The password will be changed every 90 days or if there is any suspicion the password could be compromised.

New passwords may not be the same as the last four passwords.

Accounts will be locked out for thirty minutes after several failed login attempts.

First time passwords will be set to a unique value for each user. Passwords will be set to change immediately after first use.

Authentication mechanisms are assigned to an individual account and not shared among multiple accounts.

Multi-Factor Authentication (MFA)

Increasingly, passwords are the weak link in protecting information and accounts. In addition to following the Password Standard, adding another layer of protection to accounts with 2-step/multi-factor authentication where available provides extra protection. This is an emerging requirement for accounts that provide access to restricted data and for privileged accounts, and it is required for access to the network, which is only accessible using our VPN.

Password Managers and Password Sharing

Password managers help generate unique and strong passwords, store them in one safe (encrypted) place, and use them while only needing to remember one master password. The company supports LastPass as its password manager, and it is approved for storing A-Z Bus Sales passwords. A-Z Bus Sales prohibits sharing personal passwords with anyone, including administrative assistants. Necessary exceptions may be allowed with the written consent of the IT Department and must have a primary responsible contact person. Shared passwords used to protect network devices, shared folders or files require a designated individual to be responsible for the maintenance of those passwords, and that person will ensure that only appropriately authorized employees have access to them. Internal sharing of administrative accounts must be done through the business or team edition of LastPass.

Storing Passwords

Employees of A-Z Bus Sales are prohibited from storing passwords in files on their PC, company servers or cloud accounts, or on display, such as labels or sticky notes. Any file used to store passwords must be encrypted and approved by the IT Manager before use. Any files found on the network containing passwords will be removed and the user notified within 24 hours.

Definitions

Character Classes – There are four character classes: numbers, lowercase letters, uppercase letters, and special characters. Special characters are those characters that can be typed on a computer that do not fall into one of the other three classes.

Exception Example - If a system treats uppercase and lowercase characters as the same and does not accept special characters, it is impossible to create a privileged password using our standards. In this case, the password would have a length of eight characters (matching the standard) and would contain both letters and numbers.

Multi-Factor Authentication (MFA) - a security system that requires more than one method of authentication from independent categories of credentials to verify the user's identity for a login or other transaction, typically using a PIN, a one-time password (OTP) sent to the requester's phone or email address, a digital certificate, a fingerprint, or a hardware token.
