McCorvey Companies Safe Password Policy
Last Updated: 7/23/2021
1. Policy Statement
1.1 - All individuals are responsible for safeguarding their login(s) and password(s) to any company related
system and must comply with the password standards identified in this policy. Passwords must meet the
complexity requirements outlined and must not be shared with or made available to anyone in any manner that
is not consistent with this policy and procedure.
2. Entities Affected by this Policy
2.1 - Any individual, system, or company that has access to any McCorvey Companies internal system or
Software as a Service (SaaS) application(s).
3. Contacts
3.1 - Direct any questions about this policy to [email protected]
4. Individual Responsibilities
4.1 Individuals are responsible for keeping passwords secure and confidential. As such, the following
principles must be adhered to for creating and safeguarding passwords:
4.1a
- Passwords must never be shared with another individual for any reason or in any manner not consistent
with this policy. A shared or compromised password can generate a written infraction.
- Users must never ask anyone else for their password. If you are asked to provide your password to an
individual, or to sign into a system and give someone else access under your login, you are obligated
to report this to IT immediately.
- Passwords must never be written down or left in a location easily accessible or visible to others. This
includes both paper and digital formats. Company passwords should not be stored in a web browser’s
password manager on a device that was not issued by McCorvey.
- Individuals must never leave themselves logged into an application or system where someone else can
unknowingly use their account.
- IT will never ask for a password; instead, IT will ask you to enter your password yourself. In certain
support scenarios where an administrative account cannot be used, an individual may allow a technician
to use his/her computer under the individual’s account, even if the individual is unable to be
present during the entire support session.
- In the event of a hardware malfunction where the device needs to be repaired by a third party, the device
hard drive should be backed up to a secure storage device and wiped securely before it is handed over
to an external technician.
- In the event that a password needs to be issued to a remote user or service provider, the password must
never be sent without the use of proper safeguards (e.g., do not send passwords through email without
encryption).
- Passwords for McCorvey Systems must be unique and different from passwords used for other personal
services (e.g., banking).
- Passwords must meet the complexity requirements outlined in this policy.
- Passwords must be changed regularly, as outlined in this policy, at the regularly scheduled time
interval or sooner if there is suspicion of a compromise.
- In the event a breach or compromise is suspected, the incident must be reported to IT immediately.
5. Password Requirements
5.1 - User Level Accounts
5.1a - The following parameters indicate the minimum requirements for passwords for all user level accounts.
User level accounts consist of McCorvey Companies staff (including temps and consultants) that are not Systems
Administrators.
- At least sixteen (16) characters;
- Not based on anything someone else could easily guess or obtain from personal information
(e.g., names, telephone numbers, dates of birth, etc.);
- Not vulnerable to a dictionary attack (see Recommendations for Creating Compliant Passwords section);
- A combination of at least one character from each of the following four listed character types:
- English uppercase letters (A-Z),
- English lowercase letters (a-z)
- Base 10 digits (0-9)
- Non-alphanumeric (such as
` ~ ! @ # $ % ^ & * ( ) _ + - = { } | \ : " ; ' <> ? , . /
and space)
5.2 - System/Administrative Accounts
5.2a - The following parameters indicate the minimum requirements for passwords for all system/administrative
level accounts. System/administrative users consist of users with elevated access to administer information
systems and applications, most often in the Information Technology Department. Such users have administrator
access and these accounts are at a higher risk for compromise.
- At least thirty-two (32) characters;
- A randomly generated combination of at least one character from each of the following four listed
character types:
- English uppercase letters (A-Z),
- English lowercase letters (a-z)
- Base 10 digits (0-9)
- Non-alphanumeric (such as
` ~ ! @ # $ % ^ & * ( ) _ + - = { } | \ : " ; ' <> ? , . /
and space)
6. Recommendations for Creating Compliant Passwords
6.1 - To create a password that is compliant with the parameters specified in this policy, use one of the
three methods below.
6.1a Use a Passphrase
A passphrase is like a password, but it is generally longer and contains a sequence of words or other text to
make the passphrase more memorable. A longer passphrase that is combined with a variety of character types is
exponentially harder to breach than a shorter password. However, it is important to note that passphrases that
are based on commonly referenced quotes, lyrics, or other sayings are easily guessable. Passphrases should be
unique to you.
- Use at least sixteen (16) characters
- Incorporate the four character types (a space or special character can be used to separate words or
phrases to add complexity)
- Use a phrase that is easy to remember
- Abbreviate most of the words in the phrase to increase complexity
Example:
Phrase: “When I was five, I learned how to ride a bike.”
Password: When I was 5, I learned to ride a bike.
6.1b Use an Acronym
An acronym can be used to constitute a strong and compliant password by taking the first letter of each word in
a phrase (including punctuation) to form the password.
- Incorporate the four character types (forming your phrase in sentence case with punctuation can be used
to meet the requirements)
- Use a phrase that is easy to remember
Example:
Phrase: “When I was five, I learned how to ride a bike.”
Password: WIw5,Ilhwrab.
6.1c Use a Secret Code
A secret code can be used in conjunction with the previous methods simply by substituting numbers or
symbols for some of the letters. Combining these methods makes it easy to incorporate the four character
types and meet the password complexity requirements.
- Use a phrase that is easy to remember
- Capitalize the first letter of every word
- Substitute numbers or symbols for some of the letters
- Incorporate spaces or substitute with a different character
Example:
Phrase: “When I was five, I learned how to ride a bike.”
Password: WhenIwa$5,Ilh0wt0rab1k3.
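The following Python checker is an added example and is not a tool provided by McCorvey Companies or part of this policy. It encodes the section 5 minimums (16 characters for user accounts, 32 for system/administrative accounts, one character from each of the four listed character types) and runs them against the three section 6 example passwords. The dictionary check is a constructed stand-in: a tiny word list and a simple leet-speak reversal, where a real deployment would use a large breached-password list. The `generate_admin_password` helper is likewise an assumption about how a "randomly generated" 5.2a password might be produced, using the `secrets` module.

```python
import re
import secrets
import string

# Character types listed in sections 5.1a and 5.2a of the policy (space included).
SPECIALS = set("` ~!@#$%^&*()_+-={}|\\:\";'<>?,./ ")
MIN_LEN_USER = 16    # section 5.1a
MIN_LEN_ADMIN = 32   # section 5.2a

# Constructed toy word list standing in for a real dictionary-attack list (assumption:
# a real checker would load a large breached-password corpus instead).
TOY_DICTIONARY = {"password", "welcome", "letmein", "mccorvey", "summer"}

# Constructed mapping that undoes common letter-to-symbol substitutions so that
# "P@ssw0rd" is still recognised as "password" (0->o, 1->i, 3->e, 4->a, 5->s, $->s, @->a).
LEET_TO_LETTERS = str.maketrans("01345$@", "oieassa")


def character_classes(pw):
    """Return the set of policy character types present in pw.

    Characters outside the four listed types (e.g. accented letters) are ignored,
    so they neither help nor hurt compliance.
    """
    classes = set()
    for ch in pw:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in SPECIALS:
            classes.add("special")
    return classes


def looks_dictionary_based(pw, dictionary=TOY_DICTIONARY):
    """True if the alphabetic core of pw (after reversing leet substitutions) is a dictionary word."""
    core = re.sub(r"[^a-z]", "", pw.lower().translate(LEET_TO_LETTERS))
    return core in dictionary


def check_password(pw, account_type="user"):
    """Return a list of policy violations for pw; an empty list means compliant."""
    min_len = MIN_LEN_ADMIN if account_type == "admin" else MIN_LEN_USER
    problems = []
    if len(pw) < min_len:
        problems.append(f"length {len(pw)} < required {min_len}")
    missing = {"upper", "lower", "digit", "special"} - character_classes(pw)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    if looks_dictionary_based(pw):
        problems.append("based on a dictionary word")
    return problems


def generate_admin_password(length=MIN_LEN_ADMIN):
    """Randomly generate a 5.2a-style password: one character of each type is guaranteed,
    the remainder is drawn from the union of all four types, then the order is shuffled.
    Space is left out of the generated set so the value copies cleanly (assumption)."""
    pools = [
        string.ascii_uppercase,
        string.ascii_lowercase,
        string.digits,
        "".join(sorted(SPECIALS - {" "})),
    ]
    chars = [secrets.choice(pool) for pool in pools]
    alphabet = "".join(pools)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


# The three example passwords from section 6, checked against the user-level rules.
POLICY_EXAMPLES = {
    "6.1a passphrase": "When I was 5, I learned to ride a bike.",
    "6.1b acronym": "WIw5,Ilhwrab.",
    "6.1c secret code": "WhenIwa$5,Ilh0wt0rab1k3.",
}

if __name__ == "__main__":
    for label, pw in POLICY_EXAMPLES.items():
        print(f"{label}: {check_password(pw) or 'compliant'}")
    print(f"generated admin: {check_password(generate_admin_password(), 'admin') or 'compliant'}")
```

Running the checker is instructive: the passphrase and secret-code examples pass the 5.1a rules, but the acronym example "WIw5,Ilhwrab." is only 13 characters, so it satisfies the four character types yet falls short of the sixteen-character minimum; a user following section 6.1b should start from a longer phrase. A deployed checker would also reject passwords found in breach corpora and anything derived from the personal information section 5.1a names, which this toy dictionary cannot do.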