Password Management Policy (A.9.4.3)

Objectives

  • All systems requiring authentication make use of good passwords as part of the authentication process.
  • All systems requiring authentication have a process to replace lost or stolen credentials.

Scope

Breezy’s Password Management Policy shall include the following:

Information Assets

All information assets (data) either owned by Breezy or entrusted to Breezy by a client under an agreement which specifically details Breezy’s data responsibility, and including but not limited to:

  • Information assets held, processed or stored at Amazon Web Service facilities under accounts owned by Breezy used to facilitate Breezy product offerings.

Supporting Assets

All supporting assets (non-data) which by direct or indirect association are an integral part of ensuring the confidentiality, integrity or availability of the information assets described in Section 2.1, including:

  • Hardware (including network infrastructure, laptop computers, desktop computers, storage infrastructure, and mobile devices)
  • Software (including operating systems, commercially available software applications and software applications developed internally by Breezy)
  • Data (including data encrypted with a password-protected key)

Policy

User Password Management

This section details the requirements for Breezy employees who are creating and managing passwords.

When using password-based authentication, keep the following goals in mind:

  • It should be difficult for anyone to guess your password, even if they know you
  • It should be difficult for an automated program to guess your password through “brute force”
  • Your passwords must be kept secret: sharing passwords lessens the security of an account

With those goals in mind, Breezy recommends, when possible, all passwords should be randomly generated by and stored in 1Password, Breezy’s password management tool of choice. Each password must be unique to the account. By randomly generating passwords for each site, it is effectively impossible for anyone to guess the password, so long as the password meets certain requirements.

For all passwords, Breezy requires the following:

  • Only share passwords when absolutely necessary. If possible, unique accounts should be used instead of sharing credentials. Passwords may only be shared through 1Password Vaults.
  • Passwords must be changed if there is a reasonable suspicion a system or account has been compromised.
  • Passwords must be stored by users in a secure fashion. Specifically, at minimum passwords must be encrypted in storage. Passwords must not be written down in plain view. Breezy provides 1Password access to all employees and recommends passwords be stored in it.

For randomly-generated passwords specifically, e.g. generated and stored via 1Password, we have the following additional requirements:

  • Passwords must be unique and never reused.
  • Passwords must be at least 20 characters long, or the maximum character count allowed by the system if less than 20 characters.
  • Passwords should use a mix of lowercase, uppercase, numbers, and special characters when allowed by the system. Since these passwords are stored in 1Password, they are not required to be memorable.

For passwords created by the user and memorized instead of being kept in a password manager, we have the following additional requirements:

  • Passwords must be unique and never reused.
  • Passwords should be changed annually at minimum. When changing passwords, do not use the original password as a basis for the new the password.
  • Passwords must not be a single dictionary word or proper noun.
  • Passwords must be at least 10 characters long, or the maximum character count allowed by the system if less than 10 characters. Keep in mind a shorter password is easier to guess.
  • Passwords should be memorable, but hard to guess by others. Consider:
  • using a unique statement, or a collection of 4 or more words separated by a non-alphanumeric character;
  • using 1Password’s password strength estimator to ensure passwords are high quality;
  • incorporating a mix of uppercase, lowercase, numbers, and special characters to increase resistance against both manual and automated guessing.

System Password Implementation

This section details the requirements for password-based authentication implementation by developers at Breezy.

This policy sets the following requirements for all software developed and maintained by Breezy:

  • Passwords used for user authentication must use a password hashing function to store a “fingerprint” of a user password for later verification instead of storing the password directly. Breezy uses Bcrypt as its password hashing function for the software it develops.
  • When a system needs access to the password itself, for example to interact with another system, the password must be encrypted in storage.
  • Passwords must be encrypted in transit.
  • If there is a reasonable suspicion a system has been compromised, all passwords must be forced to be reset.
  • When applicable, password reset links must have an expiration date.
  • When applicable, prefer non-memorized means of authentication, such as key-based authentication, over password-based authentication.

Lost/Stolen Credentials

For any Breezy internal or external system requiring authentication, follow this process if login credentials are lost, stolen, misplaced, or forgotten:

  1. Notify your immediate manager, or Engineering Manager if not available.
  2. Create an Information Security Incident Report

Responsibilities

All employees are responsible for maintaining good passwords and ensuring they are protected. Additionally, engineers are responsible for ensuring systems follow the system password implementation requirements.