Password Policy
This policy is designed to ensure that all employees use strong, secure passwords and that sensitive information is protected from unauthorized access.
1. Purpose
The purpose of this Password Policy is to establish guidelines for creating, managing, and securing passwords used by Eververse employees to access company systems, data, and third-party services. This policy ensures that passwords provide an appropriate level of security, reducing the risk of unauthorized access to sensitive information.
2. Scope
This policy applies to all employees, contractors, and third-party users who access Eververse systems and services. All employees are required to use 1Password for password management and comply with the following password requirements.
3. Password Requirements
3.1 Minimum and Maximum Length
- Minimum Length: Passwords must be at least 8 characters in length.
- Maximum Length: Passwords must not exceed 64 characters.
3.2 Character Composition
Passwords must contain at least 3 of the following 4 character types:
- Uppercase letters (A-Z)
- Lowercase letters (a-z)
- Special characters (e.g., !@#$%^&*)
- Numbers (0-9)
3.3 Personal Data Restriction
- Passwords must not contain any personal information, such as Social Security numbers, addresses, birthdays, or other identifying personal data.
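The requirements in 3.1 through 3.3 can be checked mechanically before a password is accepted. The following Python validator is an added example written for this page, not Eververse's own tooling or part of 1Password; the length bounds and the 3-of-4 rule come straight from the policy, while treating any non-alphanumeric character as "special", the four-character minimum for personal-data fragments, and the way personal attributes are supplied by the caller are assumptions made for the example.

```python
import re
from typing import Iterable, List, Set

# Constants taken from Sections 3.1 and 3.2 of the policy.
MIN_LENGTH = 8
MAX_LENGTH = 64
REQUIRED_CLASSES = 3  # at least 3 of the 4 character types

# The four character types from Section 3.2. "Special" is taken here to mean
# any character that is not a letter or digit (an assumption; the policy only
# lists examples such as !@#$%^&*).
CHARACTER_CLASSES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "number": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

# Minimum fragment length for the personal-data check (Section 3.3); shorter
# fragments such as "doe" or "12" would reject almost everything. Assumed value.
MIN_PERSONAL_TOKEN = 4


def classes_present(password: str) -> Set[str]:
    """Return the names of the Section 3.2 character types found in password."""
    return {name for name, pattern in CHARACTER_CLASSES.items() if pattern.search(password)}


def personal_tokens(personal_data: Iterable[str]) -> Set[str]:
    """Derive comparable fragments from a user's known personal attributes.

    Each attribute is lowercased and reduced to (a) the whole value with
    separators removed and (b) every alphanumeric run of at least
    MIN_PERSONAL_TOKEN characters, so "1990-04-12" yields "19900412" and "1990".
    """
    tokens: Set[str] = set()
    for item in personal_data:
        lowered = item.lower()
        whole = re.sub(r"[^a-z0-9]", "", lowered)
        if len(whole) >= MIN_PERSONAL_TOKEN:
            tokens.add(whole)
        for run in re.findall(r"[a-z0-9]+", lowered):
            if len(run) >= MIN_PERSONAL_TOKEN:
                tokens.add(run)
    return tokens


def check_password(password: str, personal_data: Iterable[str] = ()) -> List[str]:
    """Return a list of policy violations (empty when the password complies)."""
    problems: List[str] = []

    # Section 3.1: length bounds.
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")

    # Section 3.2: at least 3 of the 4 character types.
    present = classes_present(password)
    if len(present) < REQUIRED_CLASSES:
        missing = ", ".join(sorted(set(CHARACTER_CLASSES) - present))
        problems.append(
            f"only {len(present)} of {REQUIRED_CLASSES} required character types (missing: {missing})"
        )

    # Section 3.3: no personal data. The caller supplies the user's own
    # attributes (name, birthday, SSN, address); the comparison ignores case
    # and separators so "Jane2024!x" is caught for a user named Jane Doe.
    stripped = re.sub(r"[^a-z0-9]", "", password.lower())
    if any(token in stripped for token in personal_tokens(personal_data)):
        problems.append("contains personal data")

    return problems


def is_compliant(password: str, personal_data: Iterable[str] = ()) -> bool:
    """True when check_password reports no violations."""
    return not check_password(password, personal_data)


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration (not real user data).
    sample_personal = ["Jane Doe", "1990-04-12", "123-45-6789"]
    for candidate in ["Tr0ub4dor&3", "short1A", "alllowercase", "Jane2024!x"]:
        print(f"{candidate!r}: {check_password(candidate, sample_personal) or 'OK'}")
```

The personal-data check only works if the identity system passes the user's attributes in; it is a last line of defence, not a substitute for users choosing passwords in 1Password's generator. Note that a space counts as a special character under this implementation, which is the usual choice when passphrases are permitted.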
3.4 Password Hints and Knowledge-Based Authentication
- Password Hints: Password hints are not allowed under any circumstances.
- Knowledge-Based Authentication (KBA): KBA that allows users to pick from pre-set questions (e.g., "What is your pet's name?") to verify their identity is prohibited.
3.5 Password Expiration
- Eververse does not enforce password expiration for users. Employees are encouraged to update their passwords only when they suspect compromise or when prompted by security protocols.
4. Multi-Factor Authentication (MFA)
- All employees must enable Multi-Factor Authentication (MFA) wherever possible to secure their accounts.
- SMS-based MFA should be avoided whenever possible due to the security risks associated with SMS interception. Employees should use app-based MFA solutions such as 1Password, Authenticator apps, or Hardware Security Keys (e.g., YubiKey) instead.
5. Account Lockout
- Systems must be configured to lock user accounts after multiple failed login attempts to prevent brute force attacks.
- Where possible, account lockout policies should be enforced after 5 failed login attempts, requiring administrative intervention or a cool-down period before additional login attempts are allowed.
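The lockout rule in Section 5 is easy to state and easy to get subtly wrong (credentials evaluated while an account is locked, counters that never reset, locks extended by every further guess). The following Python tracker is an added example for this page, not Eververse's or any product's own code; the threshold of 5 failed attempts comes from the policy, while the 15-minute cool-down, the injectable clock, and the `attempt`/`admin_unlock` interface are assumptions made for the example.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

# Section 5: lock the account after 5 failed login attempts.
MAX_FAILED_ATTEMPTS = 5
# Length of the cool-down period. The policy does not fix a value; 15 minutes
# is an assumption for this example.
LOCKOUT_SECONDS = 15 * 60


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LockoutTracker:
    """Tracks failed logins per account and applies the Section 5 lockout rule.

    The clock is injectable so the cool-down can be tested without sleeping.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._accounts: Dict[str, AccountState] = {}
        self.events: List[str] = []  # audit trail for the security team

    def _state(self, username: str) -> AccountState:
        return self._accounts.setdefault(username, AccountState())

    def is_locked(self, username: str) -> bool:
        return self._clock() < self._state(username).locked_until

    def failed_attempts(self, username: str) -> int:
        return self._state(username).failed_attempts

    def attempt(self, username: str, credentials_valid: bool) -> str:
        """Process one login attempt; returns "ok", "rejected" or "locked".

        While an account is locked the credentials are not evaluated at all,
        and further attempts do not extend the lock.
        """
        state = self._state(username)
        now = self._clock()
        if now < state.locked_until:
            return "locked"
        if credentials_valid:
            state.failed_attempts = 0  # a successful login clears the counter
            return "ok"
        state.failed_attempts += 1
        self.events.append(f"FAILED_LOGIN user={username} count={state.failed_attempts}")
        if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
            state.locked_until = now + LOCKOUT_SECONDS
            state.failed_attempts = 0
            self.events.append(f"LOCKOUT user={username} until={state.locked_until:.0f}")
            return "locked"
        return "rejected"

    def admin_unlock(self, username: str) -> None:
        """Administrative intervention (Section 5): clear the lock and counter."""
        state = self._state(username)
        state.locked_until = 0.0
        state.failed_attempts = 0
        self.events.append(f"ADMIN_UNLOCK user={username}")


if __name__ == "__main__":
    # Constructed demonstration with a fake clock (not real login data).
    fake_now = [1_000_000.0]
    tracker = LockoutTracker(clock=lambda: fake_now[0])
    for i in range(6):
        print(f"attempt {i + 1}: {tracker.attempt('alice', credentials_valid=False)}")
    fake_now[0] += LOCKOUT_SECONDS + 1
    print("after cool-down:", tracker.attempt("alice", credentials_valid=True))
    print("\n".join(tracker.events))
```

Two design points matter for operations: the lock is checked before the credentials are evaluated, so a correct password submitted during the cool-down still returns "locked", and the `events` list gives the IT and Security Teams the lockout records they need to spot a spike in failed logins across many accounts. Because a lockout can also be triggered against a legitimate user, the cool-down plus administrative unlock path is what keeps the control from becoming a self-inflicted outage.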
6. Responsibilities
- Employees are responsible for creating strong, compliant passwords and using 1Password to securely store and manage them.
- IT and Security Teams are responsible for enforcing password requirements, managing 1Password access, and configuring MFA and account lockout settings.
- The CISO oversees the implementation of this policy and ensures compliance through regular security audits.
7. Enforcement
Any employee found violating this password policy may face disciplinary actions, including loss of system access, retraining, or other appropriate measures.
8. Review and Updates
This Password Policy will be reviewed annually or as necessary to adapt to changes in security threats or organizational needs.
9. Contact Information
For any questions or clarifications regarding this Password Policy, please contact us.