Password Management Policy

Last updated: 24 April 2025, 12:47

1. Purpose, scope and users

1.1. Purpose

Passwords remain the primary authentication factor for most of the systems Tollring uses, so a password policy is a necessity in information systems security. A password that is properly created, stored and protected materially reduces the risk of account compromise.

The purpose of this document is:

  • To define a clear Password Management Policy standard for creating, protecting and updating strong passwords for all internal and external supported systems.

  • To define the list of third-party services that are subject to the Password Management Policy.

  • To define rules to ensure secure password management and the secure use of passwords throughout the organisation.

  • To define criteria for critical services that must be protected by two-factor authentication (2FA).

1.2. Scope

This policy applies to Tollring's information security and personal data processing activities in alignment with its Information Security Management System (ISMS).

1.3. Users

All Tollring employees.

2. Reference documents

  • ISO/IEC 27001:2013 standard, controls A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.3

  • ISO/IEC 27001:2022 standard, controls A.5.16, A.5.17

  • EU GDPR Article 32

  • Integrated ISMS and QMS Manual

  • Information Security Policy

  • NIST Special Publication 800-63B, section 5.1.1

3. Responsibilities

  • All of the organisation’s employees are responsible for ensuring that this policy is complied with.

  • All of the organisation’s employees are responsible for maintaining password security in accordance with this policy in all of their activities carried out on behalf of the organisation.

  • Any employee who comes to know, or is able to use, a password for any part of the IT system to which they do not normally have access must report this to the IT Support Team immediately so that the password can be changed and the situation rectified. Any deliberate or negligent breach of this rule is likely to be regarded as gross misconduct and may result in immediate dismissal.

4. Third-party services

The following services must apply Tollring's Password Management Policy:

  Software    Data Classification   Criticality   Protection
  ---------   -------------------   -----------   ----------
  Office365   Confidential          Critical      SSO
  Atlassian   Confidential          Critical      SSO
  AWS         Confidential          Critical      2FA
  Azure       Confidential          Critical      2FA
  Zoho        Confidential          Critical      2FA

  • Third-party services supporting Web SSO configuration should be integrated with Tollring’s ADFS infrastructure so that the policy will apply automatically.

  • The third-party services that do not support SSO / Web SSO integration with Tollring’s ADFS infrastructure should be configured according to this Password Management Policy.

4.1. Criteria for critical third-party services

All third-party services listed above are classed as critical and must be protected by 2FA, either enforced by the service itself or inherited through the ADFS SSO integration.

5. Policy rules

The policy rules below ensure three levels of password protection: Network Access, Application Access and Document Access.

  • All built-in default administration accounts (for example: root, the domain or network administrator, the local administrator and application administrator accounts) should be disabled or otherwise taken out of day-to-day use. Separate, individually named accounts carrying only the administrative privileges each person needs should be created for users who require privileged access, so that every privileged action is attributable to one person.

  • Passwords should not be shared with anyone.

  • Passwords must remain confidential at all times and should not be shared or transmitted through insecure communication channels such as email or instant messaging.

  • Passwords must never be stored in plain text. Password verifiers should be stored as salted hashes produced by a deliberately slow password-hashing function (for example Argon2id, bcrypt, scrypt or PBKDF2), as required by NIST SP 800-63B section 5.1.1.2; a plain SHA-256 digest is a fast, unsalted hash and is not suitable on its own. Where a secret has to be recoverable (for example a password-manager vault), it should be encrypted with a strong algorithm such as AES-256 under a key that is itself protected.

  • Where the platform allows it, passwords should use the longest length the platform supports rather than the minimum, since length is the main contributor to resistance against brute-force and dictionary attacks.

  • The use of a single password across multiple systems or applications is strictly prohibited.

5.1. Initial password creation and distribution

Passwords should be generated according to the rules in section 5.2 (User password guidelines) of this document.

Newly created passwords should be communicated to the user in separate messages over different channels (email and SMS), and when required via the line manager, so that no single message carries a complete set of credentials.

  • Initial passwords are set by a System Administrator. These must be changed by individual users and kept private.

  • Initial passwords are set to expire after a set time period (for example: 72 hours) so that an unused or intercepted initial password cannot be used indefinitely.
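The storage rule from section 5 and the initial-password procedure above, as an added Python example that is not part of this policy or of any Tollring system. It assumes PBKDF2-HMAC-SHA256 as the slow hash (chosen because it is in the standard library; Argon2id or bcrypt would serve equally), the 600,000-iteration floor OWASP currently recommends for that function, the 72-hour expiry used as the example above, and a constructed in-memory Account record standing in for the directory; the sample password is made up.

```python
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass

# Added example (not Tollring code). Contrasts a bare SHA-256 digest with a
# salted, slow verifier as NIST SP 800-63B 5.1.1.2 requires, then uses the
# verifier for the initial-password lifecycle described in section 5.1.

PBKDF2_ITERATIONS = 600_000          # assumption: OWASP 2023 floor for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
INITIAL_PASSWORD_TTL = 72 * 3600     # the 72-hour example expiry from section 5.1
# Character set allowed by section 5.2 (no pound, euro or space).
ALPHABET = string.ascii_letters + string.digits + '!"$%^&*()-_=+[]{};:\'@#~,<.>/?\\|'


def weak_store(password: str) -> str:
    """Unsalted, fast hash: every user with the same password gets the same
    digest, and a GPU tests billions of SHA-256 guesses per second."""
    return hashlib.sha256(password.encode()).hexdigest()


def store(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Self-describing verifier: pbkdf2_sha256$iterations$salt_hex$hash_hex."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, verifier: str) -> bool:
    """Recompute from the stored salt and compare in constant time."""
    try:
        alg, iters, salt_hex, dk_hex = verifier.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        iterations = int(iters)
    except ValueError:
        return False
    if alg != "pbkdf2_sha256" or iterations < 1:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(dk, expected)


def generate_initial_password(length: int = 16) -> str:
    """CSPRNG-generated initial password that meets the 3-of-4 group rule."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


@dataclass
class Account:                      # hypothetical directory record for the example
    username: str
    verifier: str
    must_change: bool = False       # initial password must be replaced at first use
    issued_at: float = 0.0          # when the initial password was issued (epoch seconds)
    consumed: bool = False          # initial password is one-time use


def issue_initial_password(username: str, now: float,
                           iterations: int = PBKDF2_ITERATIONS):
    """Administrator issues an initial password; only its verifier is kept.
    The clear-text value returned here is what goes out of band to the user."""
    pw = generate_initial_password()
    return pw, Account(username, store(pw, iterations), must_change=True, issued_at=now)


def login(acct: Account, password: str, now: float) -> str:
    """Returns 'ok', 'change_required' or 'denied'."""
    if acct.must_change:
        if acct.consumed or now - acct.issued_at > INITIAL_PASSWORD_TTL:
            return "denied"                     # already used, or older than 72 hours
        if not verify(password, acct.verifier):
            return "denied"
        acct.consumed = True                    # one-time use
        return "change_required"
    return "ok" if verify(password, acct.verifier) else "denied"


def set_new_password(acct: Account, new_password: str,
                     iterations: int = PBKDF2_ITERATIONS) -> None:
    """User replaces the initial password; the account becomes a normal one."""
    acct.verifier = store(new_password, iterations)
    acct.must_change = False
    acct.consumed = False
```

The verifier string carries its own algorithm name, iteration count and salt, so the iteration count can be raised later without invalidating existing records, and two enrolments of the same password never produce the same stored value, which is exactly what the unsalted digest fails to provide.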

5.2. User password guidelines

  • Tollring follows the password standards set out in NIST Special Publication 800-63B, section 5.1.1.

  • Passwords must be between 8 and 64 characters long; within that range, length is preferred over complexity and users are encouraged to choose longer passphrases.

  • There is no enforced maximum password age or requirement to periodically update a password, however, passwords must be changed if there is evidence of compromise.

  • The minimum password age should be set to 1 day.

  • Password complexity - A mix of characters should be used from 3 out of the following 4 groups -

    • English uppercase characters (A...Z)

    • English lowercase characters (a…z)

    • Base 10 digits (0…9)

    • Non-alphanumeric characters which include:

      • ! " $ % ^ & * ( ) - _ = + [ ] { } ; : ' @ # ~ , < . > / ? \ |

      • (but do not include: £, € or a SPACE).

  • Passwords should be unique for every account.

  • Passwords must not be composed entirely of repetitive or sequential characters like, “aaaaa” or “12345”.

  • Passwords must not contain contextual information such as all or part of the user’s name, username or job function, or any term (such as a birthday, partner’s name or street address) that could be easily guessed or researched.

  • “Enforce password history” should be set to “22” which prevents a password from being re-used until 22 password changes have been made.

  • “Store password using reversible encryption” should be set to “Disable”.

  • Simple substitutions (such as 1 for i, 0 for O, 5 for s etc.) in recognisable words such as those found in a dictionary, should not be relied upon as they offer no real protection.

  • Commonly used or easy-to-guess combinations or series... must not be used.
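The rules in this section expressed as a checker, as an added Python example that is not Tollring code. The short blocklist is constructed for illustration; a real deployment screens against a breach corpus, as NIST SP 800-63B section 5.1.1.2 requires. The substitution table and the `context` parameter are assumptions about how the simple-substitution and contextual-information rules are applied in practice.

```python
import re

# Added example (not Tollring code): the section 5.2 rules as a checker.
ALLOWED_SPECIALS = set('!"$%^&*()-_=+[]{};:\'@#~,<.>/?\\|')
FORBIDDEN_CHARS = set("£€ ")                    # excluded by the policy
# Constructed blocklist for the example; use a real breach corpus in production.
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "welcome1", "passw0rd", "iloveyou"}
# Simple substitutions the policy says offer no protection; undone before the check.
LEET = str.maketrans("0134578@$", "oieastbas")


def character_classes(pw: str) -> int:
    """How many of the four policy character groups the password draws from."""
    return sum([
        any("A" <= c <= "Z" for c in pw),
        any("a" <= c <= "z" for c in pw),
        any("0" <= c <= "9" for c in pw),
        any(c in ALLOWED_SPECIALS for c in pw),
    ])


def is_sequential(pw: str) -> bool:
    """True for runs like '12345' or 'abcde' (or reversed) and nothing else."""
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return len(pw) >= 2 and (steps == {1} or steps == {-1})


def check_password(pw: str, context: tuple = ()) -> list:
    """Return the list of rule violations; an empty list means the password passes.
    `context` holds strings that must not appear in the password: username,
    real name, job title and similar (the 'contextual information' rule)."""
    problems = []
    if not 8 <= len(pw) <= 64:
        problems.append("length must be between 8 and 64 characters")
    if any(c in FORBIDDEN_CHARS for c in pw):
        problems.append("contains a forbidden character (pound, euro or space)")
    if character_classes(pw) < 3:
        problems.append("must use at least 3 of the 4 character groups")
    if len(set(pw)) == 1:
        problems.append("composed entirely of repetitive characters")
    elif is_sequential(pw):
        problems.append("composed entirely of sequential characters")
    low = pw.lower()
    for term in context:
        if len(term) >= 3 and term.lower() in low:
            problems.append(f"contains contextual term '{term}'")
    # Undo 1-for-i, 0-for-o style substitutions, then compare against the blocklist.
    normalised = re.sub(r"[^a-z]", "", low.translate(LEET))
    if any(common in low or common in normalised for common in COMMON_PASSWORDS):
        problems.append("commonly used password or a simple-substitution variant of one")
    return problems
```

Running check_password("P@ssw0rd") passes every composition rule (four character groups, eight characters) and is still rejected, because undoing the substitutions yields "password"; that is the point the policy makes about substitutions offering no real protection.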

5.3. Network infrastructure device passwords

This policy applies to:

  • Network managed switches

  • Routers

  • Firewall devices

  • Wi-Fi routers

  • Wi-Fi access points

  • Video/Phone conferencing services

  • Internet of Things (IoT) devices

5.4. Printer passwords

  • The manufacturer default administrator password on every printer must be changed; the replacement password is set and controlled by the Infrastructure Team.

6. User obligations for password protection

  • Do not share your password with anyone or hint at the format of the password (for example, “my family name”).

  • Do not reveal your passwords over the phone to anyone (not to family or co-workers).

  • Do not reveal your passwords through an email or instant message to anyone.

  • Do not reveal your passwords to management unless an exceptional situation arises.

  • Do not reveal your passwords on questionnaires or security forms.

  • Do not use the “Remember Password” feature offered by applications.

  • Do not write passwords down and store them anywhere in the office.

  • Do not use the same password for multiple administrator accounts.

If someone demands a password, the Password Management Policy must be invoked and the demand refused. The IT Support Team should also be contacted immediately: itsupport@Tollring.com.

7. User obligations for password management

While allocating and using user passwords, the following rules must be acknowledged and followed:

  • By completing ISO/Security awareness training, users accept the obligation to keep passwords confidential.

  • Each user may use only his/her own uniquely allocated username.

  • Each user must have the option to choose his/her own password.

  • Passwords are required to meet strength requirements and must be kept confidential at all times.

  • Temporary passwords are issued securely and are intended for one-time use only. User identity is verified prior to issuance.

  • The user must confirm the receipt of a password by e-mail.

  • Passwords must not be visible on the screen during log-on.

  • Account lockout mechanisms are in place to protect against repeated failed login attempts.

8. Password precautions

All relevant employees of the organisation are made aware of the following rules, requirements and guidelines with regard to all passwords and PINs for accessing doors, etc.:

  • Always follow the rules for strong passwords every time one is created or changed.

  • Protect passwords by making sure nobody is looking over your shoulder when you enter them.

  • Do not say your password out loud or hint at how you constructed it. Do not e-mail or write down your password. Do not reveal it to anyone, not even colleagues or supervisors; it must be kept strictly private.

  • Do not keep a note of your password online or anywhere around your workplace.

  • Be aware of social engineering. This is when a potential intruder will attempt to get you to reveal a password by pretending, for instance, to need urgent help getting into the system. If you have access credentials to third-party systems, exercise heightened security awareness.

9. Non-conformance

Staff must abide by all policies. Any employee found to have violated any policy may be subject to disciplinary action which could result in the termination of employment.

10. Document management

The owner of this document is the ISMS Team who must check and, if necessary, update the document at least once a year.

REVIEW CYCLE: At least annually and as needed

REVIEW, APPROVAL, AND CHANGE HISTORY: The last review and approval were conducted in January 2025 by the ISMS Team.