# Password Policy

**Version:** 2.1 | **Owner:** Information Security | **Classification:** Internal

## Requirements

- Minimum length: 14 characters
- Must include: uppercase, lowercase, digits, special characters
- No reuse of last 12 passwords
- Maximum age: 60 days for privileged accounts, 180 days for standard
- MFA required for all admin and remote access accounts

## Password managers

Use the company-approved password manager (1Password Teams). Personal vaults must not store Nexus credentials.

## Enforcement

Non-compliance results in account lockout after 5 failed attempts. Locked accounts require IT helpdesk intervention.

## Hardware tokens

For production system access, hardware security keys (YubiKey 5) are preferred over TOTP. Contact IT to request a YubiKey. Replacement: maximum once per 2 years.