security-policies/policies/password-policy.md

# Password Policy
**Version:** 2.1 | **Owner:** Information Security | **Classification:** Internal
## Requirements
- Minimum length: 14 characters
- Must include: uppercase, lowercase, digits, special characters
- No reuse of last 12 passwords
- Maximum age: 60 days for privileged accounts, 180 days for standard
- MFA required for all admin and remote access accounts
## Password managers
Use the company-approved password manager (1Password Teams).
Personal vaults must not store Nexus credentials.
## Enforcement
Non-compliance results in account lockout after 5 failed attempts.
Locked accounts require IT helpdesk intervention.
## Hardware tokens
For production system access, hardware security keys (YubiKey 5) are preferred over TOTP.
Contact IT to request a YubiKey. Replacement: maximum once per 2 years.