[Organisation] · Password & Authentication Policy
Version 1.0 · Owner: [Role] · Approved: [Date] · Classification: Internal
Purpose
To set minimum standards for authentication that reduce the risk of account compromise.
Scope
Applies to all accounts on [Organisation] systems and applications.
Policy statements
- Passwords are a minimum of [12] characters; length is prioritised over forced complexity.
- Passwords are screened against known-breached password lists where technically feasible.
- Multi-factor authentication is mandatory for remote access, email, and all privileged and administrative accounts.
- Passwords are never shared, reused across systems, or stored in plaintext.
- Default and vendor-supplied credentials are changed before a system goes live.
- Failed-login lockout and session-timeout controls are enforced.
Review
Reviewed annually against current authentication best practice.
Template provided by CyberSigma for adaptation. Replace bracketed placeholders and tailor to your environment before adopting. This is guidance, not legal advice.
