Password Policy
Last Modified: 2019-10-09
Password Policy:
Squishable employees routinely access a variety of IT resources, including numerous hardware devices, software packages, and websites. Employees who have access to any of those resources are responsible for choosing strong passwords and protecting their log-in information from unauthorized people.
The purpose of this policy is to make sure all Squishable resources and data receive adequate password protection. This policy covers all employees who are responsible for one or more accounts or have access to any resource that requires a password.
LastPass Password Manager:
Squishable uses a password management software package, LastPass, to help ensure appropriate system access and to allow employees to manage many passwords. LastPass allows users to store, generate, and update passwords. It also allows the secure sharing of other data among system users. Any shared Squishable system logins are managed and shared using LastPass, allowing multiple users to access login information without transmitting or storing passwords in an insecure manner. All Squishable-related logins, shared or non-shared, must be managed through LastPass. Employees are prohibited from emailing or writing down shared or personal passwords.
LastPass master passwords must be unique. Employees must not reuse a password from any other account as their LastPass master password, because the master password protects every other credential stored in the vault.
Password creation:
- All passwords must be reasonably complex and difficult for unauthorized people to guess. Passwords must be at least eight characters long and contain a mix of upper- and lower-case letters, numbers, and punctuation marks or other special characters. These requirements will be enforced with software where possible.
- Passwords must not include the company name, the employee's name, logins, or email addresses, and must avoid simple variations that are easy to crack. For instance, avoid choices such as “squishable11,” “Squ1shabl3,” “password,” “password1” and “Pa$$w0rd”; substituting digits or symbols for letters does not make a guessable word any harder to guess, so all of these are equally weak.
- Employees must choose unique passwords for all their company accounts and should avoid using passwords that they are already using for a personal account. Employees are encouraged to use the “Generate Password” feature in the LastPass password management software to generate random and complex passwords.
- All passwords must be changed regularly, with the frequency varying based on the sensitivity of the account in question. This requirement will be enforced using software when possible.
- If the security of a password is in doubt — for example, if it appears that an unauthorized person has logged in to the account — the password must be changed immediately.
- Default passwords — such as those created for new employees when they start or those that protect new systems when they’re initially set up — must be changed as quickly as possible.
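The following is an added example, not part of the original policy, showing how the rules in the "Password creation" section can be enforced in software, as the policy says they will be where possible. It checks length, character-class mix, the company name, the employee's login, name and e-mail address, and a small list of known-bad passwords, and it normalizes common letter-for-digit substitutions so that "Squ1shabl3" and "Pa$$w0rd" are rejected just like "squishable" and "password". The policy does not say how many character classes are required, so "at least three of the four" is an assumption made here; the denylist and the substitution table are likewise constructed for this example, and a real deployment would use a breached-password list instead.

```python
import re

# Constructed for this example: a handful of common passwords. In production
# this would be a breached-password list, not a hand-written set.
DENYLIST = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

# Common digit/symbol-for-letter substitutions; undoing them lets the check
# treat "Squ1shabl3" as "squishable" and "Pa$$w0rd" as "password".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i", "|": "l"})

COMPANY_TERMS = ("squishable",)   # the company name may never appear in a password

MIN_LENGTH = 8
MIN_CLASSES = 3                   # assumption: the policy does not state a number


def normalize(text):
    """Lower-case and undo leet substitutions so look-alike spellings compare equal."""
    return text.lower().translate(LEET_MAP)


def check_password(pw, username="", email="", full_name=""):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []

    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    if sum(classes) < MIN_CLASSES:
        problems.append(f"needs at least {MIN_CLASSES} of: upper, lower, digit, special")

    # Compare the raw lower-cased password, its normalized form, and the
    # normalized form with trailing digits/punctuation removed ("Password1",
    # "Passw0rd!" and "Pa$$w0rd" all reduce to "password").
    norm = normalize(pw)
    stripped = normalize(re.sub(r"[^a-z]+$", "", pw.lower()))
    if {pw.lower(), norm, stripped} & DENYLIST:
        problems.append("matches a known weak password")

    # Identifiers that must not appear: company name, login, e-mail address and
    # its local part, and each part of the employee's name. Very short tokens
    # (under three characters) are skipped to avoid rejecting almost everything.
    forbidden = set(COMPANY_TERMS)
    for ident in (username, email, email.split("@")[0], *full_name.split()):
        if len(ident) >= 3:
            forbidden.add(ident.lower())
    for term in sorted(forbidden):
        if normalize(term) in norm:
            problems.append(f"contains identifier {term!r}")

    return problems


if __name__ == "__main__":
    for candidate in ("Squ1shabl3", "Pa$$w0rd", "Password1", "Ab1!", "x9K!vQ2mLp7#"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
    print(check_password("jdoe2019!", username="jdoe",
                         email="jane.doe@squishable.com", full_name="Jane Doe"))
```

The check is a floor, not a substitute for randomly generated passwords: a password that passes every rule above can still be weak if it is a dictionary word with a year appended, which is why the policy points employees to the LastPass generator rather than to hand-crafted passwords.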
Protecting Passwords
In addition to using our password management software, LastPass, employees must follow these guidelines to protect their credentials:
- Employees may never share their passwords with any outside parties, including those claiming to be representatives of a business partner with a legitimate need to access a system.
- Employees should be aware of, and take precautions against, the increasing threat posed by phishing scams and other attempts by attackers to steal passwords and other sensitive information. If an employee is contacted by any individual (even one who appears to be an internal staff member, vendor, or customer) seeking access to sensitive information (e.g., passwords, bank information, Social Security Numbers), the employee must verify the request by contacting that individual by phone or in person, using a phone number already on file rather than one supplied in the request. Email, text, or chat messages are insufficient to establish the identity of the requestor. Employees must alert their manager if they believe they have received a fraudulent request.
- Employees must refrain from writing passwords down and keeping them at their workstations.
- The use of other password management software packages, apps, or browser features to store or manage Squishable passwords is prohibited. This includes browser-based password autofill features and Apple's Keychain.
Other System Access Policies
- Employees must enable the system feature that requires a password to wake the device from sleep mode. On Windows this is the “Require a password on wakeup” setting; on Macs it is “Require password... after sleep or screen saver begins.”
- Any device used to access Squishable accounts (e.g., home computer, smart phone, tablet) must be password-protected.