PINs, Passcodes and Passwords
Policy
Strong passwords should be used for access to any company accounts and services. Passwords that must be memorized should be a series of several random words, generated using a password manager's "Memorable Password" option. Passwords that are not memorized must be stored with a password manager using the "Random Password" option with a minimum of 16 characters.
Scope
This policy applies to all Lullabot employees and contractors.
Compliance
All employees and contractors are expected to create strong passwords for access to all Lullabot and client accounts.
Explanation and Implementation
The first layer of defense for our online accounts is the PIN, passcode, or password. It is therefore extremely important to use good, unique passwords and to keep them well protected. A good password is difficult for people to guess and for machines to brute-force. Contrary to popular belief, including numbers, symbols, or mixed case matters far less than the length of the password itself.
Because the human brain is not capable of remembering many long random passwords, Lullabot provides access to a password manager.
It is important to make sure that you are not using the same password for multiple services or accounts. Consider what happens when one of those services is compromised and your username and password are exposed: how many other places use that same combination, or an easy-to-guess variation of it? Password leaks happen, and it is important that we defend our accounts and information from them as best we can.
With a password manager, you no longer need to memorize each password. Passwords are filled in automatically, or can be copied and pasted. The length of a password is its primary strength: the longer it is, the stronger it is. Our policy sets the minimum at 16 characters only because some poorly designed systems do not accept longer passwords; in most cases it is fine to go up to 20 or 30 characters.
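To put numbers behind the claim that length matters more than character variety, here is an added Python example (not Lullabot policy text or tooling). It generates both styles of password the policy describes using the secrets module and computes the entropy of each; the word list is a constructed stand-in, and 7776 is the size of a standard Diceware word list.

```python
import math
import secrets
import string

# Constructed word list standing in for a password manager's dictionary.
# Real "memorable password" generators draw from lists of thousands of words;
# the entropy figures below use a realistic list size, not this toy one.
WORDLIST = ["anchor", "basil", "comet", "dune", "ember", "fjord", "glade", "harbor"]

# 94 characters: letters, digits and punctuation (no whitespace).
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a secret drawn uniformly: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def random_password(length: int = 16, alphabet: str = PASSWORD_ALPHABET) -> str:
    """'Random Password' style: uniform choice from a large alphabet.
    secrets.choice is a CSPRNG; random.choice must not be used for secrets."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def memorable_passphrase(words: int = 5, wordlist=WORDLIST, sep: str = "-") -> str:
    """'Memorable Password' style: several random words joined by a separator."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def compare_strength() -> dict:
    """Entropy of a short 'complex' password versus longer, simpler ones.
    Sixteen lowercase letters beat eight characters from the full alphabet."""
    return {
        "8 chars, full charset": entropy_bits(len(PASSWORD_ALPHABET), 8),
        "16 chars, lowercase only": entropy_bits(26, 16),
        "16 chars, full charset": entropy_bits(len(PASSWORD_ALPHABET), 16),
        "5 words from a 7776-word list": entropy_bits(7776, 5),
    }


if __name__ == "__main__":
    for label, bits in compare_strength().items():
        print(f"{label:32s} {bits:6.1f} bits")
    print("random:   ", random_password(16))
    print("memorable:", memorable_passphrase(5))
```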
Finally, be wary of services that impose password limits, especially a maximum length below 16 characters. A generous upper bound (such as 32 or 64 characters) is reasonable, but a low maximum length or a restricted character set indicates that the service is not storing passwords securely: a properly hashed password occupies the same space regardless of its length, so there is no storage reason to truncate or restrict it.