Device Lock Screens
Policy
Device lock screens should be configured to prevent access by unauthorized users, including when a device is lost or stolen.
Scope
This policy applies to all Lullabot employees and contractors.
Compliance
All Lullabot employees and contractors are required to protect all devices in their possession that have configurable locking options.
Explanation and Implementation
The PINs or passwords used to unlock devices deserve special mention. They are literally the "keys to the kingdom", especially for mobile devices that are easily lost or stolen.
The password used to unlock a computer should be a strong, alphanumeric password.
PINs on mobile devices should be at least 6 digits long. Given that most devices have some sort of face or fingerprint unlock, consider using a longer PIN for increased security and resistance to shoulder-surfing. If you're worried about remembering a longer PIN, remember that most people can easily remember 7- or 10-digit phone numbers.
Some phones default to a simple 4-digit PIN. That is too weak to be effective, so a longer, stronger PIN should be used.
Use 1Password's "PIN" password type in its password generator to come up with a random, secure PIN.
On Android, do not use a pattern lock; create a longer PIN instead.
On iOS, go beyond the standard four-digit PIN by going into Settings >> Touch ID & Passcode >> Change Passcode. When setting the new passcode you will see a link called "Passcode Options". You can select that to choose either an alphanumeric passcode or a longer numeric passcode.
In addition, devices should be configured to lock automatically after a short period (no longer than 10 minutes) of inactivity, and they should be locked manually any time the owner walks away from them.