
Password Policy

How [Company Name] handles passwords and account login. Follows current NCSC guidance.

NCSC guidance has moved away from forced password changes and complexity rules — they make people pick weaker passwords. This policy reflects current best practice: long passwords, a password manager, MFA, and no reuse.

How to use this: The bracketed items like [Company Name] are placeholders — replace them with your own details. Edit the wording to suit your business. This is a starter, not legal advice.

What good looks like

  • Long passwords: minimum 14 characters, ideally three random words.
  • Unique per account — no reuse across personal and work.
  • Stored in the company-issued password manager, never in a spreadsheet, sticky note, or email.
  • MFA required for every business account that supports it — especially Microsoft 365, Google Workspace, banking, and any admin tools.

Multi-factor authentication

  • MFA is mandatory for all admin accounts.
  • Use an authenticator app or hardware key — not SMS — wherever the system supports it. SMS is vulnerable to SIM-swap.
  • Directors and finance staff are issued hardware security keys for highest-risk accounts.

Password manager

  • Every employee has a [password manager (e.g. 1Password / Bitwarden)] account.
  • Shared credentials live in shared vaults — not in spreadsheets or emails.
  • The password manager itself is protected with a strong passphrase plus MFA or a hardware key.

Resets and recovery

  • Password resets are not processed over the phone or by email request alone. The requester is verified via a second channel.
  • Password reset links and codes expire within 15 minutes.
  • If you suspect a password may have been compromised, change it from a clean device and tell [Named Manager].

When passwords change

Passwords are not forced to expire on a schedule. They are changed when:

  • The account has been compromised (or may have been).
  • The password has appeared in a known breach (we check via Have I Been Pwned).
  • An employee who knew a shared password has left.

Shared accounts

Shared accounts are discouraged. Where one exists, it lives only in the password manager's shared vault, with named owners and a rotation schedule.

Review

Reviewed annually. Last reviewed: [date].

Tips for adoption

  • Pair this with the weak passwords risk page for context.
  • If you're still on forced 90-day rotations, this policy moves you to a more secure place — tell staff why the change is being made.
  • Reach for hardware keys for directors before you reach for them for everyone.