Password Policy
Breakout Learning Inc.
Purpose
This policy outlines the procedure for selecting and securely managing passwords at Breakout Learning Inc.
Scope
This policy applies to all Breakout Learning Inc employees, contractors, and any personnel who have an account on any system that resides at any company facility or has access to the company network.
Roles and Responsibilities
- Chief Information Security Officer (CISO):
- Overall Responsibility: The CISO is responsible for the implementation and enforcement of this Password Policy.
- Policy Oversight: Ensures that the Password Policy remains comprehensive, up-to-date, and aligned with industry best practices.
- Communication and Training: Oversees communication and training initiatives to educate employees on password security and the organization's policy.
- Policy Enforcement: Monitors and enforces compliance with the Password Policy to ensure consistent security measures across the organization.
Policy
- Password Compromise: If a password is suspected of being compromised, it must be rotated immediately, and the Security Officer must be notified.
- Common Password List: A list of commonly used, expected, or compromised passwords is maintained by a designated official and updated annually.
Password Requirements/Authentication Protocol
- Where complexity is required, passwords must include at least one uppercase letter, one lowercase letter, and one non-alphanumeric character.
- Passwords must be at least 12 characters in length, with no maximum length restriction.
- On systems that block common passwords using a deny list, the minimum length may be reduced to 8 characters.
- Passwords must not be reused or based on dictionary words or predictable patterns.
- Do not use the same passwords across different services or systems.
MFA Requirements
- Multi-Factor Authentication (MFA) must be enabled for any and all systems that support it.
Password Distribution
- Initial passwords provided to users must be unique, temporary, secure, and delivered through a secure channel. Users must acknowledge receipt and change the password upon first use.
- Temporary passwords must be non-guessable and unique for each user. Known-compromised username and password combinations must not be used.
- The identity of users must be verified before providing new, replacement, or temporary authentication information. Temporary authentication information must be transmitted through secure channels.
Password Support for Users
Breakout Learning Inc facilitates the generation of secure passwords for work accounts by:
- Educating users about avoiding common or predictable passwords.
- Advocating for the use of longer passwords and multiple words (e.g., using three random words).
- Providing secure password storage using 1Password.
- Avoiding regular password expiration and unnecessary complexity requirements where possible.
Password Protection
- All passwords must be treated as confidential. Sharing of passwords is strictly prohibited.
- Do not store passwords in insecure locations (e.g., emails, electronic notes, or mobile devices). Use 1Password to securely store passwords.
- If you must share access, use 1Password or a single sign-on (SSO) solution.
- If a password is compromised, it must be rotated immediately, and the Security Officer must be notified.
- Passwords stored in systems must be salted and hashed using a secure, one-way, purpose-built password hashing function (e.g., PBKDF2 with HMAC-SHA256, bcrypt, or scrypt).
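As an added example (not part of this policy or of any Breakout Learning system), the Python below puts the length, deny-list and complexity rules from the Password Requirements section beside the salted PBKDF2-HMAC-SHA256 storage this section calls for. The deny-list contents, the iteration count and the stored record format are assumptions of the example, not values set by the policy.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Constructed stand-in for the policy's maintained list of common/compromised
# passwords (assumption: compared case-insensitively).
DENY_LIST = {"password", "password123", "welcome1", "qwerty123", "breakout2024"}

MIN_LENGTH = 12              # policy default minimum
MIN_LENGTH_WITH_DENY_LIST = 8  # policy minimum where a deny list is enforced
PBKDF2_ITERATIONS = 600_000  # assumption: the policy does not fix an iteration count


def check_password(password: str, deny_list_enforced: bool = True,
                   require_complexity: bool = True) -> List[str]:
    """Return the policy rules the candidate violates; an empty list means accepted."""
    problems = []
    minimum = MIN_LENGTH_WITH_DENY_LIST if deny_list_enforced else MIN_LENGTH
    if len(password) < minimum:
        problems.append(f"shorter than {minimum} characters")
    if deny_list_enforced and password.lower() in DENY_LIST:
        problems.append("appears on the common/compromised password list")
    if require_complexity:
        if not any(c.isupper() for c in password):
            problems.append("no uppercase letter")
        if not any(c.islower() for c in password):
            problems.append("no lowercase letter")
        if not any(not c.isalnum() for c in password):
            problems.append("no non-alphanumeric character")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; record layout 'pbkdf2_sha256$iters$salt$hash' is assumed."""
    salt = salt or os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)
```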
Enforcement
- Employees or contractors found in violation of this policy may be subject to disciplinary action.
Revision History
Version | Date | Editor | Approver | Description of Changes
1.1 | 2024/10/01 | Nikita Rogatnev | Joshua Oster-Morris | Standardized role titles across all relevant policies, replacing previous variations
1.0 | 2024/01/01 | Joshua Oster-Morris | Jake Shepherd | Initial version