Password Control Policy

1. Purpose

The purpose of this Password Control Policy is to establish comprehensive guidelines and mandatory requirements for the creation, management, safeguarding, and use of passwords within Marfeel’s information systems. The objective is to ensure the confidentiality, integrity, and availability of Marfeel’s digital assets by mitigating risks associated with unauthorized access resulting from weak, compromised, or mismanaged credentials.

2. Scope

This Policy applies to all individuals who are granted access to Marfeel’s information systems, including but not limited to employees, contractors, consultants, temporary workers, third-party service providers, and any other authorized users who interact with systems, applications, databases, or networks owned, managed, or otherwise controlled by Marfeel.

3. Password Creation Requirements

All user-created passwords must adhere to a defined complexity standard. Passwords shall be a minimum of twelve (12) characters in length and contain at least one uppercase letter, one lowercase letter, one numeric digit, and one special character. Passwords must not include personal information (e.g., names, birthdays, or commonly used phrases) and must be unique to each system where authentication is required. Passphrases composed of unrelated words may be permitted if they meet entropy requirements.
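As an added example (not part of Marfeel's policy or tooling), the following Python check enforces the section 3 rules as written: minimum length, the four character classes, no personal information or common phrases, and the passphrase alternative. The passphrase word count, the entropy bar and the wordlist size are assumptions, since the policy does not fix them.

```python
import math
import re

# Section 3 values from the Password Control Policy.
MIN_LENGTH = 12
CLASS_PATTERNS = {
    "uppercase letter": r"[A-Z]",
    "lowercase letter": r"[a-z]",
    "numeric digit": r"[0-9]",
    "special character": r"[^A-Za-z0-9]",
}
# Constructed sample of "commonly used phrases"; a deployment would load a real list.
COMMON_PHRASES = ("password", "qwerty", "letmein", "welcome", "marfeel")
# Assumed values: the policy does not fix the passphrase word count, the entropy
# bar, or the wordlist the words are assumed to come from.
PASSPHRASE_MIN_WORDS = 4
PASSPHRASE_MIN_ENTROPY_BITS = 64
ASSUMED_WORDLIST_SIZE = 7776  # diceware-sized list, about 12.9 bits per word


def passphrase_entropy_bits(password: str) -> float:
    """Estimate entropy of a word-based passphrase; 0.0 if it does not qualify."""
    words = [w for w in re.split(r"[\s\-_.]+", password) if w]
    distinct = {w.lower() for w in words}
    if len(words) < PASSPHRASE_MIN_WORDS or len(distinct) != len(words):
        return 0.0  # too few words, or a repeated word: not "unrelated words"
    return len(words) * math.log2(ASSUMED_WORDLIST_SIZE)


def check_password_policy(password: str, personal_info=()) -> list:
    """Return the list of section 3 violations; an empty list means compliant."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    missing = [name for name, pat in CLASS_PATTERNS.items() if not re.search(pat, password)]
    # A passphrase of unrelated words may skip the character-class rule
    # when it clears the (assumed) entropy bar.
    if missing and passphrase_entropy_bits(password) < PASSPHRASE_MIN_ENTROPY_BITS:
        violations.append("missing " + ", ".join(missing))
    lowered = password.lower()
    for item in personal_info:
        if len(item) >= 3 and item.lower() in lowered:
            violations.append(f"contains personal information '{item}'")
    for phrase in COMMON_PHRASES:
        if phrase in lowered:
            violations.append(f"contains common phrase '{phrase}'")
    return violations
```

The personal-information list would come from the directory record of the user setting the password (name, date of birth), which is why it is passed in rather than hard-coded.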

4. Password Lifecycle Management

Passwords shall be changed at regular intervals not to exceed 180 days or immediately following suspicion or confirmation of compromise. Initial passwords provided to new users must be changed upon first login. Historical password reuse shall be restricted by retaining a minimum of the last five (5) previously used passwords. Users are strictly prohibited from using identical passwords across multiple systems within the organizational environment.

5. Password Storage Requirements

All stored passwords must be hashed using industry-standard cryptographic algorithms, such as SHA-256 or bcrypt, with appropriate salting so that identical passwords do not produce identical stored values. Cleartext storage of passwords is categorically forbidden. Passwords stored within password management solutions must leverage secure vaulting mechanisms and adhere to access control policies.
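An added example, not Marfeel's own code, covering the section 5 storage rule together with the section 4 history rule: salted, iterated hashing with a fresh random salt per password, constant-time verification, and a reuse check against the last five retained hashes. PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt so the example runs without extra packages, and the work factor is an assumed value.

```python
import hashlib
import hmac
import os

# Section 4: retain the last five passwords so none of them can be reused.
HISTORY_DEPTH = 5
# Assumed parameters: the policy names bcrypt or salted SHA-256 but fixes no
# work factor. PBKDF2-HMAC-SHA256 is used here as a salted, iterated SHA-256
# construction available in the standard library.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, salt: bytes = None) -> str:
    """Return '<scheme>$<iterations>$<salt hex>$<digest hex>' with a fresh random salt."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{SCHEME}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False  # unknown or malformed record: never treat as a match
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def rotate_password(history: list, new_password: str) -> list:
    """Apply the section 4 rule: reject a match against any retained hash, then
    store the new hash first and keep at most HISTORY_DEPTH entries."""
    if any(verify_password(new_password, old) for old in history[:HISTORY_DEPTH]):
        raise ValueError(f"password matches one of the last {HISTORY_DEPTH} passwords")
    return [hash_password(new_password)] + history[:HISTORY_DEPTH - 1]
```

Because every hash carries its own salt, the history check has to re-derive the candidate password against each retained record; it cannot be done by comparing digests directly.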

6. Password Confidentiality and Sharing

Under no circumstances shall passwords be shared between individuals. Each user is individually accountable for actions taken under their assigned credentials. Shared or group accounts are prohibited unless explicitly authorized and controlled through compensating security measures. Any suspected compromise of credentials must be reported to the Information Security team without undue delay.

7. Password Transmission

Passwords must only be transmitted over encrypted channels utilizing protocols such as TLS 1.2 or higher. Emailing passwords, storing them in unencrypted documents, or transmitting them over unsecured communication channels (e.g., plain HTTP, SMS) is strictly prohibited.

8. Password Recovery and Reset Procedures

Password reset procedures shall incorporate identity verification mechanisms appropriate to the sensitivity of the associated account. Acceptable methods include multi-factor authentication, secure self-service portals, or manual identity confirmation by IT personnel. Recovery mechanisms must ensure auditability and protect against social engineering attacks.

9. Password Expiration and Renewal

Passwords shall expire in accordance with Marfeel’s risk-based access control framework, with forced rotation not exceeding 180 days for general accounts and 90 days for privileged or administrative accounts. Automated reminders shall notify users prior to expiration, and systems must lock out accounts whose passwords have expired until a compliant new password is set.

10. Account Lockout Policy

To mitigate brute-force attacks, user accounts shall be locked after a maximum of five (5) consecutive failed login attempts. Locked accounts may be restored only by authorized support personnel following user identity verification. Lockout events must be logged and monitored as part of incident detection activities.

11. Multi-Factor Authentication (MFA)

All systems supporting MFA must have it enabled for both internal and external access. MFA shall be mandatory for all administrative and high-privilege accounts, and for access to systems processing sensitive or regulated data. Acceptable MFA methods include one-time passwords (OTP), hardware tokens, and biometric authentication.

12. Awareness and Training

Marfeel shall conduct mandatory security awareness training programs for all personnel, which will include modules on secure password practices, password hygiene, and identification of phishing threats. Additional role-specific training shall be required for system administrators and users of privileged accounts.

13. Roles and Responsibilities

The Information Security team is responsible for defining and maintaining password security standards, monitoring compliance, and enforcing this policy. System owners must ensure technical implementation of password controls, and end-users are accountable for the secure handling of their credentials.

14. Policy Compliance and Enforcement

Any violation of this policy may result in disciplinary action, up to and including termination of employment or contractual relationship, as well as legal action where applicable. Periodic audits shall be conducted to assess compliance, and findings shall be reported to senior management.

15. Policy Review and Maintenance

This Password Control Policy shall be reviewed at least annually, or upon significant changes to regulatory requirements, security best practices, or internal IT infrastructure. Reviews shall be documented, and updates shall be communicated to all affected stakeholders.