Password Protection Policy

  1. Overview

Passwords are an important aspect of computer security. A poorly chosen password may result in unauthorized access to and/or exploitation of our resources. All staff, including contractors and vendors with access to City of Melrose systems, are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

The City of Melrose IT (CoMIT) team will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, business tool reports, internal and external audits, and feedback from employees.

  2. Purpose

The purpose of this policy is to establish a standard for creation of strong passwords and the protection of those passwords.

  3. Scope

The scope of this policy includes all personnel who have, or are responsible for, an account (or any form of access that supports or requires a password) on any system that resides at any City of Melrose facility, has access to the City of Melrose network, or stores any non-public City of Melrose information. Furthermore, this policy applies to employees, contractors, consultants, temporary and other workers, including all personnel affiliated with third parties. This policy applies to all passwords, including but not limited to user-level accounts, system-level accounts, web accounts, e-mail accounts, screen saver protection, voicemail, and local router logins. The parameters in this policy are designed to comply with legal and regulatory standards, including but not limited to the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS).

  4. Policy
    1. Password creation
      1. All user-level and system-level passwords must conform to the guidelines listed below.
      2. Users must use a separate, unique password for each of their work-related accounts¹. Users may not use any work-related passwords for their own personal accounts. Personal account passwords of Melrose employees can be, and have been, obtained from malicious sites and used to gain access to City accounts.
      3. User accounts that have system-level privileges granted through group memberships or programs such as IMC must use a password that is unique from all other accounts held by that user to access system-level privileges. In addition, it is highly recommended that some form of multi-factor authentication is used for any privileged account.
      4. Passwords in the City of Melrose will conform to the following requirements at a minimum:
        1. At least nine characters;
        2. Contain a number;
        3. Contain a non-alphanumeric character (e.g., “@”, “#”, “&”);
        4. Contain an upper case letter;
        5. Contain a lower case letter;
        6. Strong passwords are long; the more characters a password has, the stronger it is. We recommend a minimum of 14 characters in your password. In addition, we highly encourage the use of passphrases: passwords made up of multiple words. Examples include “It’s time for vacation” or “Mydirtylaundryday@2”.
        Passphrases are both easy to remember and type, yet meet the strength requirements. Poor, or weak, passwords have the following characteristics:
          • Contain eight characters or fewer.
          • Contain personal information such as:
            • birthdates
            • addresses
            • phone numbers
            • names of family members
            • names of pets
            • names of friends
            • names of fantasy characters
            • license plate numbers
            • social security numbers
          • Are a single dictionary word such as “Password”, “Montreal”, or “secret”.
          • Contain repeated, sequential, or keyboard patterns such as aaabbb, qwerty, zyxwvuts, or 123321.
          • Are some version of “Welcome123”, “Password123”, or “Changeme123”.
          • Are so complex that they need to be written down on a sticky note, pinned to a bulletin board, or written on paper and slid under your keyboard.
      5. Every work account should have a different, unique password. If you use a password for an internal system, do not use that same password for anything else.

        Note: To enable users to maintain multiple passwords, we highly encourage the use of password manager software that is authorized and provided by the organization. Whenever possible, also enable multi-factor authentication.
    2. Password change
      1. Passwords should be changed every 6 months.
      2. Password cracking or guessing may be performed on a periodic or random basis by the CoMIT Team or its delegates. If a password is guessed or cracked during one of these scans, the user will be required to change it to be in compliance with the Password Construction Guidelines.
    3. Password protection
      1. Passwords must not be shared with anyone, including supervisors and coworkers. All passwords are to be treated as sensitive, confidential City of Melrose information.
      2. Initial passwords, once created for a new employee or an employee getting new access, will be shared with the user’s supervisor in order to get the employee access. CoMIT will require these initial passwords to be changed upon the first login so that access cannot be obtained by anyone but the new user.
      3. Passwords must not be inserted into email messages, IT Help Desk cases or other forms of electronic communication, nor revealed over the phone to anyone (CoMIT may relay initial passwords in this manner).
      4. Passwords may be stored only in “password managers” authorized by the organization. This means that you should never store passwords in a document/spreadsheet or note.
      5. Do not use the "Remember Password" feature of applications (for example, web browsers) unless that feature holds passwords in an encrypted database.
      6. Any user suspecting that his/her password may have been compromised must report the incident and change all passwords.
      7. Passwords should never be written down on paper and stored where someone could get access. Never write a password down on a sticky note and post it to your monitor or under your keyboard. Any user whose password is found this way will have access terminated until the password has been changed.
      8. Always log out of your computer or lock your screen when you walk away from it.
      9. Never let others watch you type your password.
      10. Never use an unsecured wireless network. Malicious attackers can use the connection to steal your data, passwords, social security number, credit card and/or financial information.
      11. When using public wireless networks, such as a hot spot at a restaurant or store, avoid any actions that require a username and password.
      12. Always use some measure of security for gaining access to your phone. Most major browsers save passwords and sync them to the browser you use on your phone. Malicious users can gain access to your bank accounts, credit card information, and other information you have saved on the phone. Attackers can also gain access to City information this way.
      13. Multi-factor authentication is highly encouraged and should be used whenever possible, not only for work related accounts but personal accounts as well.

¹ Work accounts that are intentionally set up to use the same authenticating credentials across platforms, such as a computer login and a Munis login, are an exception to this rule.
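The construction rules in section 4.1 (minimum length, required character classes, and the list of weak-password characteristics) can be enforced mechanically at password-change time. The checker below is an added example written for this page; it is not the City of Melrose's or CoMIT's own tooling. The numeric thresholds (9-character minimum, 14-character recommendation) and the banned base words (Welcome, Password, Changeme) come from the policy text; the small dictionary, the keyboard rows, and the leet-substitution table are constructed stand-ins for the word lists a real deployment would load.

```python
"""Password construction checker modelled on the policy's section 4.1.

Added example, not the City's own code. Thresholds and banned base words
follow the policy; DICTIONARY, KEYBOARD_ROWS and LEET are constructed.
"""
import re
import string

MIN_LENGTH = 9            # policy requirement
RECOMMENDED_LENGTH = 14   # policy recommendation

# Constructed stand-in for a real dictionary word list.
DICTIONARY = {"password", "montreal", "secret", "welcome", "changeme", "summer"}
# Base words behind "some version of Welcome123 / Password123 / Changeme123".
BANNED_BASES = {"welcome", "password", "changeme"}
# Keyboard rows used to spot "qwerty"-style runs (constructed, US layout).
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
# Crude substitution table so "P@ssw0rd1" still counts as a version of "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "!": "i", "$": "s",
                      "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(pw: str) -> str:
    """Lower-case, drop trailing digits/punctuation, then undo leet substitutions."""
    base = re.sub(r"[^a-z]+$", "", pw.lower())
    return base.translate(LEET)


def has_sequence(pw: str) -> bool:
    """True for aaa-style repeats, 3+ step digit runs (123, 321),
    4+ step letter runs (wxyz, zyxw) or 4+ char keyboard-row runs (qwer)."""
    s = pw.lower()
    for i in range(len(s) - 2):
        a, b, c = s[i:i + 3]
        if a == b == c:
            return True
        if s[i:i + 3].isdigit():
            d1, d2 = ord(b) - ord(a), ord(c) - ord(b)
            if d1 == d2 and abs(d1) == 1:
                return True
    for i in range(len(s) - 3):
        chunk = s[i:i + 4]
        if chunk.isalpha():
            diffs = {ord(y) - ord(x) for x, y in zip(chunk, chunk[1:])}
            if diffs == {1} or diffs == {-1}:
                return True
        for row in KEYBOARD_ROWS:
            if chunk in row or chunk in row[::-1]:
                return True
    return False


def check_password(pw: str) -> dict:
    """Apply the section 4.1 rules; failures block the password, warnings do not."""
    failures, warnings = [], []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(ch.isdigit() for ch in pw):
        failures.append("no number")
    if not any(ch in string.punctuation for ch in pw):
        failures.append("no non-alphanumeric character")
    if not any(ch.isupper() for ch in pw):
        failures.append("no upper case letter")
    if not any(ch.islower() for ch in pw):
        failures.append("no lower case letter")
    base = normalize(pw)
    if base in BANNED_BASES:
        failures.append(f"a version of a banned word ({base!r})")
    elif base in DICTIONARY:
        failures.append("a single dictionary word")
    if has_sequence(pw):
        failures.append("contains a repeated or sequential pattern")
    if len(pw) < RECOMMENDED_LENGTH:
        warnings.append(f"shorter than the recommended {RECOMMENDED_LENGTH} characters")
    return {"ok": not failures, "failures": failures, "warnings": warnings}


if __name__ == "__main__":
    for candidate in ["Mydirtylaundryday@2", "Welcome123!", "P@ssw0rd1", "Qwerty#2024", "secret"]:
        print(candidate, check_password(candidate))
```

Note that the check applies the policy literally: a multi-word passphrase without a digit, such as the policy's own “It’s time for vacation” example, fails the "contain a number" requirement, so whoever deploys a checker like this should decide explicitly whether long passphrases are exempt from the character-class rules.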

  5. Policy Adherence, Verification & Compliance
    1. Compliance measurement - The CoMIT team will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, business tool reports, and internal and external audits.
    2. Exceptions - Any exception to the policy must be approved by the CoMIT Team in advance.
    3. Non-compliance - “Failure to follow the provisions of this policy may result in discipline ranging from counseling to termination of employment, and may include other forms of disciplinary action as deemed appropriate under the circumstances by your supervisor.”