Password Policy

South Weymouth Church of the Nazarene Password Policy

Overview

Passwords are an important aspect of computer security. A poorly chosen password may result in unauthorized access and/or exploitation of South Weymouth Church of the Nazarene's resources. All users, including contractors and vendors with access to South Weymouth Church of the Nazarene’s systems, are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

Purpose

The purpose of this policy is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency of change. The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any South Weymouth Church of the Nazarene facility or has access to the South Weymouth Church of the Nazarene network.

Policy

All system-level passwords (e.g., root, enable, Windows Administrator, application administration accounts, etc.) must be changed on at least 180 days or in the case of an employee that leaves.
All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every 180 days or 6 months.
User accounts that have system-level privileges granted through group memberships or programs must have a unique 12 character password from all other accounts held by that user.
All user-level and system-level passwords must conform to the guidelines described below.

Guidelines

General Password Construction Guidelines

All users at South Weymouth Church of the Nazarene should be aware of how to select strong passwords.

Strong passwords have the following characteristics:

Contain at least three of the five following character classes:
Lower case characters o Upper case characters
Numbers
Punctuation
“Special” characters (e.g. @#$%^&*()_+|~-=\`{}[]:";'<>/ etc)
Contain at least nine alphanumeric characters.

Weak passwords have the following characteristics:

The password contains less than twelve characters
The password is a word found in a dictionary (English or foreign)
The password is a common usage word such as:
Names of family, pets, friends, co-workers, fantasy characters, etc.
Computer terms and names, commands, sites, companies, hardware, software.
The words "SWN", "sanjose", "sanfran", "PraiseGod" or any derivation.
Birthdays and other personal information such as addresses and phone numbers.
Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
Any of the above spelled backwards.
Any of the above preceded or followed by a digit (e.g., secret1, 1secret)

Try to create passwords that can be easily remembered. One way to do this is create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation. (NOTE: Do not use either of these examples as passwords!)

B. Password Protection Standards

Always use different passwords for South Weymouth Church of the Nazarene accounts from other Non-South Weymouth Church of the Nazarene access (e.g., personal ISP account, option trading, benefits, And Bank accounts etc.).
Do not share South Weymouth Church of the Nazarene passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, confidential South Weymouth Church of the Nazarene information.
Passwords should never be written down or stored on-line without encryption.
Do not reveal a password in email, chat, or other electronic communication.
Do not speak about a password in front of others.
Do not hint at the format of a password (e.g., "my family name")
Do not reveal a password on questionnaires or security forms
If someone demands a password, refer them to this document and direct them to a Technology Staff member.
Always decline the use of the "Remember Password" feature of applications (e.g., Facebook, Outlook, AOL IM, I/E, Firefox, Chrome).
If an account is compromised (spam, hacked) Technology Staff will take action starting with changing the password. The user will be informed and required to come to see a Technology Staff member to reset the password and consult on what can be done to avoid it from happening again.

C. Password administration

Failed login attempts may be recorded and reviewed for follow-up action.
Users will be locked out of the system after 3 failed login attempts and must contact the help desk for access resetting. Manager approval may be required to fulfill a password reset request.
Access privileges will be reviewed prior to granting access based on factors including job title and function (role-based access) or the individual (user-based access).

User IDs, passwords or email accounts are not to be transferred to another individual.
New accounts may be obtained by calling the IT help desk. Management approval is required before any account can be created.

D. Noncompliance with this policy

South Weymouth Church of the Nazarene employees and authorized contractors who do not comply with this policy and the procedures that may be developed from it are subject to possible disciplinary measures as may be determined by South Weymouth Church of the Nazarene’s general counsel and/or human resources.

If an account or password compromise is suspected, report the incident to a Technology Staff member immediately.

1.0 Revision History

Technology – February 2024