Cast Password Policy
Purpose
The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.
Scope
The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that is used or managed by Cast.
User password management
The allocation of passwords shall be controlled through a formal management process. Users must follow good security practices when choosing and handling passwords. Passwords to Information Processing Facilities must comply with the complex password policy rules. It is the employeeβs responsibility to create passwords that comply with the following rules unless something else is enforced by the system.
The password
- shall not be equal to or close to the past seven passwords used
- shall not contain the accounts own account name or display name
- shall not consist of readily identifiable personal data (e.g. license plate numbers, names of family members/pets, date of birth, home address etc.)
- shall not contain a consecutive string of three or more repeated characters
- shall include a minimum of 10 characters if possible
- shall include a minimum of three out of these four elements:
- Uppercase characters of European languages (A through Z)
- Lowercase characters of European languages (a through z)
- Base 10 digits (0 through 9)
- Non-alphanumeric characters: ~!@#$%^&*()_-+=`|{}[]:;ββ<>,.?/
Access by Users to Castβs systems must be subject to strong password standards. The standards shall be relevant to the applicable distribution models for UserIDs, and shall be documented. Parameters to be considered shall include:
- Minimum Passwords Length
- Password Complexity Requirements
- First logon password change required
- Password change frequency
- Failed Logon attempts account lockout
- Password reset capability
- Password Change Requirements
- Password Change History
All user sessions relating to password entry shall use an encrypted protocol to protect the password in transit, and user passwords must be stored using a strong one-way irreversible hash (e.g. random salted and encrypted using a strong one-way hashing algorithm).
Any other internet facing sites operated by or on behalf of Cast, where passwords and / or userIDs are being used, must ensure that all transfer of such information is encrypted, and that the storage of such credentials is properly secured against unauthorized access and use.
This document was last updated on 03/10/2024.