
Account and Password Policy


Policy Brief


Security is important. Hacker attacks or unintended user access to our system could jeopardize our company and cause great financial damage. To ensure Agate’s system security, we are enforcing a few rules on account and password usage.

Notably, some of these rules will make passwords harder to remember. We encourage crews to use Agate’s internal password manager, Passbolt, to manage all work-related credentials. See the Passbolt Usage Policy to learn more about Passbolt.

Scope


This policy applies to all crews (full-time, temporary, and interns) and to anyone who has permanent or temporary access to our systems.

Policy Elements


TL;DR Version

  1. Create a strong password. Password criteria:
    1. Length: at least 16 characters
    2. Contains upper case
    3. Contains lower case
    4. Contains a number
    5. Contains a symbol
    6. No context-related or personal content
  2. Use a different password for each account
  3. Change your password every 3 months
  4. Enable 2FA (two-factor authentication) whenever possible
  5. Never use a public or shared device to access our system

Password Creation

The objective here is to make sure your password is something that could not be easily guessed and brute-forced by an attacker.

  • Unique Password

    Use a different password for each account, especially for your email account. Because your email account is the primary method for resetting or recovering other accounts, its password should be even more distinct from the rest of your passwords.

  • Length of Password

    Use 16 or more characters for your password. A longer password takes more time to brute-force. 16 or more characters should be long enough to resist brute-forcing by an attacker for the next 20 years.

  • Randomness of Password

    • Use random characters for your password.
    • Do not use sequential characters (such as abcd or 123) in your password.
    • Avoid common words in your password, to resist dictionary attacks. If you do use common words, combine at least 5 of them and use slang where possible.
  • Password Combination

    Use a combination (at least one of each) of upper case, lower case, numbers, and symbols in your password. Such a combination takes significantly more time to brute-force. It also helps because attackers tend to try the simpler combinations first, such as letters only or numbers only.

  • No Context Password

    • Do not use personal or identifiable information in your password, such as your name, email, birthday, city, etc.
    • Do not use context-related words in your password. Using words such as "agate", "google", "email", "gmail", "mail", "surat", etc. in your password is bad, because an attacker will try to guess your password using those words.

Password Rotation

Password rotation means changing or resetting your password to a new one so that your account is no longer accessible from old devices or old sessions you may have forgotten to log out of.

  • Crews need to rotate their password every 3 months. Do not reuse any of your 10 previous passwords when changing your password.
  • When a crew moves to another team/division, reset the team/division-specific credentials.
  • When a crew graduates, remove their credential access.
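As an added illustration (not Agate's own tooling), the following Python checker enforces the Password Creation rules above (length, character classes, sequential runs, context and personal words) together with the 10-password reuse rule from Password Rotation. The context-word list is taken from the examples in the No Context Password section; the personal-information inputs and the use of salted PBKDF2 hashes for the history store are assumptions for the example.

```python
"""Password policy checker for the Account and Password Policy.
Added example; not Agate's own code. The context-word list is the one
quoted in the policy, extend it for a real deployment."""
import hashlib
import hmac
import os
import string

MIN_LENGTH = 16      # policy: 16 or more characters
HISTORY_SIZE = 10    # policy: do not reuse the 10 previous passwords
SEQ_RUN = 3          # runs like "abc" / "123" / "cba" of this length are rejected
CONTEXT_WORDS = ("agate", "google", "email", "gmail", "mail", "surat")
PBKDF2_ROUNDS = 100_000


def has_sequential_run(password: str, run_length: int = SEQ_RUN) -> bool:
    """True if any run_length consecutive characters step by exactly +1 or -1
    in code point (e.g. 'abc', '123', 'cba'), compared case-insensitively."""
    p = password.lower()
    for i in range(len(p) - run_length + 1):
        steps = {ord(p[i + j + 1]) - ord(p[i + j]) for j in range(run_length - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False


def history_entry(password: str) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 record for the reuse-history store, so old
    passwords are never kept in plaintext (assumed storage format)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches_history_entry(password: str, entry: tuple[bytes, bytes]) -> bool:
    """Constant-time comparison of a candidate against one history record."""
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def check_password(password: str, personal_info=(), history=()) -> list[str]:
    """Return the list of violated rules; an empty list means the password complies.
    personal_info: strings such as the user's name, email or city (assumed input).
    history: history_entry() records, oldest first; only the last 10 are checked."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    if has_sequential_run(password):
        problems.append("contains a sequential run such as abc or 123")
    lowered = password.lower()
    for word in CONTEXT_WORDS:
        if word in lowered:
            problems.append(f"contains context word '{word}'")
    for item in personal_info:
        # Ignore very short fragments that would match almost anything.
        if item and len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains personal information '{item}'")
    recent = list(history)[-HISTORY_SIZE:]
    if any(matches_history_entry(password, entry) for entry in recent):
        problems.append(f"reuses one of the last {HISTORY_SIZE} passwords")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs for a quick demonstration.
    old = history_entry("Vq7#mLp2$wXz9!Rt")
    for candidate in ("Tr0ub4dor&3", "MyAgatePassw0rd!!!", "Vq7#mLp2$wXz9!Rt"):
        print(candidate, "->", check_password(candidate, ("Budi",), [old]) or "OK")
```

The check returns every violated rule rather than stopping at the first one, which is what a user-facing "change password" form needs; the history store keeps only salted hashes, so the reuse check never requires old passwords in plaintext.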

Two Factor Authentication (2FA)

Two-factor authentication, or 2FA, is an extra layer of protection in addition to your password. This means that if your password is compromised, 2FA prevents the attacker from accessing your account.

Whenever possible, enable 2FA. We recommend using mobile phone number 2FA. Another option is the Google Authenticator mobile application, but note that you will lose access to your 2FA if your phone is reset, broken, or stolen. If you are using an app, make sure to have a backup 2FA method.

Device Access

Always use your own device to access a secured account. Do NOT use a public or shared device such as a rental PC, a lobby PC, another crew’s device, etc.

Emergency/urgent case: if you really need to access an account from a public or shared device, use private browsing mode. We encourage you to reset your password from your own trusted PC or device after using a public or shared device.
