Password Policy

Password Policy

Purpose#

The purpose of this policy is to set the minimum standards for password creation and management. It also informs all DefectDojo employees and external parties with access to DefectDojo equipment, systems, or networks (DefectDojo Staff) of their obligations regarding password management for all systems, networks, IT assets, and licensed software owned, operated, or used by DefectDojo.

Scope#

Password management as applied to information security and the confidentiality, integrity, and availability of company-owned, processed, stored, and transmitted information.

Compliance#

Compliance Measurement#

The Information Security Management team will verify compliance to this document through business tool reports, internal and external audits, and feedback to the document owner.

Exceptions#

Any exception to this document must be reviewed and approved in advance by the Management Review Team.

Non-Compliance#

Any DefectDojo Staff found to have violated this document may be subject to disciplinary action, up to and including termination of employment. Systems and accounts that violate this policy may be removed from the DefectDojo network, disabled, or suspended until compliance is restored.

Continual Improvement#

This document is updated and reviewed as part of the continual improvement process.

Requirements#

Overview#

Passwords protect DefectDojo information systems and resources from unauthorized access. Proper password creation and management are essential to reduce risks, alongside Multi-Factor Authentication (MFA) as defined in the Access Control Policy.

Roles and Responsibilities#

• Strong passwords must be used and responsibly managed.
• System developers must store and transmit password data securely and use secure authentication methods.

DefectDojo Staff Requirements#

Password Storage#

• Memorize passwords and never record them with corresponding account information.
• Do not save passwords in unencrypted applications.

Password Manager#

• Use the DefectDojo corporate Password Manager (BitWarden) when SSO integration is not available.

Password Composition#

• Avoid using well-known or publicly posted identification information (names, usernames, IDs).

Password Reuse#

• Do not reuse DefectDojo passwords for non-DefectDojo accounts.

Password Sharing and Transfer#

• Do not share passwords. Exceptions require formal approval via the Security Operations Service Portal.
• If passwords must be written down temporarily, destroy the record after memorization.
• When sharing orally, ensure no unauthorized parties can overhear.

Security and Technology Services#

The Security Operations team enforces this policy and may set specific password standards for systems and accounts.

System Owner and Data Custodian Requirements#

System Owners and Data Custodians must implement, review, and monitor internal password policies.

General Password Requirements#

• No generic or shared passwords.
• Passwords must not be displayed during entry.
• Passwords must not be hard-coded in scripts or code.

Require Authentication to Login#

• Systems must require a password or approved authentication for login.

Initial and Default Password Changes#

• Initial and vendor-supplied passwords must require immediate change upon first use.

Password History and Reuse#

• Users cannot reuse the last five passwords.

Password Complexity#

• Minimum of 12 characters; disallow passwords from previous breaches, dictionary words, repetitive/sequential characters, and service/username-specific terms.
• Contractual requirements may dictate additional complexity.
• Passwords expire every 90 days.

Electronic Transmission#

• Passwords must be encrypted when transmitted over networks.

Account Lockout after Authentication Failures#

• Lock accounts after five consecutive invalid login attempts.

Logging#

• Implement logging for successful and failed login attempts.

Possible Password Length#

• Systems must support at least 32-character passwords.

Changing Password after Compromise or Disclosure#

• Promptly reset passwords if compromised or disclosed to unauthorized parties.

Not Storing Passwords in Applications#

• Applications must avoid storing passwords; if unavoidable, passwords must not be stored in plaintext.

Unique User Accounts and Passwords#

• Applications must support unique accounts so users do not share passwords.

Use DefectDojo ID and Password Whenever Possible#

• Use DefectDojo user identity and password instead of creating separate IDs.

Administrative and Privileged Account Password and Lockout Requirements#

• Minimum 15-character alphanumeric password including uppercase, lowercase, and special characters.
• Unlocking occurs only via service tool/portal.

Administrative and Privileged Account Management Use Requirements#

• Privileged accounts are not for day-to-day use; regular accounts should be used.
• Credentials stored in DefectDojo Password Vault (BitWarden) and access restricted to authorized personnel.
• Usage must be documented, ideally via a check-in/check-out process.

Service Account Requirements#

• Minimum 30-character alphanumeric password with uppercase, lowercase, and special character.
• Passwords expire at least annually.
• Every service account must have an identified owner.

Relevant Documents#

• Access Control Policy
• Exceptions Policy