Password Policy
Last updated: 29 December 2023

Policy Statement
All users of Samaritan are responsible for safeguarding their system access login and password credentials, and must comply with the password parameters and standards identified in this policy. Passwords must not be shared with or made available to anyone in any manner that is not consistent with this policy and procedure. Any capitalized term used and not otherwise defined herein has the meaning assigned to it in the Privacy Policy.

Reason for Policy
Assigning unique user logins and requiring password protection is one of several primary safeguards employed to restrict access to the Samaritan network and the data stored within it to only authorized users. If a password is compromised, access to information and systems can be obtained by an unauthorized individual, either inadvertently or maliciously. Individuals with logins are responsible for safeguarding against unauthorized access to their account, and as such, must conform to this policy in order to ensure passwords are kept confidential and are designed to be complex and difficult to breach. The parameters in this policy are designed to comply with industry, legal, and regulatory standards.

Entities Affected by this Policy
All Samaritan Users, customers of Samaritan Users, and employees of Lucus Labs, including system and application admins.

Who Should Read this Policy
All individuals provided with a login for accessing Samaritan.

1. Individual Responsibilities
Individuals are responsible for keeping passwords secure and confidential. As such, the following principles must be adhered to for creating and safeguarding passwords:

  • Passwords must never be shared with another individual for any reason or in any manner not consistent with this policy.
  • Employees, including system admins, sales reps, or other Samaritan or Lucus Labs individuals, will never ask anyone for their password. If you are asked to provide your password to an individual, or to sign into a system and give someone else access under your login, you are obligated to report this to Samaritan Security using one of the methods outlined in Section 9 - Reporting a Suspected Compromise or Breach.
  • Passwords must never be written down and left in a location easily accessible or visible to others. This includes both paper and digital formats on untagged (unsupported) devices. Passwords may be stored in a secure password manager, such as LastPass, as long as the master password is kept private and meets the requirements in Section 3 - Password Requirements herein.
  • Individuals must never leave themselves logged into an application or system where someone else can unknowingly use their account.
  • In the event a password needs to be issued to a remote user or service provider, the password must be sent with proper safeguards (e.g., shared via a secure password manager or sent via an encrypted messaging system).
  • If a password needs to be shared for servicing, Samaritan Security should be contacted for authorization and appropriate instruction.
  • Passwords must be unique and different from passwords used for other personal services (e.g., banking, social media, email, etc).
  • Passwords must meet the requirements outlined in this policy.
  • Passwords must be changed at the regularly scheduled time interval (as defined in Section 4 - Password Expiration herein, where applicable) or upon suspicion or confirmation of a compromise.
  • Individuals with access to service accounts (such as those used for integrations with Samaritan's APIs) or test accounts must ensure the account password complies with this policy and must keep the password stored in a secure password manager.
  • In the event a breach or compromise is suspected, the incident must be reported to Samaritan Security immediately using one of the methods outlined in Section 9 - Reporting a Suspected Compromise or Breach.
2. Responsibilities of Systems Processing Passwords
All Samaritan systems, including servers, applications, and websites hosted by or for Lucus Labs, must be designed to accept passwords and transmit them with proper safeguards (e.g., only over an encrypted transport such as TLS).

  • Passwords must never be stored in clear, readable format, and never with reversible encryption: they must be stored only as salted one-way hashes produced by a password hashing function designed to be slow (e.g., bcrypt, scrypt, Argon2, or PBKDF2).
  • Passwords must never be stored as part of a login script, program, or automated process.
  • Systems storing or providing access to confidential data or remote access must be secured with multi-factor authentication.
  • Password hashes (irreversible encoded values) must never be accessible to unauthorized individuals.
  • Each stored hash must use its own salt (added randomness) generated from a cryptographically secure random source, so that identical passwords do not produce identical hashes and precomputed lookup tables cannot be used against the password store.
  • Where any of the above items are not supported, a variance request should be submitted to Samaritan Security for review. Appropriate authorizations and access control methods must be implemented to ensure only a limited number of authorized individuals have access to readable passwords.
3. Password Requirements
The following parameters are the minimum requirements for passwords on all individual accounts. Passwords must:

  • Be at least ten (10) characters long;
  • Contain at least 1 upper case letter;
  • Contain at least 1 lower case letter;
  • Contain at least 1 number;
  • Contain at least 1 special character (e.g., !@#$%^&*-_+=);
  • Not be the same as any of the user's last four (4) passwords used for accessing Samaritan;
  • Not be based on anything somebody else could easily guess or obtain using person-related information (e.g., names, telephone numbers, dates of birth, etc.);
  • Not be vulnerable to a dictionary attack, including once common letter-to-symbol substitutions are undone (see Section 7 - Recommendations for Creating Compliant Passwords).
4. Password Expiration
All users of Samaritan, whether employed by Samaritan or Lucus Labs or not, must adhere to regular password changes and rules as defined below. Samaritan Security reserves the right to reset a user's password in the event a compromise is suspected, reported, or confirmed. This helps prevent an attacker from making use of a password that may have been discovered or otherwise disclosed.

  • Passwords must be changed upon suspicion or confirmation of compromise.
  • New passwords must comply with the criteria in Section 3 - Password Requirements.
  • Passwords for accounts other than service accounts must be changed every ninety (90) days.
  • Passwords should not be changed more than one (1) time per day.
  • At least four (4) characters must be changed when new passwords are created.
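The storage rules in Section 2 and the checks in Sections 3 and 4 (length and character classes, dictionary words, personal information, the last-four history, at least four characters changed) can be implemented together. The following is an added example in Python, not code from the Samaritan product or from Lucus Labs; the scrypt parameters, the five-word stand-in dictionary, the substitution table and the `Credential` class are this example's own assumptions:

```python
"""Added example (not the policy's or Lucus Labs' code): password storage and
policy checks for Sections 2-4. Work factor, word list and LEET table are assumed."""
from __future__ import annotations

import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field

MIN_LENGTH = 10        # Section 3
HISTORY_DEPTH = 4      # Section 3: not one of the last four passwords
MIN_EDITS = 4          # Section 4: at least four characters must change
SCRYPT = dict(n=2 ** 14, r=8, p=1, dklen=32)   # assumed work factor, ~16 MiB

# Constructed stand-in for a real dictionary / breached-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "samaritan"}
# Undo the usual "secret code" substitutions before the dictionary check:
# cracking rule sets already try them, so they must not count as protection.
LEET = str.maketrans("0134578$@!", "oieastbsai")


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted, memory-hard, one-way hash (Section 2). A fresh random salt per
    password means two users with the same password get different digests."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, for the 'at least four characters changed' rule."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def policy_violations(candidate: str, personal_info=(), current: str | None = None,
                      history=()) -> list[str]:
    """Every Section 3/4 rule the candidate breaks; an empty list means compliant.
    `history` holds (salt, digest) pairs of previous passwords, newest last."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("fewer than 10 characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no special character")
    normalised = candidate.lower().translate(LEET)
    if any(word in normalised for word in COMMON_WORDS):
        problems.append("based on a dictionary word")
    if any(p and p.lower() in candidate.lower() for p in personal_info):
        problems.append("contains personal information")
    if current is not None and edit_distance(current, candidate) < MIN_EDITS:
        problems.append("fewer than 4 characters changed")
    if any(verify_password(candidate, s, d) for s, d in list(history)[-HISTORY_DEPTH:]):
        problems.append("reused one of the last 4 passwords")
    return problems


@dataclass
class Credential:
    salt: bytes
    digest: bytes
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # previous (salt, digest)

    @classmethod
    def create(cls, password: str, personal_info=()) -> Credential:
        problems = policy_violations(password, personal_info)
        if problems:
            raise ValueError("; ".join(problems))
        return cls(*hash_password(password))

    def change(self, current: str, new: str, personal_info=()) -> None:
        """Section 8 flow: the current password is re-entered, so it can be
        verified and used for the edit-distance and history checks."""
        if not verify_password(current, self.salt, self.digest):
            raise PermissionError("current password incorrect")
        previous = self.history + [(self.salt, self.digest)]
        problems = policy_violations(new, personal_info, current, previous)
        if problems:
            raise ValueError("; ".join(problems))
        self.history = previous[-HISTORY_DEPTH:]
        self.salt, self.digest = hash_password(new)
```

The server never keeps a password: `Credential` holds one salt and digest plus the (salt, digest) pairs of up to four earlier passwords, which is all the history rule needs. Because the change flow mirrors Section 8 (the user re-enters the current password), that password can be verified with a constant-time comparison and used for the edit-distance check without ever being stored. `policy_violations("P@ssw0rd1!")` returns `['based on a dictionary word']` even though every character class is present, because the substitutions are undone before the dictionary lookup.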
4.1 Service Accounts and Test Accounts
Service accounts are accounts used by a system, task, process, or integration for a specific purpose. Test accounts are accounts used on a temporary basis to imitate a role, person, or training session. Passwords for service accounts and test accounts must be securely generated in accordance with this policy, distributed securely to the account owner, and stored securely in a password manager.

  • Passwords must be changed upon suspicion or confirmation of compromise.
  • Passwords must be changed when an account owner leaves the institution or transfers into a new role.
  • Passwords must comply with the criteria in Section 3 - Password Requirements.
5. Account Lockout
In order to limit attempts at guessing passwords or compromising accounts, an account lockout policy is in effect for all systems.

  • Accounts will lockout after three (3) invalid password attempts.
  • Accounts will remain locked until a company admin or a Samaritan admin unlocks the account.
  • User sessions that have been idle for fifteen (15) minutes will be reset, requiring the user to re-log into their account.
6. Mobile Devices
Mobile devices accessing, storing, or transmitting Samaritan data, such as smartphones and tablets, shall be registered with Samaritan and managed by the mobile device management (MDM) platform. Mobile devices are required to comply with the criteria in Section 3 - Password Requirements.

Biometric authentication (e.g., facial or fingerprint recognition) on mobile devices may be used to unlock the device, but a compliant password must still be established.

Some device manufacturers impose increasing delays after several unsuccessful unlock attempts and may erase the mobile device after a set number of failures (for example, after ten (10) invalid password attempts).

7. Recommendations for Creating Compliant Passwords
In order to create a password that is compliant with the parameters specified in this policy, use one of the methods outlined below.

7.1 Use a Passphrase
A passphrase is similar to a password but is generally longer and consists of a sequence of words or other text, which makes it easier to remember. A longer passphrase that mixes character types is exponentially harder to guess than a shorter password, because every added character multiplies the number of candidates an attacker must try. Note, however, that passphrases built on commonly referenced quotes, lyrics, or other sayings are easily guessable, since attackers include them in their word lists. Passphrases should therefore be neither famous phrases nor built from information personal to you (names, dates, places), as the latter can be gathered and used in a targeted guessing attack.

  • Choose a sentence, phrase, or a series of random, disjointed, and unrelated words.
  • Use a phrase that is easy to remember. Examples:
    • Password: When I was 15, I learned to play the guitar.
    • Password: I've owned 3 red cars.
    • Password: Snorkel frisbee 5-iron 3-wood!
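The "series of random, disjointed, and unrelated words" recommended above is best produced by a machine rather than chosen by a person, because people tend to pick related words. The following is an added example in Python and not part of the policy; the sixteen-word list and the separator set are constructed for illustration, and the entropy function shows why the size of the word list matters:

```python
"""Added example (not from the policy): Section 7.1-style passphrases from
random words. WORDS and SEPARATORS are constructed for illustration."""
import math
import secrets

WORDS = ["snorkel", "frisbee", "lantern", "cactus", "pillow", "walnut", "tundra",
         "comet", "velvet", "anchor", "maple", "quartz", "saddle", "nimbus",
         "orbit", "harbor"]          # 16 words -> 4 bits per word
SEPARATORS = "-_+=*!"                # taken from the Section 3 special-character list


def entropy_bits(n_words: int, wordlist_size: int = len(WORDS)) -> float:
    """Entropy of the word part alone: each word is one of `wordlist_size`
    equally likely choices, so n words give n * log2(size) bits."""
    return n_words * math.log2(wordlist_size)


def generate_passphrase(n_words: int = 4, words=WORDS) -> str:
    """Pick words with the CSPRNG (`secrets`, never `random`), join them with a
    random separator, capitalise the first word and append a random two-digit
    number so the result also satisfies the Section 3 character-class rules."""
    chosen = [secrets.choice(words) for _ in range(n_words)]
    chosen[0] = chosen[0].capitalize()
    sep = secrets.choice(SEPARATORS)
    return sep.join(chosen) + sep + f"{secrets.randbelow(100):02d}"


if __name__ == "__main__":
    print(generate_passphrase())
    print(f"{entropy_bits(4):.1f} bits from this list, "
          f"{entropy_bits(4, 7776):.1f} bits from a 7,776-word list")
```

Four words from this 16-word list give only 16 bits (about 65,000 candidates), which a dictionary attack exhausts instantly; four words from a 7,776-word list, the size of common diceware lists, give about 51.7 bits. The capital letter, digits and separator satisfy the Section 3 character classes but add little entropy; the words, and the size of the list they are drawn from, are what make the passphrase hard to guess.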
7.2 Use a Secret Code
A secret code can be used in conjunction with the previous method by substituting numbers or symbols for some letters. Combining these methods makes it easy to incorporate all four character types required by Section 3 - Password Requirements. Note that the standard substitutions (a to @, s to $, o to 0, e to 3, i to 1) are built into common password-cracking rule sets, so they add little strength on their own; the length of the underlying phrase is what makes the result hard to guess.

  • Use a phrase that is easy to remember.
  • Capitalize the first letter of every word.
  • Substitute numbers or symbols for some letters.
  • Incorporate spaces or substitute with a different character (such as |, +, -, _, *, etc). Examples:
    • Phrase: "When I Was 5, I Learned How 2 Ride A Bike."
    • Password: WhenIwa$5,Ilh0wt0rab1k3.
8. Password Reset Options
You can change or reset your password in the Settings section of Samaritan: log in, click the gear icon in the bottom-left corner, then click "Update Password" at the bottom-left. You will be required to re-enter your current password before updating it to a new one. If you have forgotten your password, contact your company admin or Samaritan Support, where you will be required to verify your identity by other means (e.g., by providing your name and email address). You can also request a password reset at https://symbient.ai/lostpassword and follow the instructions.

9. Reporting a Suspected Compromise or Breach
If you believe your password has been compromised, or if you have been asked to provide your password to another individual, including Samaritan Support or anyone else, promptly notify any of the following support teams:


You can also notify us from our website at https://symbient.ai/#contact

Filing or reporting a security incident can always be done without fear or concern for retaliation.