Policy Statement
All users of S:AI - Password Policy are responsible for safeguarding their system access login and
password credentials, and must comply with the password parameters and standards identified
in this policy. Passwords must not be shared with or made available to anyone in any manner
that is not consistent with this policy and procedure. Any capitalized term used and not
otherwise defined herein has the meaning assigned to it in the
Privacy Policy.
Reason for Policy
Assigning unique user logins and requiring password protection is one of several primary safeguards
employed to restrict access to the S:AI - Password Policy network and the data stored within it to only authorized
users. If a password is compromised, access to information and systems can be obtained by an unauthorized
individual, either inadvertently or maliciously. Individuals with logins are responsible for safeguarding
against unauthorized access to their account, and as such, must conform to this policy in order to ensure
passwords are kept confidential and are designed to be complex and difficult to breach. The parameters in
this policy are designed to comply with industry, legal, and regulatory standards.
Entities Affected by this Policy
All S:AI - Password Policy Users, customers of S:AI - Password Policy Users, and employees of Lucus Labs, whether system or application admins.
Who Should Read this Policy
All individuals provided with a login for accessing S:AI - Password Policy.
1. Individual Responsibilities
Individuals are responsible for keeping passwords secure and confidential. As such, the following
principles must be adhered to for creating and safeguarding passwords:
-
Passwords must never be shared with another individual for any reason or in any manner not consistent
with this policy.
-
Employees, including system admins, sales reps, or other S:AI - Password Policy or Lucus Labs individuals, will never
ask anyone for their password. If you are asked to provide your password to an individual or sign
into a system and provide access to someone else under your login, you are obligated to report this to
S:AI - Password Policy Security using one of the methods outlined in the Procedures section below.
-
Passwords must never be written down and left in a location easily accessible or visible to others. This
includes both paper and digital formats on untagged (unsupported) devices. Passwords may be stored in a
secure password manager, such as LastPass, as long as the master password is kept private and meets the
requirements in Section 3 - Password Requirements herein.
-
Individuals must never leave themselves logged into an application or system where someone else can
unknowingly use their account.
-
In the event a password needs to be issued to a remote user or service provider, the password must be
sent with proper safeguards (e.g., shared via a secure password manager or sent via an encrypted messaging
system).
-
If a password needs to be shared for servicing, S:AI - Password Policy Security should be contacted for authorization
and appropriate instruction.
-
Passwords must be unique and different from passwords used for other personal services (e.g., banking,
social media, email, etc).
-
Passwords must meet the requirements outlined in this policy.
-
Passwords must be changed at the regularly scheduled time interval (as defined in Section 4 - Password
Expiration herein, where applicable) or upon suspicion or confirmation of a compromise.
-
Individuals with access to service accounts (such as those used for integrations with S:AI - Password Policy's APIs) or
test accounts must ensure the account password complies with this policy and must keep the password stored
in a secure password manager.
-
In the event of a breach or compromise is suspected, the incident must be reported to S:AI - Password Policy Security
immediately using one of the methods outlined in the Procedures section below.
2. Responsibilities of Systems Processing Passwords
All S:AI - Password Policy systems - including servers, applications, and websites that are hosted by or for Lucus Labs,
must be designed to accept passwords and transmit them with proper safeguards.
-
Passwords must never be stored in clear, readable format (encryption must always be used).
-
Passwords must never be stored as part of a login script, program, or automated process.
-
Systems storing or providing access to confidential data or remote access must be secured with multi-factor
authentication.
-
Password hashes (irreversible encoded values) must never be accessible to unauthorized individuals.
-
Where possible, salted hashes (irreversible encoded values with added randomness) should be used for
password encryption.
-
Where any of the above items are not supported, a variance request should be submitted to S:AI - Password Policy
Security for review. Appropriate authorizations and access control methods must be implemented to
ensure only a limited number of authorized individuals have access to readable passwords.
3. Password Requirements
The following parameters indicate the minimum requirements for passwords for all individual accounts where
passwords are:
-
At least ten (10) characters;
-
Contain at least 1 upper case letter;
-
Contain at least 1 lower case letter;
-
Contain at least 1 number;
-
Contain at least 1 special character (e.g., !@#$%^&*-_+=);
-
Not be the same as any of the user's last four (4) passwords used for accessing S:AI - Password Policy;
-
Not based on anything somebody else could easily guess or obtain using person-related information
(e.g., names, telephone numbers, dates of birth, etc);
-
Not vulnerable to a dictionary attack (see Section 7 - Recommendations for Creating Compliant Passwords);
4. Password Expiration
All users of S:AI - Password Policy, whether employed by S:AI - Password Policy or Lucus Labs or not, must adhere to regular password changes
and rules as defined below. S:AI - Password Policy Security reserves the right to reset a user's password in the event a
compromise is suspected, reported, or confirmed. This helps prevent an attacker from making use of a password
that may have been discovered or otherwise disclosed.
-
Passwords must be changed upon suspicion or confirmation of compromise.
-
New passwords must comply with the criteria in Section 3 - Password Requirements.
-
Passwords that are not service accounts must be changed every ninety (90) days.
-
Passwords should not be changed more than one (1) time per day.
-
At least four (4) characters must be changed when new passwords are created.
-
New passwords must comply with the criteria defined in Section 3 - Password Requirements.
Service Accounts and Test Accounts
Service accounts are accounts used by a system, task, process, or integration for a specific purpose. Test
accounts are accounts used on a temporary basis to imitate a role, person, or training session. Passwords
for service accounts and test accounts must be securely generated in accordance with this policy, distributed
securely to the account owner, and stored securely in a password manager.
-
Passwords must be changed upon suspicion or confirmation of compromise.
-
Passwords must be changed when an account owner leaves the institution or transfers into a new role.
-
Passwords must comply with the criteria in Section 3 - Password Requirements.
5. Account Lockout
In order to limit attempts at guessing passwords or compromising accounts, an account lockout policy is in
effect for all systems.
-
Accounts will lockout after three (3) invalid password attempts.
-
Accounts will remain locked until a company admin or a S:AI - Password Policy admin unlocks the account.
-
User sessions that have been idle for fifteen (15) minutes will be reset, requiring the user to re-log
into their account.
6. Mobile Devices
Mobile devices accessing, storing, or transmitting S:AI - Password Policy data, such as smartphones and tablets, shall be
registered with S:AI - Password Policy and managed by the mobile device management (MDM) platform. Mobile devices are required
to comply with the criteria in Section 3 - Password Requirements.
Biometric authentication (e.g., facial or fingerprint recognition) on mobile devices may be used to unlock the
device, but a compliant password must still be established.
In certain situations, some device manufacturers may automatically impose time limitations after several unsuccessful
password attempts before erasing the mobile device (such as after ten (10) invalid password attempts).
7. Recommendations for Creating Compliant Passwords
In order to create a password that is compliant with the parameters specified in this policy, use one of the methods
outlined below.
7.1 Use a Passphrase
A passphrase is similar to a password, but is generally longer and contains a sequence of words or other text to make
the passphrase more memorable. A longer passphrase that is combined with a variety of character types is exponentially
harder to breach than a shorter password. However, it is important to note that passphrases that are based on commonly
referenced quotes, lyrics, or other sayings are easily guessable. While passphrases should not be famous quotes or phrases,
they should also not be unique to you as this may make them more susceptible to compromise or password-guessing attacks.
-
Choose a sentence, phrase, or a series of random, disjointed, and unrelated words.
-
Use a phrase that is easy to remember. Examples:
-
Password: When I was 15, I learned to play the guitar.
-
Password: I've owned 3 red cars.
-
Password: Snorkel frisbee 5-iron 3-wood!
7.2 Use a Secret Code
A secret code can be used in conjunction with the previous methods simply by substituting letters for other numbers or symbols.
Combining these methods will make it easy to incorporate the four character types in order to meet the password complexity requirements.
-
Use a phrase that is easy to remember.
-
Capitalize the first letter of every word.
-
Substitute letters for numbers or symbols.
-
Incorporate spaces or substitute with a different character (such as |, +, -, _, *, etc). Examples:
-
Phrase: "When I Was 5, I Learned How 2 Ride A Bike."
-
Password: WhenIwa$5,Ilh0wt0rab1k3.
8. Password Reset Options
You can change or reset your password in the Settings section of S:AI - Password Policy by first logging into the system, then clicking the
gear icon in the bottom-left corner, and clicking "Update Password" at the bottom-left. You will be required to re-enter your
current password before updating it to a new password. If you have forgotten your password, you can contact your company
admin or S:AI - Password Policy Support where you'll be required to authenticate your identity by other means (e.g, by providing your
name and email address). You can also request your password to be reset by going to
https://symbient.ai/lostpassword and following the instructions.
9. Reporting a Suspected Compromise or Breach
If you believe your password has been compromised, or if you have been asked to provide your password to another individual,
including S:AI - Password Policy Support or other, promptly notify any of the following support teams:
-
S:AI - Password Policy Security
-
S:AI - Password Policy Support
You can also notify us from our website at
https://symbient.ai/#contact
Filing or reporting a security incident can always be done without fear or concern for retaliation.