...
Scope:
This policy covers all user, application, system, and network level passwords, including those for web applications and servers. However, the implementation of this policy is subject to the capabilities of each system and application.
Effective Date:
1st January 2025
...
Responsibility and Accountability:
All individuals with access to the Company's systems must select strong, secure passwords and are responsible for keeping their passwords confidential.
Prohibited Use of Passwords:
Passwords must not be shared through non-secure channels, including but not limited to email, social media, and other forms of electronic communication not explicitly approved for secure information exchange.
Password Strength and Complexity:
Passwords must be at least 12 characters long and include a mix of uppercase letters, lowercase letters, numbers, and special characters. Passwords must not contain personal information, common dictionary words, or easily guessable sequences.
Initial Password Use and Change:
Password Expiry and History:
Passwords must be changed at least every 365 days. The system will remember the last 4 passwords, and they cannot be reused.
Frequency of Password Changes:
Users are encouraged to change their passwords more frequently if any suspicion of compromise arises. Mandatory password changes are required after any security incident.
Account Lockout Policy:
Accounts will be locked after five consecutive failed login attempts and will remain locked for 30 15 minutes to prevent unauthorized access through brute force attacks.
The failed-attempt counter resets only after the lockout duration stated above has elapsed.
Secure Password Storage:
Passwords must be stored securely using salted hashes to prevent unauthorized retrieval and decryption. Clear text storage of passwords is strictly prohibited.
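The complexity, history, lockout and storage rules above can be enforced in a single account model. The following Python block is an added example written for this page, not code belonging to the Company or to any product it uses. It assumes an in-memory `Account` record, a constructed list of common words standing in for a real breached-password list, PBKDF2-HMAC-SHA256 as the salted, slow hash, and a 15-minute lockout (the policy text lists both 30 and 15 minutes, so the duration is a parameter here). The failed-attempt counter is cleared when the lockout window elapses, as the policy states, and additionally on a successful login, which is an assumption this example makes.

```python
import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MIN_LENGTH = 12
HISTORY_DEPTH = 4            # the last 4 password hashes are retained
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60    # assumption: policy text gives both 30 and 15 minutes
PBKDF2_ITERATIONS = 100_000  # kept modest for the demo; production tuning is higher

# Constructed stand-in for a breached-password / dictionary list.
COMMON_WORDS = {"password", "welcome", "company", "letmein", "qwerty"}
GUESSABLE_SEQUENCES = re.compile(r"(0123|1234|2345|3456|4567|5678|6789|abcd|qwerty)")


def check_strength(password: str, personal_info: Tuple[str, ...] = ()) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    lowered = password.lower()
    for word in COMMON_WORDS:
        if word in lowered:
            problems.append(f"contains common word '{word}'")
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append("contains personal information")
    if GUESSABLE_SEQUENCES.search(lowered):
        problems.append("contains an easily guessable sequence")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; a fresh 16-byte random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    username: str
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # newest first
    failed_attempts: int = 0
    locked_until: float = 0.0


def reused_recently(account: Account, password: str) -> bool:
    """True if the candidate matches any of the retained (salt, digest) pairs."""
    return any(
        hmac.compare_digest(hash_password(password, salt)[1], digest)
        for salt, digest in account.history[:HISTORY_DEPTH]
    )


def set_password(account: Account, password: str, personal_info: Tuple[str, ...] = ()) -> List[str]:
    """Apply the strength and history rules; on success store only a salted hash."""
    problems = check_strength(password, personal_info)
    if problems:
        return problems
    if reused_recently(account, password):
        return [f"matches one of the last {HISTORY_DEPTH} passwords"]
    account.history.insert(0, hash_password(password))
    del account.history[HISTORY_DEPTH:]  # forget anything older than the retained window
    return []


def authenticate(account: Account, password: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'denied' or 'locked', applying the 5-attempt lockout."""
    now = time.time() if now is None else now
    if now < account.locked_until:
        return "locked"
    if account.locked_until and now >= account.locked_until:
        account.failed_attempts = 0  # counter resets once the lockout window has elapsed
        account.locked_until = 0.0
    if not account.history:
        return "denied"
    salt, digest = account.history[0]
    if hmac.compare_digest(hash_password(password, salt)[1], digest):
        account.failed_attempts = 0  # assumption: a successful login also clears the counter
        return "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked_until = now + LOCKOUT_SECONDS
        return "locked"
    return "denied"
```

Passing `now` explicitly makes the lockout behaviour testable without sleeping; a real service would take the clock from its own time source and persist `history`, `failed_attempts` and `locked_until` alongside the account record.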
Protection of Authentication Credentials:
Users must protect their passwords, PINs, security tokens, and other authentication methods. The use of password managers is recommended for secure password storage.
Password Reset:
Users are permitted to reset their passwords whenever necessary, especially if a compromise is suspected.
Web-Based Application Authentication:
All web-based applications must implement a secure authentication layer, with multi-factor authentication (MFA) strongly recommended for enhanced security.
Unattended Sessions:
Workstations must be configured to automatically lock after 30 minutes of inactivity to prevent unauthorized access.
...