Password Management Policy
1. Purpose
To define requirements for the creation, management, and protection of passwords used to access Synthetic Users systems and data, ensuring account security and reducing the risk of unauthorized access.
2. Scope
This policy applies to all employees, contractors, and third-party users who access Synthetic Users systems, applications, and data, including environments such as Heroku, AWS, GitHub, Notion, and Intercom.
3. Policy Overview
Synthetic Users primarily uses Single Sign-On (SSO) integrated with Multi-Factor Authentication (MFA) to manage user access. Password use is limited to systems that do not support SSO.
4. Password Creation and Management Requirements
• Passwords must contain a minimum of 12 characters, including a mix of uppercase, lowercase, numbers, and special characters.
• Passwords must not be reused across different systems or accounts.
• Passwords must not contain easily guessable information, such as names, birthdays, or company-related words.
• When passwords are required, they must be stored and managed in a company-approved password manager (e.g., 1Password or Bitwarden).
• For non-SSO accounts, system-enforced password rotation occurs every 12 months, and passwords must also be rotated whenever a security incident is suspected.
5. Multi-Factor Authentication (MFA)
• MFA is mandatory for all accounts that support it.
• MFA must be enabled via a secure second factor, such as an authenticator app or hardware token.
6. Password Sharing and Confidentiality
• Passwords must never be shared, written down, or transmitted in plain text.
• Shared system accounts are prohibited unless technically required and approved by management. In such cases, credentials must be stored securely and changed immediately after use.
7. Compromise and Incident Response
• Users must immediately report any suspected password compromise or unauthorized account activity to IT administration.
• Compromised passwords must be changed immediately across all affected systems.
8. Enforcement and Review
• Violations of this policy may result in disciplinary action.
• This policy will be reviewed annually and updated as needed to align with evolving security best practices.
Implementation Tips
• Password Manager: Use a single, approved password manager to enforce complexity and sharing rules.
• SSO-First: Default all system access to SSO and deprecate local passwords wherever possible.
• Security Training: Remind staff quarterly about password hygiene and phishing awareness.