Password Management Process
Vertic manages a range of passwords that require complex generation, secure storage and controlled access. Our chosen platform for managing passwords is Bitwarden (http://www.bitwarden.com), which allows passwords to be shared securely across teams.
Passwords must be generated using Bitwarden and must adhere to the following rules:
| PARAMETER | VALUE |
| --- | --- |
| Minimum length | 8 |
| Maximum length | 64 |
| Re-use cycle | Cannot be the same as any of the previous 32 passwords |
| Characters required | At least one upper-case letter; at least one lower-case letter; at least one number; at least one symbol |
| Password similarity | New password cannot share more than three characters in the same position as the old password |
| Change frequency | No forced expiry / at least every X days |
| Account lockout | After five incorrect logon attempts |
| Account lockout action | Account must be re-enabled by [IT Service Desk] |
| Other controls | Password cannot contain the username; password must not be on a list of common passwords (e.g. Password1) |
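The rules in the table, expressed as a checker that a provisioning script or self-service password-change form could call. This is an added example written for this page, not Vertic's or Bitwarden's code; the denylist of common passwords and the sample inputs are constructed, and the history is kept as plaintext strings purely for illustration (a real store holds salted hashes and the re-use check is a hash verification).

```python
"""Password-policy checker for the rules in the table above.

Added example: illustrative code, not Vertic's or Bitwarden's tooling.
Thresholds come from the table; the denylist below is constructed.
"""
import string
from typing import Iterable, List, Optional

MIN_LENGTH = 8
MAX_LENGTH = 64
HISTORY_DEPTH = 32        # cannot match any of the previous 32 passwords
MAX_SAME_POSITION = 3     # at most 3 characters in the same position as the old password
SYMBOLS = set(string.punctuation)

# Constructed denylist; a real deployment loads a large breach-derived list
# and compares case-insensitively, as this check does.
COMMON_PASSWORDS = {"password", "password1", "qwerty123", "welcome1", "letmein"}


def same_position_overlap(old: str, new: str) -> int:
    """Number of positions i where old[i] == new[i], over the shorter length."""
    return sum(1 for a, b in zip(old, new) if a == b)


def check_password(new: str, username: str,
                   old: Optional[str] = None,
                   history: Iterable[str] = ()) -> List[str]:
    """Return every policy rule the candidate violates (empty list = accepted).

    `old` is the password being replaced. It is only available in plaintext
    at change time, which is the only point the positional-similarity rule
    can be enforced. `history` holds previous passwords (plaintext here for
    illustration; in production these are salted hashes).
    """
    problems: List[str] = []

    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(new) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")

    if not any(c.isupper() for c in new):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in new):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in new):
        problems.append("no number")
    if not any(c in SYMBOLS for c in new):
        problems.append("no symbol")

    if username and username.lower() in new.lower():
        problems.append("contains the username")
    if new.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")

    # Only the most recent HISTORY_DEPTH entries count towards the re-use rule.
    recent = list(history)[-HISTORY_DEPTH:]
    if new in recent:
        problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")

    if old is not None and same_position_overlap(old, new) > MAX_SAME_POSITION:
        problems.append(
            f"shares more than {MAX_SAME_POSITION} characters in the same "
            "position as the old password")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    print(check_password("Tr0ub4dor&3", "jan", old="Tr0ub4dor&2"))
    print(check_password("Password1", "jan"))
    print(check_password("x7#Lq9!mVp2R", "jan", old="Tr0ub4dor&3",
                         history=["Tr0ub4dor&3"]))
```

The positional-similarity rule is the one most implementations get wrong: it needs the outgoing password in plaintext, so it has to run inside the password-change flow (where the user has just typed the old password), not as a batch check over stored hashes.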
Each employee and direct contact will have their own login to this platform and will have access only to the passwords relevant to their work. At regular intervals, passwords will be renewed in accordance with Salesforce's user password policies. The following people have administration access to the password management platform:
Jan Tenenberg
Stephen Kent
Matt Romeo
David Fisher (Bitwarden Administrator)
All other personnel are registered as standard users with limited access rights. Further information on our access policies can be found here.
Ongoing Password Management Process
To minimise the risk of password exposure, Salesforce enforces a password expiry every 30 days. On expiry, each employee must set a new, unique password; Salesforce keeps a history of the last 3 passwords used by the account and rejects any of them. Note that this history depth is shorter than the 32-password re-use cycle in the table above, so the Salesforce setting should be raised towards the policy value where the platform allows it.
Using Bitwarden, employees generate a unique 14-character password that they use to log into Salesforce. Bitwarden also shows each employee whether an existing password has appeared in a known data breach; if it has, the employee is required to change their Salesforce login credentials immediately.