Skip to main content
Password Policy

Guidance for creating strong passwords & details on the protection of those passwords

Lauren Rolfe avatar
Written by Lauren Rolfe
Updated over a week ago


The purpose of this policy is to define the requirements for creating strong passwords, the protection of those passwords and the frequency of change. Usernames (for identification) used in combination with passwords (for authentication) are countermeasures for preventing unauthorised users from accessing sensitive information/facilities and for maintaining audit trails to facilitate accountability.


The scope of this policy applies to all personnel who have been given access to a WeThrive account, including employees, managers, and administrators.


  • Passwords must never be shared.

  • All default passwords must be changed immediately. Users must create their own password from the first time they are granted access.

  • Passwords must never appear in plain text on computer screens, written down on paper (e.g., yellow stickers), or stored on a location for fast access (e.g., Slack, Outlook etc.).

  • Passwords are stored in an encrypted format by WeThrive.

  • Usernames and passwords must not be scripted to enable automatic login.

  • Passwords should not be stored in browsers.

  • Individuals must make use of strong passwords that use a combination of upper/lowercase letters, numbers, and symbols, and have in mind that the longer they are in length, the more time it takes to an intruder to guess them.

  • A password history will be maintained to ensure that the new password will not be the same as any of the previous twenty-four (24) that have been used.

  • System configuration settings are set to require that system/session idle time out features have been set to a period of fifteen (15) minutes.

  • Employees must verify a user’s identity before performing any password resets.

  • Accounts must be locked for at least thirty (30) minutes or require a WeThrive employee to unlock them after 10 failed login attempts.

  • Access for terminated users must be revoked immediately.

  • Inactive user accounts must be removed or disabled at least every three months.

  • Any accounts used by vendors for remote support or maintenance must be enabled only during the period needed and then are disabled.

  • Passwords should be stored in a password manager.

  • All system level passwords e.g., root, admin accounts, must be changed frequently - at least every 90 days.

  • If an account or password is suspected to have been compromised, the password should be changed immediately.

Mandatory requirements


  • Each user must be assigned a unique and personal username.

  • Usernames must be logged by WeThrive when accessing a system’s resources.

  • Usernames must not be available for selection at the log-on screen of any information system. Additionally, usernames used for accessing an information system by a user must not be displayed or, where possible, be available to another user.


The following password formation shall meet the following complexity requirements:

  • The password must be no less than twelve (12) characters.

  • The password must contain characters from at least three of the following four categories:

    • Uppercase characters (A-Z).

    • Lowercase characters (a-z).

    • Base 10 digits (0-9).

    • Non-alphanumeric (i.e. !,%,@ etc.).

  • The password must be a non-dictionary word.

  • The password must not be based on family names, friends, pets etc.

  • It is strongly recommended to use passphrases. A pass phrase is a sequence of words that provide a bigger entropy in terms of guessing a password. A good passphrase example: I love to play squash becomes IL0ve2Play$qua£h.

Did this answer your question?