Password Policy

Password Management (Policy No: 2) 

  1. Overview 

Passwords are an important aspect of computer security. They are the front line of protecting user accounts. A poorly chosen password may result in a compromise of the City of Brunswick's (COB) entire network. As such, all COB employees (including contractors and vendors with access to City of Brunswick systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their password.

  2. Purpose

This policy provides guidelines for consistent and secure management of passwords for employees, systems, and service accounts. These guidelines include mandates on how passwords should be generated, used, stored, deleted, and changed. 

  3. Scope

This policy's scope includes all personnel responsible for an account (or any form of access that supports or requires a password) on any system that resides at any COB network and/or server locations. 

  4. Policy

4.1. General

  • All system-level passwords (e.g., root, enable, network administrator, application administration accounts, etc.) must be changed at least every 180 days.
  • All user-level passwords (e.g., email, web, desktop computer, accounts, etc.) must be changed at least every 90 days and cannot reuse the past 10 passwords.
  • Passwords must not be inserted into email messages or other forms of electronic communication. 
  • All system-level and user-level passwords must conform to the guidelines described below. 

4.2. Guidelines 

Password Construction Requirements 

  • Be a minimum length of eight (8) or more characters on all systems. 
  • Not be the same as the User ID. 
  • Expire within a maximum of 90 calendar days. 
  • Not be identical to the previous ten (10) passwords. 
  • Not be transmitted in the clear or plaintext outside the secure location/area.
  • Not be displayed when entered. 
  • Ensure passwords are only reset by authorized user(s). 
  • Password must have upper case, lower case, numbers, and special characters included. 

4.3. Password Deletion 

All passwords that are no longer needed must be deleted or disabled immediately. This includes, but is not limited to, the following: 

  • When a user retires, quits, is reassigned, released, dismissed, etc. 
  • Default passwords shall be changed immediately on all equipment. 
  • Contractors/vendor accounts, when no longer needed to perform their duties. 

When a password is no longer needed, the following procedures should be followed: 

  • Employees should notify their immediate supervisor.
  • Contractor(s)/vendor(s) should inform their point-of-contact (POC).
  • Supervisor/POC should contact the IT Department Supervisor/Manager/Team of City of Brunswick. They will then delete the user’s password and delete or suspend the user’s account. 

4.4. Password Protection Standards

Do not use your User ID as your password. Do not share COB passwords with anyone, including administrative assistants, secretaries, co-workers, etc. All passwords are to be treated as sensitive, confidential COB information. 

Here is a list of “do nots.” 

  • Don’t reveal a password over the phone to anyone. 
  • Don’t reveal a password in a mail message. 
  • Don’t reveal a password to co-workers. 
  • Don’t talk about passwords in front of others. 
  • Don’t hint at the format of a password (e.g., “my family name”).
  • Don’t reveal a password on questionnaires or security forms.
  • Don’t share a password with family members. 
  • Don’t reveal a password to a co-worker while on vacation. 
  • Don’t use the “Remember Password” feature of applications.
  • Don’t write down passwords and store them anywhere in your office. 
  • Don’t store passwords in a file on ANY computer system unencrypted. 
  • Passwords must not be stored on paper, or in an electronic file, hand-held device, or browser, unless they can be stored securely and the method of storing (e.g., password vault) has been approved by the ISO/designated security representative. 

If someone demands a password, refer them to this document or have them call COB IT Department: (912)-267-5535. 

If an account or password is suspected to have been compromised, report the incident to the COB IT Department: (912)-267-5535. 

  1.  Penalties 

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment in accordance with the Assistant City Manager and HR Manager.  

4.6. History 

Initial Draft – April, 2024 

Approved - 

The COB reserves the right to update or modify the above terms at any time without prior notice. The use of the services following any such update or modification constitutes the user’s agreement to follow and be bound by these terms as modified. For this reason, we encourage users to review this policy.