Password Policy
Last updated: 07 December 2023
Policy Statement
All users of Symbient Uptime are responsible for safeguarding their
system access login and password credentials and must comply with the
password parameters and standards identified in this policy. Passwords
must not be shared with or made available to anyone in any manner that
is not consistent with this policy and procedure.
Reason for Policy
Assigning unique user logins and requiring password protection is one of
several primary safeguards employed to restrict access to the Symbient
Uptime network and the data stored within it to only authorized users.
If a password is compromised, access to information and systems can be
obtained by an unauthorized individual, either inadvertently or
maliciously. Individuals with logins are responsible for safeguarding
against unauthorized access to their accounts, and as such, must conform
to this policy to ensure passwords are kept confidential and are
designed to be complex and difficult to breach.
Entities Affected By This Policy
All Symbient Uptime users, whether system admins, application merchants,
and/or customers.
Who Should Read This Policy
All individuals who are provided with a login for accessing Symbient
Uptime.
1. Individual Responsibilities
Individuals are responsible for keeping passwords secure and
confidential. As such, the following principles must be adhered to for
creating and safeguarding passwords:
- Passwords must never be shared with another individual for any reason or in any manner not consistent with this policy.
- Employees, including system admins, sales reps, or other Symbient Uptime or Lucus Labs individuals, will never ask anyone else for their password. If you are asked to provide your password to an individual or sign into a system and provide access to someone else under your login, you are obligated to report this to Symbient Uptime Security using one of the methods outlined in the Procedures section below.
- Passwords must never be written down and left in a location easily accessible or visible to others. This includes both paper and digital formats on untagged (unsupported) devices. Passwords may be stored in a secure password manager, such as LastPass, as long as the master password is kept private and meets the requirements in Section 3.
- Individuals must never leave themselves logged into an application or system where someone else can unknowingly use their account.
- In the event a password needs to be issued to a remote user or service provider, the password must be sent with proper safeguards (e.g., shared via a secure password manager or sent via an encrypted messaging system).
- If a password needs to be shared for servicing, Symbient Uptime Security should be contacted for authorization and appropriate instruction.
- Passwords must be unique and different from passwords used for other personal services (e.g., banking, social media, email, etc).
- Passwords must be changed at the regularly scheduled time interval (as defined in Section 4. Password Expiration herein, where applicable) or upon suspicion or confirmation of a compromise.
- Passwords must meet the requirements outlined in this policy.
- Individuals with access to service accounts (such as those used for integrations with Symbient Uptime's APIs) or test accounts must ensure the account password complies with this policy and must keep the password stored in a secure password manager.
- If a breach or compromise is suspected, the incident must be reported to Symbient Uptime Security immediately using one of the methods outlined in the Procedures section below.
2. Responsibilities of Systems Processing Passwords
All Symbient Uptime systems - including servers, applications, and
websites that are hosted by or for Lucus Labs - must be designed to
accept passwords and transmit them with proper safeguards.
- Passwords must never be stored in a clear, readable format (encryption must always be used).
- Passwords must never be stored as part of a login script, program, or automated process.
- Systems storing or providing access to confidential data or remote access must be secured with multi-factor authentication.
- Password hashes (irreversible encoded values) must never be accessible to unauthorized individuals.
- Where possible, salted hashes (irreversible encoded values with added randomness) should be used for password encryption.
- Where any of the above items are not supported, a variance request should be submitted to Symbient Uptime Security for review. Appropriate authorizations and access control methods must be implemented to ensure only a limited number of authorized individuals have access to readable passwords.
3. Password Requirements
The following parameters are the minimum requirements for passwords on
all individual accounts. Passwords must:
- Be at least ten (10) characters long
- Contain at least 1 upper case letter
- Contain at least 1 lower case letter
- Contain at least 1 number
- Contain at least 1 special character (e.g., !@#$%^&*-_+=)
- Not be the same as any of the user's last four (4) passwords used for accessing Symbient Uptime
- Not be based on anything somebody else could easily guess or obtain from personal information (e.g., names, telephone numbers, dates of birth, etc.)
- Not be vulnerable to a dictionary attack (see Section 7. Recommendations for Creating Compliant Passwords)
4. Password Expiration
All users of Symbient Uptime, whether employed by Symbient Uptime or
Lucus Labs or not, must adhere to regular password changes and rules as
defined below. Symbient Uptime Security reserves the right to reset a
user's password in the event a compromise is suspected, reported, or
confirmed. This helps prevent an attacker from making use of a password
that may have been discovered or otherwise disclosed.
- Passwords must be changed upon suspicion or confirmation of compromise.
- Passwords that are not service accounts must be changed every ninety (90) days.
- Passwords must not be changed more than one (1) time per day.
- At least four (4) characters must be changed when new passwords are created.
- New passwords must comply with the criteria defined in Section 3. Password Requirements.
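A validator for the rules in Sections 3 and 4 above, checking reuse against the salted, irreversible hashes Section 2 calls for. This is an added example, not part of the policy or of Symbient Uptime's systems; the PBKDF2 parameters, the treatment of any non-alphanumeric character as "special", the tiny word list and the sample history are all assumptions.

```python
import hashlib
import hmac
import os

# PBKDF2-SHA256 is an assumed choice; the policy only requires a salted, irreversible hash.
ITERATIONS = 200_000

def hash_password(password, salt=None):
    """Return (salt, digest) so the clear password is never stored (Section 2)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def matches(password, salt, digest):
    """Constant-time comparison of a candidate against a stored salted hash."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def changed_chars(old, new):
    """Positions that differ between current and new password; extra length counts as changed (assumption)."""
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))

def check_password(new, current=None, history=(), dictionary=()):
    """Return the Section 3/4 rules the proposed password violates (empty list means compliant)."""
    problems = []
    if len(new) < 10:
        problems.append("fewer than 10 characters")
    if not any(c.isupper() for c in new):
        problems.append("no upper case letter")
    if not any(c.islower() for c in new):
        problems.append("no lower case letter")
    if not any(c.isdigit() for c in new):
        problems.append("no number")
    # Any non-alphanumeric character counts as special (the policy's list is "e.g."); spaces qualify.
    if not any(not c.isalnum() for c in new):
        problems.append("no special character")
    # Dictionary check on letters only, lower-cased, so "Welcome2024!" still reduces to "welcome".
    letters = "".join(c for c in new if c.isalpha()).lower()
    if letters in {w.lower() for w in dictionary}:
        problems.append("dictionary word")
    # history holds (salt, digest) pairs from hash_password, oldest first; only the last four matter.
    if any(matches(new, salt, digest) for salt, digest in list(history)[-4:]):
        problems.append("same as one of the last four passwords")
    # The current password is available at change time because Section 8 requires re-entering it.
    if current is not None and changed_chars(current, new) < 4:
        problems.append("fewer than four characters changed")
    return problems

# Constructed sample data: a tiny word list (a real deployment would load a breached-password list)
# and a stored history of one previous password.
SAMPLE_DICTIONARY = ["password", "welcome", "symbient", "letmein"]
SAMPLE_HISTORY = [hash_password("OldPassw0rd!")]
```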
Service Accounts and Test Accounts
Service accounts are accounts used by a system, task, process, or
integration for a specific purpose. Test accounts are accounts used
temporarily to imitate a role, person, or training session. Passwords
for service accounts and test accounts must be securely generated under
this policy, distributed securely to the account owner, and stored
securely in a password manager.
- Passwords must be changed upon suspicion or confirmation of compromise.
- Passwords must be changed when an account owner leaves the institution or transfers into a new role.
- Passwords must comply with the criteria defined in Section 3. Password Requirements.
5. Account Lockout
To limit attempts at guessing passwords or compromising accounts, an
account lockout policy is in effect for all systems.
- Accounts will lock out after three (3) invalid password attempts.
- Accounts will remain locked until a merchant/company admin or a Symbient Uptime admin unlocks the account.
- User sessions that have been idle for fifteen (15) minutes will be reset, requiring the user to log back into their account.
6. Mobile Devices
Mobile devices accessing, storing, or transmitting Symbient Uptime data,
such as smartphones and tablets, shall be registered with Symbient
Uptime and managed by the mobile device management (MDM) platform.
Mobile devices are required to comply with the criteria in Section 3.
Password Requirements.
Biometric authentication (e.g., facial or fingerprint recognition) on
mobile devices may be used to unlock the device, but a compliant
password must still be established.
In certain situations, some device manufacturers may automatically
impose time limitations after several unsuccessful password attempts
before erasing the mobile device (such as after ten (10) invalid
password attempts).
7. Recommendations for Creating Compliant Passwords
To create a password that is compliant with the parameters specified in
this policy, use one of the methods outlined below.
7.1 Use a Passphrase
A passphrase is similar to a password, but is generally longer and
contains a sequence of words or other text to make the passphrase more
memorable. A longer passphrase that is combined with a variety of
character types is exponentially harder to breach than a shorter
password. However, it is important to note that passphrases that are
based on commonly referenced quotes, lyrics, or other sayings are easily
guessable. While passphrases should not be famous quotes or phrases,
they should also not be built from facts about you, as this may make
them more susceptible to compromise or password-guessing attacks.
- Choose a sentence, phrase, or a series of random, disjointed, and unrelated words.
- Use a phrase that is easy to remember. Examples:
  - Password: When I was 15, I learned to play the guitar.
  - Password: I've owned 3 red cars.
  - Password: Snorkel frisbee 5-iron 3-wood!
7.2 Use a Secret Code
A secret code can be used in conjunction with the previous methods
simply by substituting numbers or symbols for some letters. Combining
these methods makes it easy to incorporate the four character types
needed to meet the password complexity requirements.
- Use a phrase that is easy to remember.
- Capitalize the first letter of every word.
- Substitute numbers or symbols for some letters.
- Incorporate spaces or replace them with a different character (such as |, +, -, _, *, etc.). Example:
  - Phrase: When I was 5, I learned how 2 ride a bike.
  - Password: WhenIwa$5,Ilh0wt0rab1k3.
8. Password Reset Options
You can change or reset your password in the Settings section of
Symbient Uptime by first logging into the system, then clicking your
name in the top-right corner, and choosing Settings. You will be
required to re-enter your current password before updating it to a new
password. If you have forgotten your password, you can contact your
merchant/company admin or Symbient Uptime Support where you'll be
required to authenticate your identity by other means (e.g. by providing
your email address, name, and previous purchases or transactions). You
can also request your password to be reset by going to
https://symbient.online/lostpassword
and following the instructions.
9. Reporting a Suspected Compromise or Breach
If you believe your password has been compromised, or if you have been
asked to provide your password to another individual, including Symbient
Uptime Support or others, promptly notify any of the following support
teams:
- Symbient Uptime Security
  - Email: security@symbient.online
- Symbient Uptime Support
  - Email: support@symbient.online
You can also notify us from our website at
https://symbient.online/#contact
Filing or reporting a security incident can always be done without fear
or concern for retaliation.