Password Control Policy
Source basis
Ported from policies/Core 12 Security Policy - Password Control Standards.md in the legacy ISMS backup. Use this as the current maintained Markdown version and track operational records in core12-isms-management.
Core 12 passwords, passkeys, recovery codes, API keys, tokens, client secrets, private keys, MFA backup codes, and similar authentication material must be protected as security-sensitive information. They must be stored only in an approved password manager or approved secret-management system.
Potentially compromised passwords or secrets must be changed immediately and reported to the Information Security Officer.
Approved Tools
- Apple Passwords is the preferred password manager for Core 12 users and must be used when it can reasonably support the account, service, or shared-access workflow.
- 1Password and LastPass are acceptable password managers for individually assigned credentials when Apple Passwords is not practical or when a client, vendor, or approved business workflow requires one of those tools.
- Shared Core 12 passwords and shared access groups must use Apple Passwords. 1Password, LastPass, spreadsheets, documents, chat messages, email, tickets, or browser-only saved-password stores may not be used as the system of record for shared Core 12 credentials.
- Microsoft Authenticator and Google Authenticator are approved authenticator applications. Apple Passwords may also be used for passkeys and verification codes where supported.
- Authentication material must not be stored in unapproved files, notes, screenshots, source code, AI prompts, personal cloud drives, or exported password-manager files unless the export is explicitly approved for a time-limited migration or recovery activity.
Individual Credentials
- Individual credentials must be assigned to one person and must not be shared with another person.
- Users must store Core 12 passwords and secrets in an approved password manager rather than writing them down or saving them in unapproved locations.
- MFA must be enabled wherever the system supports it. Approved methods are passkeys, authenticator apps, platform authenticators, hardware security keys, or other Information Security Officer-approved methods. SMS and email codes may be used only when stronger MFA methods are not available.
- Passwords must be unique per system and generated by the approved password manager where possible.
- Passwords must meet the stronger of the system's own requirement and Core 12's minimum: at least 14 characters for manually created passwords, or at least 20 characters for generated passwords where the system supports it.
- Initial authentication information, temporary passwords, invite links, and recovery material must be changed or claimed promptly by the assigned user and then stored in the approved password manager.
- Password rotation is required when compromise is suspected, a person with access leaves or changes roles, a shared credential membership changes, a vendor requires rotation, or the Information Security Officer directs rotation. Routine rotation is not required solely because a password reached a fixed age when the credential is unique, strong, stored in an approved manager, and protected by MFA.
Shared Credentials and Apple Password Groups
- Shared credentials must be avoided when a system supports named user accounts, SSO, delegated administration, or role-based access.
- When shared credentials are required, the Information Security Officer or delegated service owner must approve the shared credential before use.
- Core 12 uses the Apple Account services@core12.com to create and administer Apple Passwords shared groups for company-managed shared credentials.
- The services@core12.com account manages shared-group membership and access assignment. Administrative access to this account must be limited to approved personnel, protected with MFA, and reviewed with other privileged accounts.
- Approved Apple Passwords shared groups are:
  - Admin
  - IT
  - Clients
  - Marketing
  - Team (all Core 12)
- The shared service owner is responsible for creating, maintaining, rotating, and removing the credential for the account they own and for sharing it only with the appropriate Apple Passwords group.
- Shared credentials must include enough context in the password-manager record for authorized users to identify the service, owner, use case, related client if applicable, and recovery requirements.
- Shared credentials must be removed from the group, rotated, or replaced when group membership changes create a risk, when an employee leaves Core 12, when access is no longer required, or when compromise is suspected.
Prohibited Shared Stores
- Shared password spreadsheets, including OneDrive Excel workbooks, are not approved shared-password stores.
- Existing shared-password spreadsheets must be migrated into the appropriate Apple Passwords shared group, then access to the spreadsheet must be removed or the spreadsheet must be securely retained only as approved historical evidence.
- The migration owner must verify that spreadsheet copies, exports, downloaded files, and local caches are removed where practical after migration.
Management Repo Use
- Track approved password managers, authenticator applications, and the services@core12.com shared-password administration model as IT service or access-control records in core12-isms-management.
- Track shared credential owners, group assignment decisions, exceptions, and reviews through service, personnel, or access-review records.
- Open risk records for shared credentials that cannot be replaced by named accounts, for missing MFA, for unapproved password-manager use, and for incomplete migration from legacy shared-password stores.