Authorized User Password Policy

2025.1

Reviewed: 12/02/2024
Updated: 12/02/2024

Purpose and Scope:

1. The Password Policy describes the procedure to select and securely manage passwords.
2. This policy applies to authorized users of IMPLAN products; an authorized user is any user that has signed up for an account or had one created for them by IMPLAN personnel
3. This policy applies to authorized users whose user accounts are stored within the IMPLAN managed user database

Background:

1. IMPLAN uses Auth0 for user authentication and management.

Controls and Procedures

Authorized User Password Policy

1. Creation requirements
   a. Create passwords with no fewer than 8 characters, which include characters in three of the four following categories:

   • Upper case letters
   • Lower case letters
   • Numbers
   • Special characters

   b. A password history of five passwords is enforced. Authorized users may not use a password that is one of their past five.

2. Password storage
   a. Authorized user passwords are stored in the user database provided by Auth0
   b. Passwords are encrypted with bcrypt
   c. Passwords are salted and hashed
   d. IMPLAN employees never have access to authorized user passwords

3. Password resets
   a. Password resets can initiated from sign in portal, reachable from https://implan.com

4. Multi Factor Authentication (MFA) is available for all authorized users and is enforced by default.
   a. MFA must use either a one-time password (OTP) or SMS authentication.

5. Single Sign-on
   a. Single Sign-on is provided by IMPLAN as an option to the IMPLAN Cloud.
   b. Customers authenticating to IMPLAN's products using their organization's user store will be governed by the organization's password policies.