Authorized User Password Policy
2025.1
Reviewed: 12/02/2024
Updated: 12/02/2024
Purpose and Scope:
- The Password Policy describes the procedure to select and securely manage passwords.
- This policy applies to authorized users of IMPLAN products; an authorized user is any user that has signed up for an account or had one created for them by IMPLAN personnel.
- This policy applies to authorized users whose user accounts are stored within the IMPLAN managed user database.
Background:
- IMPLAN uses Auth0 for user authentication and management.
Controls and Procedures
Authorized User Password Policy
Creation requirements
a. Create passwords with no fewer than 8 characters, which include characters in three of the four following categories:
- Upper case letters
- Lower case letters
- Numbers
- Special characters
b. A password history of five passwords is enforced. Authorized users may not use a password that is one of their past five.
Password storage
a. Authorized user passwords are stored in the user database provided by Auth0
b. Passwords are encrypted with bcrypt
c. Passwords are salted and hashed
d. IMPLAN employees never have access to authorized user passwords
Password resets
a. Password resets can be initiated from the sign-in portal, reachable from https://implan.com
Multi Factor Authentication (MFA) is available for all authorized users and is enforced by default.
a. MFA must use either a one-time password (OTP) or SMS authentication.
Single Sign-on
a. Single Sign-on is provided by IMPLAN as an option to the IMPLAN Cloud.
b. Customers authenticating to IMPLAN's products using their organization's user store will be governed by the organization's password policies.