Password policy
At Tuist, protecting our systems and data is a top priority. To ensure security, all employees must adhere to the following password requirements:
Password Requirements
- Minimum Length: Passwords must be at least 12 characters long.
- Complexity: Passwords must include at least three of the following:
  - Uppercase letters (A-Z)
  - Lowercase letters (a-z)
  - Numbers (0-9)
  - Special characters (!, @, #, $, etc.)
- Avoid Common Passwords: Do not use easily guessable passwords (e.g., "password," "123456," names, or birthdays).
- Unique Passwords: Each account must have a unique password. Never reuse passwords across different services or accounts.
Password Storage
- Use of Password Managers: Employees are required to use 1Password for storing and generating passwords securely.
- No Written or Shared Passwords: Passwords must never be written down or shared. If you need to grant access, use secure methods (e.g., temporary access management tools).
Password Updates
- Regular Updates: Passwords should be updated every 90 days, or immediately if a potential breach is suspected.
- Compromised Passwords: If a password is suspected to be compromised, it must be changed immediately and reported to the CISO.
Multi-Factor Authentication (MFA)
- Mandatory MFA: All employees must enable Multi-Factor Authentication (MFA) wherever possible for added security, particularly for sensitive systems (e.g., email, project management tools, cloud storage).
Monitoring and Compliance
- Random Audits: The CIO will perform periodic audits to ensure compliance with the password policy.
- Non-Compliance: Failure to comply with the password policy may result in disciplinary action.
Reporting Security Incidents
If you notice any suspicious activity, or suspect a security breach or a compromised password, report it immediately to the CIO or CISO.
Version history
The version history of this document can be found in Tuist's handbook repository.