Password policy

At Tuist, protecting our systems and data is a top priority. To ensure security, all employees must adhere to the following password requirements:

Password Requirements:

Minimum Length: Passwords must be at least 12 characters long.
Complexity: Passwords must include at least three of the following:
- Uppercase letters (A-Z)
- Lowercase letters (a-z)
- Numbers (0-9)
- Special characters (!, @, #, $, etc.)
Avoid Common Passwords: Do not use easily guessable passwords (e.g., "password," "123456," names, or birthdays).
Unique Passwords: Each account must have a unique password. Never reuse passwords across different services or accounts.

Use of Password Managers: Employees are required to use 1Password for storing and generating passwords securely.
No Written or Shared Passwords: Passwords must never be written down or shared. If you need to grant access, use secure methods (e.g., temporary access management tools).

Regular Updates: Passwords should be updated every 90 days, or immediately if a potential breach is suspected.
Compromised Passwords: If a password is suspected to be compromised, it must be changed immediately and reported to the CISO.

Mandatory MFA: All employees must enable Multi-Factor Authentication (MFA) wherever possible for added security, particularly for sensitive systems (e.g., email, project management tools, cloud storage).

Random Audits: The CIO will perform periodic audits to ensure compliance with the password policy.
Non-Compliance: Failure to comply with the password policy may result in disciplinary action.

If you suspect any suspicious activity, security breaches, or compromised passwords, report it immediately to the CIO or CISO.

The version history of this document can be found in Tuist's handbook repository.