Approved Date – 02/22/2021
Published Date – 02/22/2021
Reviewed Date – 06/09/2026
1. Purpose
Specify the minimum standards for password creation and ensure the proper and consistent life cycle management of all District of Columbia Government (“District”) passwords by their associated District workforce member.
2. Authority
DC Official Code § 1-1401 et seq., provides the Office of the Chief Technology Officer (“OCTO”) with the authority to provide information technology (IT) services, write and enforce IT policies, and secure the network and IT systems for the District. This document can be found at https://code.dccouncil.gov/us/dc/council/code/sections/1-1402.
3. Applicability
This policy applies to all District workforce members (including contractors, vendors, consultants, temporary staff, interns, and volunteers) performing official functions on behalf of the District, and/or any District agency or entity (e.g. subordinate and independent agencies, Council of the District of Columbia, D.C. Charter Schools, etc.) who receive enterprise services from OCTO. In addition, this policy applies to any provider or third-party entity with access to District information, networks, and applications.
4. Policy
Each agency must implement a secured password process for all District workforce members with access to the District’s network (hereafter known as users), which must require the following:
4.1. Password Standard for the District
4.1.1. Minimum Password Length
Passwords must have a minimum of 14 characters. If a system will not support 14-character passwords, then the maximum number of characters allowed by that system must be used.
4.1.2. Password Composition
Passwords must not consist of the user’s publicly known information (e.g., last name, birthdays, home address, alma mater, pet name, aliases, etc.).
4.1.3. Password Complexity
Passwords must be complex using the guidelines below:
- Passwords must have at least one numeric character (0-9).
- Passwords must have at least one uppercase and at least one lowercase alphabetic character (A-Z, a-z).
- Passwords must have at least one special character (for example: !, $, *, #, ^, or @).
- Passwords with strong complexities as defined above do not need to expire.
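A checker for the length and complexity rules in sections 4.1.1 through 4.1.3, added here as an illustration rather than OCTO tooling. The `system_max_length` and `public_info` parameters are assumed interfaces: the first carries the system's own limit for the 4.1.1 fallback, the second the user's publicly known facts that 4.1.2 forbids in a password.

```python
import re

# Parameters taken from sections 4.1.1 and 4.1.3 of the policy.
MIN_LENGTH = 14


def check_password(password, system_max_length=None, public_info=()):
    """Return the list of policy rules the password violates ([] means compliant).

    system_max_length: longest password the target system accepts; when it is below
        14, section 4.1.1 says that maximum becomes the required length.
    public_info: strings publicly associated with the user (last name, pet name, ...)
        that section 4.1.2 forbids; the caller supplies them (assumed interface).
    """
    required = MIN_LENGTH
    if system_max_length is not None and system_max_length < MIN_LENGTH:
        required = system_max_length

    failures = []
    if len(password) < required:
        failures.append("4.1.1 length")

    # 4.1.2: case-insensitive substring match against the supplied public facts.
    lowered = password.lower()
    if any(item and item.lower() in lowered for item in public_info):
        failures.append("4.1.2 public info")

    # 4.1.3: one digit, both letter cases, and one special (non-alphanumeric) character.
    if not re.search(r"[0-9]", password):
        failures.append("4.1.3 digit")
    if not (re.search(r"[A-Z]", password) and re.search(r"[a-z]", password)):
        failures.append("4.1.3 mixed case")
    if not any(not c.isalnum() for c in password):
        failures.append("4.1.3 special")
    return failures
```

The function reports every failed rule at once, so a user fixing a rejected password sees the full list rather than one rule per attempt.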
4.2. Password Management for all users
4.2.1. Password Storage
- Users must never write down or record passwords along with associated usernames and/or account information.
- Users must not save passwords to unencrypted computer applications such as email. The use of an encrypted password management application is acceptable (contact OCTO for the list of approved password management applications for the District).
4.2.2. Password Reuse
- Users are prohibited from re-using the last 6 previously used passwords.
- Users must take steps to prevent the compromise of his/her password. On the suspicion of a compromise, or in the event of an actual compromise, the user must immediately change his/her password.
- Users must ensure that their username and password(s) used for DC Government accounts are not used for any personal accounts and/or services.
4.2.3. Password Sharing and Transfer
- Users must not transfer or share passwords with others unless the user obtains appropriate authorization to do so.
- Users must take reasonable measures to protect passwords from unauthorized access when it is necessary to disseminate passwords in writing. (For example, after memorizing the password, the user must destroy the written record.)
- Users must take measures to ensure that the password is not overheard by unauthorized individuals when verbally communicating a password to an authorized individual.
4.2.4. Electronic Transmission
Users must ensure that passwords are not transferred electronically over the Internet using insecure methods. Wherever possible, security protocols including FTPS, HTTPS, IPSEC, etc. must be used.
4.2.5. Change after Compromise or Disclosure
- Users are required to change their password when there is suspicion that the account password has in some way been compromised or disclosed.
- Users are required to notify the system administrator when there is evidence of a data breach.
4.3. Password Management for System Administrators
4.3.1. Required Passwords for Login
System administrators must ensure that all systems require that the user authenticates with a valid password before they can log in. All devices with public access, separated from administrative accounts, and with extremely restricted permissions (e.g., web only) are exempted from this requirement.
4.3.2. Systems Default Passwords
System administrators must change default passwords for administrative accounts and deploy multi-factor authentication (MFA) for user logon.
4.3.3. Password Protection
- System administrators must harden their systems to prevent password cracking by using technical controls to mitigate “brute force” password attacks.
- System administrators must enforce a limit of three (3) consecutive invalid logon attempts by a user during a 120-minute period; and automatically lock the account for 15 minutes or until released by the administrator when the maximum number of unsuccessful attempts is exceeded.
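One way to implement the lockout rule in section 4.3.3, added here as an example and not an OCTO reference implementation. It reads "exceeded" literally: three consecutive failures within 120 minutes are permitted and the fourth locks the account for 15 minutes, with an administrator able to release it earlier; `DEMO_START` and `minutes_after` are a constructed clock for the demonstration.

```python
from datetime import datetime, timedelta
from typing import List, Optional

# Parameters from section 4.3.3 of the policy.
MAX_FAILURES = 3                         # permitted consecutive invalid attempts
FAILURE_WINDOW = timedelta(minutes=120)  # failures older than this no longer count
LOCKOUT_DURATION = timedelta(minutes=15)


class AccountLockout:
    """Per-account tracker: locks once the limit of consecutive failures is exceeded."""

    def __init__(self):
        self.failures: List[datetime] = []          # timestamps of counted failures
        self.locked_until: Optional[datetime] = None

    def is_locked(self, now):
        return self.locked_until is not None and now < self.locked_until

    def record_failure(self, now):
        """Register an invalid logon at time `now`; return True if the account is locked."""
        if self.is_locked(now):
            return True
        # Only failures inside the 120-minute window are "consecutive" for this rule.
        self.failures = [t for t in self.failures if now - t < FAILURE_WINDOW]
        self.failures.append(now)
        if len(self.failures) > MAX_FAILURES:       # fourth failure exceeds the limit of three
            self.locked_until = now + LOCKOUT_DURATION
            self.failures = []
            return True
        return False

    def record_success(self, now):
        """A valid logon clears the failure count; it is refused while the lock is active."""
        if self.is_locked(now):
            return False
        self.failures = []
        self.locked_until = None
        return True

    def admin_release(self):
        """Administrator releases the account before the 15 minutes elapse."""
        self.locked_until = None
        self.failures = []


# Constructed clock for demonstration: minutes after an arbitrary start time.
DEMO_START = datetime(2021, 2, 22, 9, 0)


def minutes_after(minutes):
    return DEMO_START + timedelta(minutes=minutes)
```

Note that a correct password presented while the lock is active is still refused; otherwise the lock would leak whether a guess was right, which is exactly what the control is meant to prevent.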
4.3.4. Logging
System administrators must ensure that measures are put in place to log successful and failed login attempts. Password logs must be kept for no less than 7 years.
4.3.5. Periodic Password Change
System administrators are permitted to implement a timeline for password change of the agency’s workforce members based on the determined level of assessed risk.
4.3.6. Password Change after Compromise or Disclosure
System administrators must promptly reset system passwords in the event of, or on the suspicion of, a compromise or disclosure.
4.4. Password Management for Application Developers
4.4.1. Require Secure Transmission
Application developers must, whenever required, develop applications that require secure protocols for authentication.
4.4.2. Storing Passwords
Application developers must avoid creating applications that store passwords. If password storage is necessary, the password must not be stored in clear text or in an easily decrypted format (for example, it should be stored as a salted hash).
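Added example of the salted-hash storage that section 4.4.2 calls for; it is not code from the policy or from OCTO. The construction (PBKDF2-HMAC-SHA256, 600,000 iterations, 16-byte random salt) is an assumption, since the policy names no algorithm; the stored record carries its own parameters so they can be raised later without invalidating existing records.

```python
import base64
import hashlib
import hmac
import os

# Algorithm choices are assumptions: the policy only requires a salted hash,
# not a specific construction. PBKDF2-HMAC-SHA256 is in the Python standard library.
ALGORITHM = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return a storable record "pbkdf2$<alg>$<iterations>$<salt>$<digest>" (base64 fields)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user, so equal passwords differ
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, ITERATIONS)
    fields = ["pbkdf2", ALGORITHM, str(ITERATIONS),
              base64.b64encode(salt).decode("ascii"),
              base64.b64encode(digest).decode("ascii")]
    return "$".join(fields)


def verify_password(password, stored):
    """Recompute the hash with the stored salt and parameters; compare in constant time."""
    scheme, alg, iterations, salt_b64, digest_b64 = stored.split("$")
    if scheme != "pbkdf2":
        raise ValueError("unsupported password record")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac(alg, password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)
```

Nothing in the record lets the application recover the password; a check can only re-run the derivation on a candidate and compare.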
4.4.3. Unique User Accounts and Passwords
Application developers must ensure that applications support unique user accounts and passwords. Multiple users must not be required to share the same password to use the application.
4.4.4. Single Sign-On (SSO)
Application developers must ensure that applications, whenever capable, utilize the District-approved single sign-on platform for authentication, which is based on Active Directory, instead of creating another unique ID or username repository.
5. Exemptions
Exceptions to this policy must be requested in writing to the Agency’s CIO and the request will be escalated to the OCTO Chief Information Security Officer (“CISO”) for approval.
6. Definitions
The definition of the terms used in this document can be found in the Policy Definitions website.