Password Management
Healthy.io's computers do not display passwords when employees enter them. Healthy.io transmits passwords only when cryptographically protected and stores passwords using an approved hash algorithm. It avoids the use of third parties or unprotected (clear text) electronic mail messages to disseminate passwords, and users acknowledge receipt of passwords. The company documents password policies applicable to mobile devices, enforces them through technical controls on all company devices or devices approved for BYOD usage, and prohibits changing password/PIN lengths and authentication requirements.
Healthy.io changes passwords for default system accounts, at first log-on following the issuance of secure temporary passwords, when there is a suspected compromise, and no less than every 90 days for regular and privileged accounts. It verifies user identities before performing password resets.
Healthy.io maintains a list of commonly-used, expected, or compromised passwords. It updates the list (i) at least every 180 days and (ii) whenever it suspects the (direct or indirect) compromise of organizational passwords. It enables users to select long passwords and passphrases, including spaces and all printable characters, and employs automated tools to assist users in selecting strong passwords and authenticators. When users create or update passwords, Healthy.io verifies that they are not on its defined list of commonly-used, expected, or compromised passwords.
The password management system requires individual user IDs and passwords, and it:
Forces a password change at initial log-on;
Does not display passwords when entered;
Requires users to change vendor-supplied default passwords before 'going live';
Enables users to select and change their own passwords;
Includes a confirmation procedure to allow for input errors.
Automated log-on processes do not embed passwords, and the system encrypts passwords during transmission and storage on all system components.
Users sign a statement acknowledging their responsibility to keep passwords confidential. Temporary passwords are unique and not guessable. Healthy.io requires complex passwords with a minimum length of ten characters that contain both numeric and alphabetic characters, or that have equivalent strength (entropy). Healthy.io changes passwords no less than every 90 days for regular and privileged accounts. It prevents password reuse for at least four generations. Passwords/passphrases set for first-time use or upon reset are unique to each user and are changed immediately after the first use.
Healthy.io allows passwords to be generated only with the company's default password vault software. This solution enables users to select long passwords and passphrases, including spaces and all printable characters, and employs automated tools to assist users in choosing strong passwords and authenticators.