User IDs or User Names and Passwords are considered unique and confidential information, and sharing them is strictly prohibited.
Application interface user IDs fall under the scope of this policy.
Transmission of authentication credentials must occur over encrypted channels.
Unencrypted storage or communication of authentication credentials is strictly prohibited.
In application support scenarios where external entities (non-CA, such as customers or vendors) communicate authentication credentials:
Communication of authentication credentials should occur via dual-band methods, e.g. send username via email and password via phone. Do not post credentials directly in support case activity notes.
If credentials are sent in the clear:
They will be immediately removed
A negative confirmation, including a citation of CA Policy, will be sent to the sender
A unique User ID or User Name MUST be created for each individual. User ID or User Name sharing is strictly prohibited. Any exceptions require a Technical and Business justification. For system user IDs, password knowledge must be limited to a restricted set of authorized users.
8 characters long (minimum)
Combination of letters & numbers
Must have at least one Upper case letter
Must have at least one numeric character
Must have one special character
Passwords expire every 90 days
Accounts not used for 90 days will be disabled
Account will be disabled after 10 retries and will require approved ticket to reactivat