Password Policy

Overview

Passwords are an essential and important aspect of our overall cyber security program. Passwords are the front line of protection for user accounts and access to critical systems and applications. All Essex Property Trust employees, contractors and vendors are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

Purpose

The purpose of this policy is to establish a standard for creation of strong, complex passwords, the protection of those passwords and the frequency of change.

Scope

The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Essex Property Trust location, has access to the Essex Property Trust trusted network, has access to any application that is accessed via the Essex Property Trust Networks or stores any non-public Essex Property Trust information. 

Policy

General

  • All user passwords (e.g., for applications such as Yardi and Workday, et al.) must be changed every 180 days.
  • Windows user passwords must be changed every 180 days. This is enforced within Active Directory.
  • User passwords must have a minimum of 11 characters and must be unique for the last four password changes. This is enforced within Active Directory.
  • User passwords must contain a mix of at least one each of:
    • Upper & Lower-Case letters
    • Numbers
    • Punctuation & Special Characters
  • All user and system passwords must conform to the guidelines described below.

Guidelines

General Guidelines

Passwords are used for various purposes at Essex. Some of the more common uses include user accounts, screen saver protection and voicemail passwords.
Weak passwords have the following characteristics:
  • The password contains fewer than eight characters
  • The password is a word found in a dictionary (English or foreign)
  • The password is a common usage word or number such as: names of family, pets, friends, co-workers, fantasy characters, birthdays, addresses, phone numbers and other personally significant dates and numbers
  • Computer terms and names, commands, sites, companies, hardware, software
  • The words "Essex", "sanjose", "sanfran", town names or similar
  • Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
  • Any of the above spelled backwards
  • Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
Strong passwords have the following characteristics: 
  • Contain both upper and lower-case characters (e.g., a-z, A-Z)
  • Have digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~- =\'{}[]:";'<>?,./)
  • Are at least eleven (11) alphanumeric characters long
  • Are not a word in any language, slang, dialect, jargon, etc.
  • Are not based on personal information, names of family, etc.
  • Passwords should never be written down, saved on a post-it note, written on paper and placed in a drawer or under a keyboard or stored on-line.
  • Create passwords that can be easily remembered by you. One way to do this is to create a password based on a song title, affirmation or other phrase. For example, the phrase might be: "This May Be One Way To Remember You and Me" and the password could be: "TmB1w2Ru&m!" or "Tmb1W>r~u1m2" or some other variation.
NOTE: Do not use either of these examples as passwords!

Password Protection Standards

Do not use the same password for Essex accounts as for non-Essex accounts (e.g., personal ISP/internet account, banking, social media, option trading, benefits, etc.). 
Do not share Essex passwords with anyone, including administrative assistants or secretaries. If need be, calendar and contact sharing can be set up with your administrative assistant using built-in tools provided by the software manufacturer. All passwords are to be treated as sensitive, Confidential Essex information.
Here is a list of "don’ts":
  • Don't reveal a password over the phone to ANYONE
  • Don't reveal a password in an email message
  • Don't reveal a password to the boss
  • Don't talk about a password in front of others
  • Don't hint at the format of a password (e.g., "my family name")
  • Don't reveal a password on questionnaires or security forms
  • Don't share a password with family members
  • Don't reveal a password to co-workers while on vacation
If someone demands a password, refer them to this document or have them call the Corporate Service Desk.
Do not use the "Remember Password" feature of applications (e.g. Internet Explorer).
Again, do not write passwords down and store them anywhere in your office. Do not store passwords in a file on ANY computer system (including mobile devices or similar devices) without encryption.
If an account or password is suspected to have been compromised, report the incident to the Corporate Service Desk and change all your passwords.

Enforcement Testing

Adherence to this policy will be managed and monitored through Active Directory to ensure that the above requirements are being continuously met.

Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. 

Last updated: June 8, 2020


 

June 10, 2020