Optizio Password Policy
(Based on OWASP ASVS 4.0 Section V2.1 Password Security Requirements)
Purpose
This policy establishes password requirements for all systems and accounts managed by Optizio, in accordance with the OWASP Application Security Verification Standard (ASVS) 4.0, section V2.1. Where Optizio relies on third-party services (e.g., Shopify, cloud providers), these requirements are implemented to the fullest extent possible within the capabilities of those services.
Scope
This policy applies to all Optizio-managed systems, applications, and accounts, including employee, contractor, and administrative access, as well as any custom authentication implemented in Optizio’s Shopify apps.
Policy Requirements
1. Password Length and Complexity
- User-set passwords must be at least 12 characters in length, measured after consecutive spaces have been combined into a single space.
- Passwords up to 64 characters must be permitted; passwords longer than 128 characters may be denied.
- No truncation of passwords is allowed (except for replacing consecutive spaces with a single space).
- Any printable Unicode character, including spaces and emojis, must be allowed in passwords.
- There are no composition rules—users are not required to include upper/lowercase, numbers, or special characters.
2. Password Management
- Users must be able to change their passwords at any time.
- Password change functionality must require the current password and the new password.
- Passwords must not be rotated or changed periodically unless there is evidence of compromise.
- No password history is enforced.
3. Password Quality and Usability
- Passwords submitted during registration, login, and change must be checked against a list of breached passwords (locally or via a privacy-preserving external API).
- If a breached password is detected, the user must be required to set a new, non-breached password.
- A password strength meter must be provided to help users choose stronger passwords, where technically feasible.
- Password paste functionality, browser password helpers, and external password managers must be permitted.
- Users must be able to temporarily view their masked password or the last typed character, where the platform allows.
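The following validator is an added example (it is not part of the Optizio policy or of any Optizio code) showing how the requirements of sections 1 and 3 fit together in one check: consecutive spaces are collapsed, length is measured in Unicode code points after that collapse, no composition rules are applied, and the password is looked up in a breach corpus by sending only a hash prefix. The breached-password set, the `range_lookup` stand-in for the privacy-preserving API, and the sample passwords are all constructed for the example.

```python
import hashlib
import re
import unicodedata

# Policy constants from sections 1 and 3 above.
MIN_LENGTH = 12          # after consecutive spaces are combined
MUST_ACCEPT_UP_TO = 64   # anything this long or shorter must be accepted
MAX_LENGTH = 128         # longer passwords may be denied

# Constructed stand-in for a local breached-password list, stored as upper-case
# SHA-1 hex digests (the format many breach corpora use). Not real breach data.
_BREACHED_PLAINTEXTS = ["password1234", "correct horse battery staple"]
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _BREACHED_PLAINTEXTS
}


def normalize_password(password: str) -> str:
    """Collapse runs of two or more spaces into one space.

    This is the only transformation the policy permits: no trimming, no
    truncation, no case folding.
    """
    return re.sub(r" {2,}", " ", password)


def range_lookup(prefix: str) -> set:
    """Stand-in for a privacy-preserving range endpoint.

    A real k-anonymity API receives only the first 5 hex characters of the
    hash and returns every stored suffix that shares them; the caller never
    sends the full hash or the password. Here the lookup runs against the
    constructed local set above.
    """
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_breached(password: str) -> bool:
    """Hash locally, query by 5-character prefix, compare the suffix locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_lookup(prefix)


def validate_password(password: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    errors = []
    normalized = normalize_password(password)

    # len() counts Unicode code points, never bytes, so an emoji or accented
    # character counts as one character. No composition rules are checked.
    if len(normalized) < MIN_LENGTH:
        errors.append(f"must be at least {MIN_LENGTH} characters after combining spaces")
    if len(password) > MAX_LENGTH:
        errors.append(f"must not exceed {MAX_LENGTH} characters")

    # Only control characters (category Cc) are rejected. Format characters
    # such as the zero-width joiner are kept because emoji sequences use them.
    if any(unicodedata.category(c) == "Cc" for c in normalized):
        errors.append("must contain only printable characters")

    # Breach check runs on the normalized form, since that is what gets stored.
    if not errors and is_breached(normalized):
        errors.append("appears in a breach corpus; choose a different password")
    return errors
```

The breach check deliberately runs last and only on otherwise-valid input, so the lookup is not triggered for passwords that will be rejected anyway. In a deployment the `range_lookup` body would be replaced by the HTTPS call to the chosen range API, with the prefix as the only value sent.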
4. Initial and System-Generated Passwords
- System-generated initial passwords or activation codes must be securely random, at least 6 characters, and expire after a short period. They must not become long-term passwords.
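As an added example (not Optizio code), the store below issues activation codes that meet section 4: generated with a CSPRNG, longer than the 6-character minimum, expiring after a short window, and usable exactly once so they cannot linger as long-term passwords. The 8-character length, the 15-minute window, the unambiguous alphabet, and the class and function names are assumptions made for the example; the clock is injectable so expiry can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time

# Assumptions for this example: an alphabet without 0/O and 1/l so codes survive
# being read aloud, 8 characters (policy minimum is 6), and a 15-minute lifetime.
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # 32 symbols
CODE_LENGTH = 8                                      # 32**8 = 2**40 possibilities
CODE_TTL_SECONDS = 15 * 60


def generate_activation_code(length: int = CODE_LENGTH) -> str:
    """Securely random code drawn with the secrets module, never random.random."""
    return "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))


def _hash_code(code: str) -> str:
    # The code is short-lived and high-entropy, so a fast hash is acceptable here;
    # the point is that the plaintext code is never kept server-side.
    return hashlib.sha256(code.encode("utf-8")).hexdigest()


class ActivationStore:
    """In-memory record of issued codes, keyed by user id: holds hash and expiry only."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock for testing expiry
        self._issued = {}        # user_id -> (sha256 hex of code, expiry timestamp)

    def issue(self, user_id: str) -> str:
        """Create a code for the user; re-issuing replaces any earlier code."""
        code = generate_activation_code()
        self._issued[user_id] = (_hash_code(code), self._now() + CODE_TTL_SECONDS)
        # Returned once so it can be delivered to the user; it is not stored.
        return code

    def redeem(self, user_id: str, presented: str) -> bool:
        """True exactly once, for the right code, before it expires."""
        record = self._issued.get(user_id)
        if record is None:
            return False
        expected_hash, expires_at = record
        if self._now() > expires_at:
            del self._issued[user_id]          # expired codes are discarded
            return False
        if not hmac.compare_digest(expected_hash, _hash_code(presented)):
            return False                       # wrong code; record stays for a retry
        del self._issued[user_id]              # single use: cannot become a password
        return True


if __name__ == "__main__":
    store = ActivationStore()
    code = store.issue("user-123")
    print("issued", code, "redeem:", store.redeem("user-123", code))
```

After a successful `redeem` the caller should move straight to the user-set password step from section 1, so the activation code is never reused as a credential; a failed attempt leaves the record in place for a retry, which in a real deployment would sit behind the application's normal attempt limiting.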
5. Credential Recovery
- Activation or recovery secrets must never be sent in clear text.
- Password hints and knowledge-based authentication (“secret questions”) are not permitted.
- Password recovery processes must never reveal the current password.
- Shared or default accounts (e.g., “admin”, “root”) are not permitted.
- Secure notification must be sent to users after any authentication factor is changed or replaced.
- Forgotten password and recovery paths must use secure mechanisms such as TOTP, mobile push, or other secure offline recovery methods.
6. Third-Party Service Limitations
- Where Optizio relies on third-party authentication (e.g., Shopify platform, cloud services), password policies are enforced to the extent allowed by those services. Any limitations will be documented and monitored for future improvements.
Enforcement and Review
- This policy is reviewed annually or upon significant changes to authentication technology or business operations.
- Violations of this policy may result in disciplinary action.
References