Password Policy
Access to systems is granted through personal accounts managed in a central directory service. The following password policy is enforced within the directory service:
• The minimum length is 10 characters, and four character types (uppercase letter/lowercase letter/number/special character) must be used.
• A minimum length of 8 characters is allowed if at least three character types are used and multi-factor authentication is additionally employed.
• Access is permanently locked after three incorrect password attempts. Users can unlock it themselves via multi-factor authentication using a "Self-Service Password Reset" feature. Instructions for use are available here. Prerequisite is a configured, secure multi-factor authentication.
• Passwords from the private domain must not be used.
• Passwords must be kept confidential and must not be shared with others.
• Individual passwords must be used for each IT system or application. Ideally, they should be stored in a password manager. Vollers General IT provides Microsoft Edge linked to the personal main account across devices for this purpose. A description of its use is available here. For advanced requirements in certain work areas, a specialized password manager may be provided.
• Passwords must not be stored publicly or unencrypted.
• If a password might have been exposed to others, it must be changed immediately.
• If an initial password is provided for first-time login, it must be replaced with a personal password. This applies equally to codes on smartphones and tablets.
• When changing passwords, old passwords must not be reused; this is technically enforced.
• Trivial passwords must not be used, examples include:
o Can be easily associated with the user, such as names and birthdates of relatives, pets, etc.
o Repetitive or keyboard patterns like "asdfghjkl" or "123456"
• The use of private email addresses for communication with Vollers addresses is generally prohibited. Exceptions apply for extraordinary events such as illness. Such emails may be blocked by the mail gateway if necessary.
Copyrighted data must not be sent, forwarded, or otherwise distributed.