Password & Access Security Policy

This policy defines how passwords and account access must be created, stored, and shared within Grow Social Capital. The goal is to reduce the risk of unauthorised access, data breaches, and operational disruption.


  • Passwords are a primary line of defence and must be treated as sensitive information at all times.
  • Access to systems should always be traceable to an individual user wherever possible.
  • Convenience must never override security when handling credentials.

All passwords must be stored in Vaultwarden.

The following are strictly prohibited:

  • Writing passwords on paper
  • Storing passwords in notebooks, spreadsheets, or documents
  • Saving passwords in the browser's built-in password store instead of in Vaultwarden
  • Sharing passwords via email, chat, or messaging platforms

Vaultwarden is the single source of truth for all credentials.


All passwords must meet the following minimum standard:

  • At least 16 characters long

  • Must include:

    • Uppercase and lowercase letters
    • Numbers
    • Special characters

Passwords should be:

  • Randomly generated using Vaultwarden
  • Unique for every account (no reuse)
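As an added illustration, not part of the policy text or of any Grow Social Capital tooling, the Python below generates a password that meets the standard above using the operating system's cryptographic random source and checks any candidate against the same rules. The special-character set, the default length of 20 and the function names are assumptions made for this example; in day-to-day use staff should rely on Vaultwarden's built-in generator, which does the same job.

```python
import math
import secrets
import string

# Character classes the policy requires. The special-character set is an
# assumption for this example; trim it to what a given system accepts.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.<>?"
ALPHABET = UPPER + LOWER + DIGITS + SPECIAL
MIN_LENGTH = 16


def meets_policy(password: str) -> bool:
    """True if the password satisfies the minimum standard: 16+ characters
    with at least one upper, one lower, one digit and one special."""
    return (
        len(password) >= MIN_LENGTH
        and any(c in UPPER for c in password)
        and any(c in LOWER for c in password)
        and any(c in DIGITS for c in password)
        and any(c in SPECIAL for c in password)
    )


def generate_password(length: int = 20) -> str:
    """Draw characters with the OS CSPRNG (secrets, never random) and reject
    candidates that miss a class. Conditioning a uniform draw on compliance
    keeps the result uniform over all compliant strings, which forcing one
    character per class into fixed or shuffled positions would not."""
    if length < MIN_LENGTH:
        raise ValueError(f"policy minimum is {MIN_LENGTH} characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string of this length over the alphabet
    (a slight overestimate for generate_password, since rejection discards a
    small fraction of strings). 16 characters over 87 symbols is about 103 bits."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, meets_policy(pw), round(entropy_bits(len(pw)), 1))
    # Composition rules alone do not make a password strong: this guessable
    # string passes every check, which is why random generation is required.
    print(meets_policy("Passw0rd!Passw0rd!"))
```

The second print is the point of the example: a composition check accepts "Passw0rd!Passw0rd!" even though any cracking wordlist contains it, so the length and character-class rules are a floor, and random generation with a CSPRNG is what actually delivers the roughly 103 bits of entropy a compliant 16-character password can have.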

5.1 Preferred Approach (Required Standard)

Wherever possible:

  • Create individual user accounts for each team member
  • Assign appropriate permissions instead of sharing credentials

This ensures:

  • Accountability
  • Auditability
  • Reduced security risk

Passwords may be shared only if both of the following apply:

  • There is no technical way to add a user account
  • The access is essential for business operations

When sharing is unavoidable:

  • Share the credential inside Vaultwarden (for example through an organisation collection) rather than copying it out of the vault
  • Never send passwords in plain text
  • Limit access to only those who need it
  • Remove shared access as soon as it is no longer required

MFA is mandatory wherever it is available.

This means:

  • Accounts must use a second verification method (e.g. authenticator app or hardware security key; SMS codes only where nothing stronger is offered, since they can be intercepted through SIM swapping)
  • Vaultwarden should be used to store backup codes where applicable; because the vault then holds both factors, the Vaultwarden account itself must be protected by a strong master password and MFA

MFA significantly reduces the risk of account compromise, even if a password is exposed.


Weak password practices are one of the most common causes of cyber incidents.

For example:

  • The British Library suffered a major ransomware attack in October 2023 that caused prolonged service outages and the theft of internal data. The Library's own post-incident review identified the absence of multi-factor authentication on a remote-access server as a contributing factor; attacks like this often begin with compromised credentials.
  • Ransomware groups frequently gain access through reused or weak passwords, then lock organisations out of their own systems.
  • Phishing attacks trick users into revealing passwords, which can then be used to access multiple services if passwords are reused.

These incidents lead to:

  • Loss of data
  • Operational downtime
  • Financial cost
  • Reputational damage

Strong password management and MFA are among the most effective ways to prevent these outcomes.


All staff, contractors, and collaborators must follow this policy.

Failure to comply may result in:

  • Removal of system access
  • Disciplinary action where appropriate

  • Store passwords only in Vaultwarden
  • Create strong, unique passwords (16+ characters)
  • Do not write passwords down or store them elsewhere
  • Do not share passwords unless absolutely necessary
  • Use MFA everywhere it is available
  • Prefer individual user accounts over shared credentials

Security is a shared responsibility. Following this policy protects both Grow Social Capital and the people we work with.

Page last updated at 20 April 2026 18:49 by Sarah Tamsin