Password Policy

Purpose: The purpose of this policy is to ensure that only authorized users gain access to Nested Knowledge’s information systems.

Scope: This policy affects all employees of Nested Knowledge and its subsidiaries, and all contractors, consultants, temporary employees and business partners. Employees who deliberately violate this policy will be subject to disciplinary action up to and including termination.

Affected Systems: This policy applies to all computer and communication systems owned, operated, or accessed by Nested Knowledge and its subsidiaries. Systems include company shared drives, purchased software, and access to the Nested Knowledge AutoLit review platform. Similarly, this policy applies to all platforms (operating systems) and all application systems.

Internal Password Policy

Application Passwords – All internet-accessed applications, including applications developed internally by Nested Knowledge, must be password protected.

Changing Passwords – All passwords must be promptly changed if they are suspected of being disclosed, or known to have been disclosed to unauthorized parties. Nested Knowledge leverages compromised credential databases with automated alerting, and a positive match requires an immediate change.

Sharing Passwords – Passwords must be kept confidential and may not be shared among users. Users are prohibited from recording passwords in an unencrypted medium, like a notetaking application, email, mobile phone, or piece of paper. Company credentials, including work email and other work accounts, may not be used on personal websites.

Password Storage – Passwords will not be stored in readable form without access control or in other locations where unauthorized persons might discover them. All such passwords are to be strictly controlled using either physical security or computer security controls.

Password Complexity

Passwords must:

  • be at least 12 characters long
  • contain a mix of at least three of the following characters:
    • uppercase
    • lowercase
    • numeric
    • non-alphanumeric
  • not match your user name or email

These rules are enforced in all software offering such a configuration.

Application Password Policy

Application Passwords – All programs, including third party purchased software and applications developed internally by Nested Knowledge must be password protected.

User Authentication

All systems will require a valid user ID and password. All unnecessary operating system or application user IDs not assigned to an individual user will be deleted or disabled.

As described in our Secure Development Policy, Nested Knowledge does not manage user passwords or authentication itself; this is handled by Auth0 and Auth0 Lock. All communications between the client and Auth0 are encrypted (TLS), ensuring passwords are never communicated in plain text. Passwords stored by Auth0 are salted and hashed (bcrypt). Communications relayed by the client are similarly encrypted and RSA signed.

Choosing Passwords

All user-chosen passwords must contain at least one alphabetic character, one number, and one special character. Passwords must contain a minimum of 8 characters. For Google Sign In and SSO users, password rules are enforced by the IdP.
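As an added illustration (not Nested Knowledge's own code), the internal rules under Password Complexity and the user-chosen rules above are encoded as two policy objects checked by one function; the policy names, the function names, the case-insensitive identity comparison and the compromised-credential set are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    min_classes: int             # how many of the four character classes must appear
    required_groups: tuple = ()  # each group: at least one of its classes must appear
    forbid_identity_match: bool = False


# Internal policy: 12+ characters, three of four classes, not equal to user name or email.
INTERNAL_POLICY = PasswordPolicy("internal", 12, 3, forbid_identity_match=True)
# Application (user-chosen) policy: 8+ characters, one alphabetic, one digit, one special.
APPLICATION_POLICY = PasswordPolicy(
    "application", 8, 1,
    required_groups=(frozenset({"uppercase", "lowercase"}),
                     frozenset({"numeric"}), frozenset({"non-alphanumeric"})))


def character_classes(password: str) -> set:
    """Return the set of character classes present in the password."""
    present = set()
    for ch in password:
        if ch.isupper():
            present.add("uppercase")
        elif ch.islower():
            present.add("lowercase")
        elif ch.isdigit():
            present.add("numeric")
        else:
            present.add("non-alphanumeric")
    return present


def check_password(password, policy, username="", email="", compromised=frozenset()):
    """Return the list of rules the password violates; an empty list means it passes."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    present = character_classes(password)
    if len(present) < policy.min_classes:
        problems.append(f"only {len(present)} of 4 character classes (need {policy.min_classes})")
    for group in policy.required_groups:
        if not group & present:
            problems.append("missing " + "/".join(sorted(group)) + " character")
    # Identity match is compared case-insensitively here (an assumption, stricter than exact match).
    if policy.forbid_identity_match and any(
            ident and password.casefold() == ident.casefold() for ident in (username, email)):
        problems.append("matches user name or email")
    # Constructed stand-in for the compromised-credential feed: a positive match
    # requires an immediate change, so it is reported as a violation here.
    if password in compromised:
        problems.append("found in compromised-credential list")
    return problems
```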

Password Expiration Time

The company does not currently have a Password Expiration Time policy; Google and Auth0 may require users to change their passwords at set intervals, and the company defers to these providers' policies with respect to password expiration.

The company will review the Password Expiration Time policy periodically to ensure that long-term exposures are minimized.

Password Constraints

The display and printing of passwords should be masked, suppressed, or otherwise obscured so that unauthorized parties will not be able to observe or subsequently recover them. After multiple unsuccessful attempts to enter a password, the involved account and involved IP(s) are locked for a set period of time, per Auth0 Brute Force Prevention rules.

Changing Passwords

Passwords are invalidated, requiring reset flow, if they are suspected of being disclosed, or known to have been disclosed to unauthorized parties.

Sharing Passwords

Passwords must be kept confidential and may not be shared among users, just as with user accounts.

Revision History

Author        Date of Revision/Review   Comments/Description
K. Cowie      10/25/2024                Revised
K. Cowie      10/06/2023                Minor revisions
K. Kallmes    11/19/2021                Initial Draft approved
K. Cowie      09/01/2022                Draft approved
K. Holub      12/12/2025                Review; clarified internal and external


Updated on December 12, 2025