Password Policy — LMS Platform

1. General

This Password Policy establishes requirements for the creation, storage, management, and rotation of passwords across all components of the Learning Management System (LMS), including user accounts, administrative panels, API keys, and service accounts.

The policy is based on the following international security standards:

NIST SP 800-63B Rev. 4 (2024) — Digital Identity Guidelines
ISO/IEC 27001:2022, Annex A.9 — Access Control
CIS Controls v8, Control 5 — Account Management
GDPR / Federal Law 152-FZ — Personal Data Protection
OWASP Authentication Cheat Sheet

2. Password Requirements

2.1 Length and Composition

Parameter	Requirement
Minimum length (regular users)	8 characters
Recommended length	8-12 characters
Minimum length (administrators)	12 characters
Maximum length	64 characters minimum
Minimum length (passphrases)	12 characters
Minimum length (service accounts)	24 characters, auto-generated
Allowed characters	All printable ASCII, spaces, Unicode (including emoji)

NIST 2024 Recommendation:

Complexity requirements (uppercase + digits + special chars) and periodic forced rotation (every 90 days) are no longer recommended. Focus on password length and blocklist checking instead.

2.2 Blocklist

The system checks passwords against:

Top 10,000 most commonly used passwords (SecLists, RockYou, etc.)
Passwords found in data breaches (Have I Been Pwned integration where available)
Context-specific passwords: company name, username, email
Sequential/repeated patterns: qwerty, 123456, etc.
Recent 5 previously used passwords

3. Password Lifecycle

3.1 Initial Password

System generates a one-time password (OTP) or sends an activation link
First password expires after 24 hours
Password change is required on first login

3.2 Password Change

Per NIST SP 800-63B (2024 update), periodic forced password rotation is not recommended because it leads to predictable patterns.

Password change is required when:

Compromise is confirmed or suspected
The system detects a breach
An account shows signs of unauthorized access

For service accounts and API keys: rotation every 180 days is recommended.

Password history: the new password must not match the last 5 passwords used.

3.3 Self-Service Password Reset (SSPR)

User clicks "Forgot Password"
System sends a verification code to the registered email
Code is valid for no more than 15 minutes (one-time use)
After resetting, the user must set a new password that passes all checks

3.4 Failed Login Attempts

Parameter	Value
Max failed attempts (regular users)	10
Max failed attempts (admins)	5
Max failed attempts for service accounts	3 (immediate alert)
Lockout backoff	1, 2, 4, 8, 16, 32 min... (exponential)
Session timeout (inactive)	15 minutes
Account unlock	Email/SMS verification or admin reset

4. Multi-Factor Authentication (MFA)

MFA is strongly recommended for all users and mandatory for administrators.

Supported MFA methods (in priority order):

FIDO2 / WebAuthn — hardware security keys (most secure)
Passkeys — device-linked biometric authentication
TOTP — Google Authenticator, Microsoft Authenticator, Authy
Push notifications — with context to prevent MFA fatigue
SMS / Voice OTP — least preferred, vulnerable to SIM swap
Email OTP — only when email is verified

5. Storage and Transmission

5.1 Password Hashing

Passwords are never stored in plain text
Hashing algorithm: Argon2id (preferred), bcrypt (cost ≥ 12), or scrypt
Each password has a unique salt (minimum 128 bits)
MD5, SHA-1, SHA-256 are not used for password hashing

5.2 Transmission Security

TLS 1.2+ required for all connections (TLS 1.3 preferred)
Passwords are never transmitted via insecure channels or in URL parameters
HSTS headers enabled on all LMS endpoints

6. Single Sign-On (SSO)

The LMS supports integration with external identity providers:

Protocols: SAML 2.0, OAuth 2.0 / OpenID Connect (OIDC)
Identity Providers: Microsoft Entra ID (Azure AD), Google Workspace, Okta, Keycloak
MFA for SSO: enforced by the IdP, with mandatory fallback on LMS side

7. Audit and Monitoring

All authentication events are logged:

Successful/failed login attempts (date, time, IP, user-agent, user ID)
Password changes and resets
MFA enrollment/removal
Account lockout/unlock

Alert triggers:

5+ failed logins in 5 minutes from one IP — automatic IP block
Login from a new geolocation — user notification + additional verification
Brute force detected — security team alert

8. User Training

All LMS users are advised to:

Use passphrases: 3-4 random words + number (example: "horse-battery-staple-7")
Use a password manager: Bitwarden (free), 1Password, KeePass
Enable MFA on all accounts
Never share passwords, use "password", "12345678", or the LMS name

9. Compliance and Review

This policy is reviewed and updated:

Annually — as a regular review cycle
When security incidents occur that affect the LMS
When new regulatory requirements emerge (NIST, ISO 27001, national legislation)

Approved by: System Administrator / IT Director

Document Info

Version: 1.0

Effective date: March 21, 2026

Next review: March 2027

Based on NIST SP 800-63B (2024) + ISO 27001