Password Policy

STATEMENT of POLICY and PROCEDURE
Department: Information Systems
Policy No.: 6.01
Name: Password Policy
Review Frequency: 3 years
Approved by: Management
Replaces:
Effective date: August 1, 2025
Dated:

1    OVERVIEW

To ensure the security and integrity of data at MakeWay Foundation (“MakeWay”), all employees and personnel with access to MakeWay Systems (digital tools, platforms, and technologies the organization uses to support its operations, communication, data management, and service delivery) are required to follow the password policies outlined below. These measures are crucial for protecting staff, securing our resources, maintaining data integrity, preserving the confidentiality of sensitive information, and preventing fraud.

2    PURPOSE

The purpose of this policy is to protect MakeWay resources through the implementation of robust password practices, including the creation of strong passwords and a process of safeguarding those passwords.

3     SCOPE

This policy applies to all staff, contractors, and anyone with any form of account requiring a password on MakeWay systems. In addition, any device used by staff, contractors, or any agent acting on behalf of MakeWay which has access to MakeWay resources must have a secure way to access the device.

4    PASSWORD CREATION

4.01        Best Practices for the creation of passwords:

  • Length: 15-64 characters are recommended.
  • Character types: Nonstandard characters (! @ # $ % ^ & * etc…)
  • Construction: Long passphrases are encouraged.
  • Reset: Required only if the password is compromised or forgotten.
  • Multi-Factor Authentication (MFA): Encouraged in all but the least sensitive applications.
  • Random passphrases provide the best combination of memorability and security.

We recommend that you use passphrases, as they are longer and easier to remember than a password made up of random, mixed characters. 

5    PASSWORD AND DEVICE PROTECTION

5.01    Do not give your password(s) out to anyone under any circumstances through any medium. MakeWay and the Information Systems Team (“IS”) do not need your password and should not ask for it. IS is able to provide support to your account, computer, and systems without knowing your password.
Your initial MakeWay Account password (Microsoft), upon creation of your account, should be changed immediately and protected with MFA.

  • Occasionally, IS may ask for your laptop PIN; providing the PIN still keeps your password protected.
  • Keep your makeway.org (Microsoft) account password in memory only.
  • Use a unique password for every platform.
  • Keep your password physically hidden when typing it in a public setting.
  • If managing multiple passwords is an issue, or shared departmental accounts must be used, a password manager should be used to manage credentials securely. Consult with IS about your needs.

5.02        Any device used by staff, contractors, or any agent acting on behalf of MakeWay which has access to MakeWay resources must have a secure way to access the device, such as biometric authentication for a phone, a PIN on a laptop or phone, or basic PIN protection on a smart watch.

6    RESPONSIBILITY TO REPORT

6.01        If a user suspects that their password may have been disclosed or compromised in any way, it is important to report the incident immediately to IS by emailing [email protected]. Users must not use the compromised password and must follow the organization's incident response procedures for password resets and security measures. Prompt reporting of password compromises is essential to mitigate the risk of unauthorized access and protect the security of MakeWay resources and data.