Password Policy


Passwords are an important aspect of computer security. A poorly chosen password may result in unauthorized access and/or exploitation of Tuxis's resources. All users, including contractors and vendors with access to Tuxis systems, are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.


The purpose of this policy is to establish a standard for creation of strong passwords and the protection of those passwords.


The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Tuxis facility, has access to the Tuxis network, or stores any non-public Tuxis information.


Password Protection

  • Passwords must not be shared with anyone. All passwords are to be treated as sensitive, Confidential Tuxis information.
  • Do not write passwords down and store them anywhere in your office.
  • When passwords are stored in a file on a computer system or mobile device (phone, tablet), the file must be encrypted with 256-bit AES or better.
  • The "Remember Password" feature of applications (for example, web browsers) must be protected with a master password. The application must encrypt the stored passwords.
  • Any user suspecting that his/her password may have been compromised must report the incident and change all passwords.

Password Creation

  • All user-level and system-level passwords must conform to the Password Construction Guidelines.
  • Users must not use the same password for Tuxis accounts as for other non-Tuxis access (for example, personal ISP account, option trading, benefits, and so on).
  • Where possible, users must not use the same password for various Tuxis access needs.
  • All passwords should meet or exceed the following guidelines:
  • Contain at least 12 alphanumeric characters.
  • Contain both upper and lower case letters.
  • Contain at least one number (for example, 0-9).
  • Contain at least one special character (for example, !$%^&*()_+|~-=\`{}[]:";'<>?,/).
  • Cannot be found in a dictionary, including foreign language, or exist in a language slang, dialect, or jargon.
  • Must not contain personal information such as birthdates, addresses, phone numbers, or names of family members, pets, friends, and fantasy characters.
  • Must not contain work-related information such as building names, system commands, sites, companies, hardware, or software.
  • Must not contain letter or number patterns such as aaabbb, qwerty, zyxwvuts, or 123321.
  • Must not contain common words spelled backward, or preceded or followed by a number (for example, terces, secret1 or 1secret).
  • May not be some version of “Welcome123”, “Password123”, or “Changeme123”.