To avoid potential security incidents, Oso requires employees to follow password requirements.
This policy applies to passwords for any application or server accessed by Oso employees, contractors, or vendors. It does not apply to the passwords customers of Oso use to access the Oso service. The Oso service does not permit the use of username and password authentication.
Passwords must be unique for each use.
Default passwords on all systems are changed after installation.
Passwords do not need to be regularly rotated. However, if a password is known or thought to be compromised, it must be rotated to a new password.
Where a third-party application supports single sign-on, it must be used.
Where a third-party application supports multi-factor authentication, it must be used. Use of multi-factor authentication is enforced where possible.
Acceptable forms of multi-factor authentication include authentication apps or a WebAuthn token. Embedded tokens (e.g., TouchID) are permitted. WebAuthn hardware or embedded hardware tokens are preferred to authentication apps.
Oso requires the use of WebAuthn hardware tokens (e.g., YubiKeys) for authenticating to internal employee-only systems with access to SENSITIVE or CRITICAL data.
Where SSO is not used, and where possible, passwords should be randomly-generated and stored in a password manager.
Passwords should be stored encrypted at rest.
Access to servers, for both production as well as development and testing infrastructure, must be with a password and MFA or with per-user public keys (e.g., SSH keys).
Federated authentication (e.g., OIDC or AWS IAM) should be used for automated processes where possible.
Automated processes, including deployment or CI/CD tools that use passwords or API keys to access and communicate with other systems, should encrypt them at rest.
End user devices must use passwords to encrypt their disks and unlock the device. These must be unique for each individual but may be reused across an individual’s devices.
Access to third party applications must use SSO where possible, MFA where possible, and enforce MFA where possible. Each application must have a randomly-generated password stored in a password manager.
The choice of authentication provider should be selected from the first available option of the following:
(@osohq organization membership)
An individual’s password for their password management vault must be unique.