Password Policy
Overview
Strong passwords are a fundamental component of MenoTime's security posture. This document defines password requirements for both AWS IAM accounts and application accounts used by healthcare providers and staff.
Golden Rule: Never share, store, or commit credentials. All credentials must be managed through AWS Secrets Manager.
AWS IAM Password Policy
All AWS IAM users at MenoTime must comply with the following mandatory password policy. This policy is enforced at the AWS account level.
Password Requirements
| Requirement | Value | Purpose |
|---|---|---|
| Minimum length | 14 characters | Increases brute-force attack difficulty |
| Uppercase letters | Required (A-Z) | Increases character set entropy |
| Lowercase letters | Required (a-z) | Increases character set entropy |
| Numbers | Required (0-9) | Increases character set entropy |
| Symbols | Required (!@#$%^&*) | Maximizes entropy and complexity |
| Password expiration | 90 days | Forces regular password rotation |
| History | 24 previous passwords | Prevents reuse of old passwords |
| Grace period | 1 day after expiration | Allows users to change password before forced reset (see Password Expiration and Reset below) |
Example Valid Passwords
✓ TL@Menop2024#Bio
✓ Biotech$Secure44Pwr
✓ TimelessP@ss2024#Health
Example Invalid Passwords
✗ Password123 — Too short (11 chars), missing symbol
✗ password@2024 — Missing uppercase letter
✗ TIMELESS@2024 — Missing lowercase letter
✗ Timeless2024! — Repeats across environments (see below)
Setting the AWS IAM Password Policy
The IAM password policy is managed centrally and applies to all IAM users. To view or update the policy, the AWS Account Administrator must use the following AWS CLI command:
View Current Password Policy
```bash
aws iam get-account-password-policy
```
Set Password Policy (AWS CLI)
```bash
aws iam update-account-password-policy \
  --minimum-password-length 14 \
  --require-symbols \
  --require-numbers \
  --require-uppercase-characters \
  --require-lowercase-characters \
  --allow-users-to-change-password \
  --max-password-age 90 \
  --password-reuse-prevention 24 \
  --no-hard-expiry
```
Parameters Explained
- `--minimum-password-length 14`: minimum 14-character password
- `--require-symbols`: must include special characters (e.g., !@#$%^&*)
- `--require-numbers`: must include 0-9
- `--require-uppercase-characters`: must include A-Z
- `--require-lowercase-characters`: must include a-z
- `--allow-users-to-change-password`: users can change their own passwords
- `--max-password-age 90`: passwords expire after 90 days. Setting a maximum age is what enables expiration; the CLI has no separate `--expire-passwords` flag
- `--password-reuse-prevention 24`: prevent reuse of the last 24 passwords. This flag takes the history size directly; the CLI has no separate `--history-size` flag
- `--no-hard-expiry`: users can still sign in after their password expires and are prompted to set a new one (the grace period). The opposite, `--hard-expiry`, locks expired users out until an administrator resets the password
Application Password Policy
Healthcare providers and application users who access MenoTime through the web interface must also follow strong password standards.
Application Password Requirements
| Requirement | Value |
|---|---|
| Minimum length | 12 characters |
| Uppercase letters | Required |
| Lowercase letters | Required |
| Numbers | Required |
| Symbols | Recommended |
| Password expiration | 180 days |
| Password history | 5 previous passwords |
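The two policy tables above can be enforced in code before a password reaches AWS or the application. The following checker is an added example, not MenoTime's own code: it encodes the AWS IAM table (14 characters, all four character classes, 24-password history) and the application table (12 characters, symbols recommended, 5-password history), reports every rule a candidate fails rather than stopping at the first, and performs the history check against fingerprints of earlier passwords so old passwords never have to be kept in the clear. The fingerprint function, the `Policy` dataclass and the symbol set (taken from the characters AWS IAM accepts) are assumptions of this example; the SHA-256 fingerprint stands in for the stored Argon2id/bcrypt hash described in the Password Storage Standards section.

```python
import hashlib
import hmac
import string
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Symbol characters accepted by AWS IAM password policies (assumption of this example).
SYMBOLS = set("!@#$%^&*()_+-=[]{}|'")


@dataclass(frozen=True)
class Policy:
    name: str
    min_length: int
    require_upper: bool
    require_lower: bool
    require_digit: bool
    require_symbol: bool   # False means "recommended": reported as a warning, not an error
    history_size: int


# The two tables from this document expressed as data.
AWS_IAM_POLICY = Policy("AWS IAM", 14, True, True, True, True, 24)
APP_POLICY = Policy("Application", 12, True, True, True, False, 5)


def password_fingerprint(password: str) -> str:
    """Stand-in for the stored password hash; used only to compare against history."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password: str, policy: Policy,
                   history: Optional[List[str]] = None) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings). An empty errors list means the password is compliant."""
    errors: List[str] = []
    warnings: List[str] = []
    if len(password) < policy.min_length:
        errors.append(f"too short ({len(password)} chars, minimum {policy.min_length})")
    if policy.require_upper and not any(c in string.ascii_uppercase for c in password):
        errors.append("missing uppercase letter")
    if policy.require_lower and not any(c in string.ascii_lowercase for c in password):
        errors.append("missing lowercase letter")
    if policy.require_digit and not any(c in string.digits for c in password):
        errors.append("missing number")
    if not any(c in SYMBOLS for c in password):
        (errors if policy.require_symbol else warnings).append("missing symbol")
    # History check: compare fingerprints in constant time against the last N entries.
    fingerprint = password_fingerprint(password)
    for previous in (history or [])[-policy.history_size:]:
        if hmac.compare_digest(fingerprint, previous):
            errors.append(f"reuses one of the last {policy.history_size} passwords")
            break
    return errors, warnings


def is_compliant(password: str, policy: Policy, history: Optional[List[str]] = None) -> bool:
    return not check_password(password, policy, history)[0]


if __name__ == "__main__":
    # Constructed inputs: the example passwords listed earlier in this document.
    for candidate in ["Password123", "password@2024", "TIMELESS@2024", "TL@Menop2024#Bio"]:
        print(candidate, check_password(candidate, AWS_IAM_POLICY))
```

Run at registration or password-change time, the errors list is what the user should see in full; the warnings list carries the "recommended" items that the application policy does not block on.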
Guidance for Providers
- Use a unique password — Never reuse passwords across different systems or accounts
- Use a password manager — Consider using KeePass, 1Password, or Bitwarden to store passwords securely
- Change password immediately if compromised
- Never share application credentials with colleagues (create separate accounts for each user)
- Request password reset if you forget your password; do not write it down
Password Storage Standards
MenoTime never stores passwords in plain text. All passwords are hashed and salted using industry-standard algorithms.
Hashing Algorithm
Algorithm: Argon2id (preferred) or bcrypt (acceptable alternative)
- Argon2id: OWASP-recommended password hashing algorithm; provides memory-hard protection against GPU/ASIC attacks
- bcrypt: Industry standard; acceptable for legacy systems; provides salt and work factor (rounds=12+)
Implementation Example (Python, argon2-cffi)
```python
# User registration. Parameters follow the OWASP minimum for Argon2id:
# 19 MiB of memory, 2 iterations, 1 lane.
from argon2 import PasswordHasher
from argon2.exceptions import VerifyMismatchError

hasher = PasswordHasher(time_cost=2, memory_cost=19456, parallelism=1)

password = "TL@Menop2024#Bio"
# hash() generates a fresh random salt and embeds it in the encoded string,
# so only the encoded hash needs to be stored; no separate salt column is required.
encoded_hash = hasher.hash(password)
store_in_database(user_id, encoded_hash)   # application-specific persistence

# User login
user_input = "TL@Menop2024#Bio"
stored_hash = retrieve_from_database(user_id)   # application-specific lookup
try:
    hasher.verify(stored_hash, user_input)   # raises VerifyMismatchError on a wrong password
    grant_access()
except VerifyMismatchError:
    deny_access()
```
Never Do This
- ✗ Store passwords in plain text
- ✗ Use weak hashing (MD5, SHA1 without salt)
- ✗ Log or display passwords in application logs
- ✗ Store passwords in version control (Git)
- ✗ Email passwords to users
Credential Management
Rule: Never Share Credentials
Credentials must never be:
- Shared between team members
- Hardcoded in source code
- Stored in configuration files
- Written in documentation
- Sent via email or chat
Rule: Use AWS Secrets Manager
All credentials, API keys, database passwords, and secrets must be stored in AWS Secrets Manager.
Secrets Manager Best Practices
- Store secrets centrally — One source of truth for all credentials
- Enable rotation — Automatic password rotation for database credentials (every 30 days)
- Encrypt at rest — All secrets encrypted with KMS (AES-256)
- Audit access — CloudTrail logs all secret access
- Least privilege — Grant secret access only to services/users that need it
- No copy-paste — Retrieve secrets programmatically from Secrets Manager
Retrieving Secrets Programmatically
Python Example:
```python
import json

import boto3
from botocore.exceptions import ClientError

client = boto3.client('secretsmanager', region_name='us-east-1')

try:
    secret_response = client.get_secret_value(
        SecretId='menotime/rds/prod-password'
    )
    secret = json.loads(secret_response['SecretString'])
    db_password = secret['password']
except ClientError as e:
    # Log the failure, never the secret value, and do not continue without it
    print(f"Error retrieving secret: {e}")
    raise
```
Node.js Example:
```javascript
const AWS = require('aws-sdk');

const client = new AWS.SecretsManager({
  region: 'us-east-1'
});

client.getSecretValue({ SecretId: 'menotime/rds/prod-password' }, (err, data) => {
  if (err) {
    // Log the failure, never the secret value
    console.error(`Error: ${err}`);
  } else {
    const secret = JSON.parse(data.SecretString);
    const dbPassword = secret.password;
  }
});
```
Bash Example:
```bash
#!/bin/bash
set -euo pipefail

SECRET=$(aws secretsmanager get-secret-value \
  --secret-id menotime/rds/prod-password \
  --region us-east-1 \
  --query SecretString \
  --output text)
# Quote the variable so the JSON is passed to jq unchanged
DB_PASSWORD=$(printf '%s' "$SECRET" | jq -r '.password')
```
Secrets Manager Structure
Store secrets in JSON format for multiple related credentials:
```json
{
  "username": "menotime_user",
  "password": "TL@Secure$Pass2024",
  "host": "menotime-prod.cluster-xxxx.us-east-1.rds.amazonaws.com",
  "port": 5432,
  "dbname": "menotime_prod",
  "engine": "postgres"
}
```
Environment-Specific Credentials
MenoTime maintains three separate environments: DEV, STAGING, and PROD. Each environment has unique credentials.
Environment Separation
| Environment | Purpose | Data | Access |
|---|---|---|---|
| DEV | Development & testing | Test data only (no real patient data) | All developers |
| STAGING | Pre-production validation | De-identified production-like data | Dev team + QA |
| PROD | Production system | Real patient data (PHI) | Limited to ops/infra |
Credential Rotation Schedule
- DEV credentials: 60-day rotation
- STAGING credentials: 45-day rotation
- PROD credentials: 30-day rotation
Secrets Manager Naming Convention
menotime/[environment]/[service]/[credential-type]
Examples:
- menotime/dev/rds/password
- menotime/staging/rds/password
- menotime/prod/rds/password
- menotime/prod/ses/api-key
- menotime/prod/slack/webhook-url
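The naming convention and the per-environment rotation schedule above can be audited together: the environment segment of a secret's name tells you how old it is allowed to be. The following script is an added example and not MenoTime's own tooling. It parses names of the form `menotime/[environment]/[service]/[credential-type]`, applies the DEV 60 / STAGING 45 / PROD 30-day schedule, and flags secrets whose `LastChangedDate` is older than the interval. Names that do not follow the convention are reported as well, since a mis-named secret is one an environment-scoped rotation job will never find. The input records are constructed here in the shape of the `Name` and `LastChangedDate` fields that boto3's `list_secrets` returns; the sample deliberately includes `menotime/rds/prod-password`, the identifier used in the retrieval examples above, which does not match the convention.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Rotation schedule from this document, keyed by the environment segment of the name.
ROTATION_DAYS = {"dev": 60, "staging": 45, "prod": 30}


def parse_secret_name(name: str) -> Optional[Dict[str, str]]:
    """Split a convention-compliant name into its parts; None if it does not match."""
    parts = name.split("/")
    if len(parts) != 4 or parts[0] != "menotime" or parts[1] not in ROTATION_DAYS or not all(parts):
        return None
    return {"environment": parts[1], "service": parts[2], "credential_type": parts[3]}


def rotation_status(secret: Dict, now: datetime) -> Dict:
    """Classify one secret record as 'ok', 'overdue' or 'unrecognised-name'."""
    parsed = parse_secret_name(secret["Name"])
    if parsed is None:
        return {"name": secret["Name"], "status": "unrecognised-name"}
    max_age = timedelta(days=ROTATION_DAYS[parsed["environment"]])
    age = now - secret["LastChangedDate"]
    return {
        "name": secret["Name"],
        "environment": parsed["environment"],
        "age_days": age.days,
        "status": "overdue" if age > max_age else "ok",
    }


def audit(secrets: List[Dict], now: datetime) -> List[Dict]:
    """Return only the records that need attention."""
    return [r for r in (rotation_status(s, now) for s in secrets) if r["status"] != "ok"]


# Constructed sample in the shape of boto3 list_secrets() output; not real account data.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_SECRETS = [
    {"Name": "menotime/prod/rds/password", "LastChangedDate": NOW - timedelta(days=10)},
    {"Name": "menotime/prod/ses/api-key", "LastChangedDate": NOW - timedelta(days=31)},
    {"Name": "menotime/dev/rds/password", "LastChangedDate": NOW - timedelta(days=59)},
    {"Name": "menotime/staging/rds/password", "LastChangedDate": NOW - timedelta(days=46)},
    {"Name": "menotime/rds/prod-password", "LastChangedDate": NOW - timedelta(days=1)},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_SECRETS, NOW):
        print(finding)
```

In a real run the `SAMPLE_SECRETS` list would be replaced by paging through `list_secrets`, which needs only `secretsmanager:ListSecrets`, so the audit job never needs permission to read secret values.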
Password Expiration and Reset
When Your Password Expires
- You will receive an email notification 7 days before expiration
- Log in to AWS IAM console or use AWS CLI to change your password
- Grace period: You can continue logging in for 1 day after expiration
- After grace period expires: Your account is locked until password is reset
Password Expiration CLI Command
If your password has expired, reset it using the AWS CLI. The command changes the console password of the IAM user whose access keys the CLI is configured with, so it takes no `--user-name` option:
```bash
aws iam change-password \
  --old-password [current-password] \
  --new-password [new-password]
```
Requesting a Password Reset
If you forget your password:
- Contact AWS Account Administrator
- Wait for the password reset email; it will be sent to your registered email address
- Click the reset link and create a new password
- Log in with new password
Compliance
Password Policy Auditing
- Monthly review: AWS Security Hub checks password policy compliance
- Quarterly audit: Manual verification that all IAM users have compliant passwords
- Annual assessment: Third-party security audit validates password practices
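The quarterly check can be automated against the output of `aws iam get-account-password-policy` (or the equivalent boto3 call). The checker below is an added example, not part of this document or MenoTime's tooling. `required_policy()` restates the AWS IAM Password Policy table using the field names of the `PasswordPolicy` object that the API returns, and `find_deviations()` lists every field whose configured value is weaker than required; a longer minimum length, a larger reuse-prevention count or a shorter maximum age is accepted as stricter. The sample response is constructed to show a non-compliant account.

```python
import json
from typing import Dict, List


def required_policy() -> Dict[str, object]:
    """The AWS IAM policy table from this document, in PasswordPolicy field names."""
    return {
        "MinimumPasswordLength": 14,
        "RequireSymbols": True,
        "RequireNumbers": True,
        "RequireUppercaseCharacters": True,
        "RequireLowercaseCharacters": True,
        "AllowUsersToChangePassword": True,
        "ExpirePasswords": True,
        "MaxPasswordAge": 90,
        "PasswordReusePrevention": 24,
        "HardExpiry": False,   # grace period: expired users may still sign in and change the password
    }


def find_deviations(policy: Dict[str, object]) -> List[str]:
    """Return one line per field whose configured value is weaker than the requirement."""
    findings: List[str] = []
    for field, wanted in required_policy().items():
        actual = policy.get(field)   # absent fields (e.g. no reuse prevention set) count as weaker
        if field in ("MinimumPasswordLength", "PasswordReusePrevention"):
            ok = actual is not None and actual >= wanted   # stricter is acceptable
        elif field == "MaxPasswordAge":
            ok = actual is not None and actual <= wanted   # faster rotation is acceptable
        else:
            ok = actual == wanted
        if not ok:
            findings.append(f"{field}: expected {wanted!r}, got {actual!r}")
    return findings


# Constructed sample response; not taken from a real account.
SAMPLE_RESPONSE = json.loads("""
{
  "PasswordPolicy": {
    "MinimumPasswordLength": 8,
    "RequireSymbols": false,
    "RequireNumbers": true,
    "RequireUppercaseCharacters": true,
    "RequireLowercaseCharacters": true,
    "AllowUsersToChangePassword": true,
    "ExpirePasswords": true,
    "MaxPasswordAge": 90,
    "HardExpiry": false
  }
}
""")

if __name__ == "__main__":
    for line in find_deviations(SAMPLE_RESPONSE["PasswordPolicy"]):
        print(line)
```

An account with no password policy at all makes `get-account-password-policy` fail with `NoSuchEntity` rather than return an empty object, so a scheduled job should treat that error as a finding too.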
Non-Compliance Consequences
Users who do not comply with password policies will:
- First violation: Warning and mandatory password reset
- Second violation: Temporary account suspension (24 hours)
- Third violation: Escalation to management and potential disciplinary action
Questions? Contact the Security Officer at security@timelessbiotech.com.