Database Passwords Policy

Version: 1.00Issue Date: 1/20/2015

This Database Passwords Policy specifies database account storage requirements and how they may be accessed.

1.0 Overview

This Database Passwords Policy will help ensure that data stored in databases is kept secure by setting policies of configuration and use to prevent theft or abuse of database authentication account information.

2.0 Purpose

This Database Passwords Policy is intended to ensure security of accounts used to access databases in order to protect the security of the data stored in them.

3.0 Scope

This Database Passwords Policy applies to all databases used by the organization or maintained for the organization. This policy is effective as of the issue date and does not expire unless superceded by another policy.

4.0 Definitions

  • Database Password - A password used to access a database.
  • Hash - A mathematical operation on a number or value intended as a one way function so the hash value is unique but the original value cannot be recreated.

The differences between confidential, sensitive, and private are negligable and somewhat obscure, so the use of more than one of these terms to describe a data class would not be very effective.

5.0 Database Account Storage Requirements

  • Files containing account user names and passwords in clear text or reversible encryption form which are used to access databases may not be readable by anyone meaning they may not be world readable.
  • Account usernames and passwords used to access databases are required to be stored in a separate file not included with program code. The file that contains the account access credentials cannot contain other program code other than the code that is used to access the account access credentials.
  • All passwords, account names, and pass phrases must comply with the Password Policy.
  • Account usernames and passwords used to access databases may not be kept in the documents tree of a web server.
  • The file that contains the database account user names and passwords must not be in the same directory where the executing code is stored.
  • Remote user authentication on a host must not provide access to the database without additional authentication.
  • A hash number that is used for identifying whether a database login was accurate may be stored in a file with program code. This should only be done when required since changing the credentials would require the program code file to change which is not good practice.
  • An authentication server may be used to authenticate to a database. The authentication server may be used by a program to access a database to authenticate to the database.

6.0 Database Account Retrieval Requirements

  • When the database user names and passwords are read by the source code and used to authenticate to the database, the memory that is used to store the credentials must be released or cleared as soon as the authentication process is complete.

7.0 Database Account Requirements

  • A process must be in place and used by developer groups to be sure the accounts used for database access are compliant with the Password Policy including minimum complexity rules and how often the password is changed. Only those who need to know should have access to the database account information.
  • Each program must have its own unique account name for accessing any database. Multiple programs or users may not share the same accounts.

8.0 Other Applicable Policies

  • Password Policy

9.0 Enforcement

Since proper configuration and use of database passwords is key in protecting data stored by the organization and preventing damage, employees that purposely violate this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.


Approved by:__________________________ Signature:_____________________ Date:_______________