From 821a9334d89a8fd6161b0071f3f4dc23407fc3a1 Mon Sep 17 00:00:00 2001
From: Maya Kaczorowski <15946341+mayakacz@users.noreply.github.com>
Date: Thu, 27 Jul 2023 14:19:08 -0700
Subject: [PATCH] password policy: suggest edits

---
 password/index.md | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/password/index.md b/password/index.md
index 5d25602..fe77543 100644
--- a/password/index.md
+++ b/password/index.md
@@ -16,7 +16,9 @@ This policy applies to passwords for any application or server accessed by Tails
 
 Passwords must be unique for each use.
 
-Default passwords on all systems are changed after installation. 
+Passwords must be randomly generated.
+
+Default passwords on all systems are changed after installation. Initial passwords generated for new users must be changed after login.
 
 Passwords do not need to be regularly rotated. However, if a password is known or thought to be compromised, it must be rotated to a new password.
 
@@ -32,12 +34,16 @@ Acceptable forms of multi-factor authentication include authentication apps or a
 
 ### Password manager
 
-Where SSO is not used, and where possible, passwords should be randomly-generated and stored in a password manager.
+Where SSO is not used, and where possible, passwords should be stored in a password manager.
 
 ### Encryption at rest
 
 Passwords should be stored encrypted at rest.
 
+### Logging
+
+Passwords should not be logged.
+
 ### Requirements for specific use cases
 
 #### Servers
@@ -46,14 +52,14 @@ Access to servers, for both production as well as development and testing infras
 
 #### Automated processes
 
-Automated processes, including deployment or CI/CD tools, should use passwords or API keys to access and communicate with other systems. These should be encrypted at rest.
+Automated processes, including deployment or CI/CD tools, should use passwords or API keys to access and communicate with other systems. Passwords used in scripts must be encrypted at rest.
 
 #### End user devices
 
-End user devices must use passwords to encrypt their disks and unlock the device. These must be unique for each individual but may be reused across an individual’s devices.
+End user devices must use passwords to encrypt their disks and unlock the device. These must be unique for each individual but may be reused across an individual’s devices. These do not need to be randomly generated.
 
 #### SaaS applications or other software
 
-Access to third party applications must use SSO where possible, MFA where possible, and enforce MFA where possible. Each application must have a randomly-generated password stored in a password manager.
+Access to third party applications must use SSO where possible, MFA where possible, and enforce MFA where possible.
 
-An individual’s password for their password management vault must be unique.
\ No newline at end of file
+An individual’s password for their password management vault must be unique. These do not need to be randomly generated.
\ No newline at end of file