Password & Authentication Policy

1. Purpose

To establish requirements for strong authentication across Backpack Works systems.

2. Requirements

• Passwords must be unique per system and at least 12 characters.
• All personnel use a company-approved password manager (1Password) to generate and store credentials.
• Multi-factor authentication is required wherever supported, and always for email, source control, cloud consoles, and any system with client data.
• Default credentials must be changed before a system is used.
• Credentials must never be hard-coded in source code or shared over chat or email.

3. Compromised credentials

Suspected credential compromise must be reported to security@backpack.works immediately and the affected credentials rotated.

4. Review

This policy is reviewed at least annually.