User and device authentication to information systems is protected by passwords that meet GitLab's password policy guidelines. For systems involved in payment card processing, GitLab requires those systems and system users to change passwords quarterly.
By ensuring passwords are implemented when and where appropriate, sensitive and valuable data is protected from unauthorized access and use. Enforcing GitLab's password complexity requirements further protects that data by reducing the risk of brute force and dictionary attacks that aim to guess user passwords.
This control applies to all systems within our production environment. The production environment includes all endpoints and cloud assets used in hosting GitLab.com and its subdomains. This may include third-party systems that support the business of GitLab.com.
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the Password Authentication control issue.
Examples of evidence an auditor might request to satisfy this control: