This is a Controlled Document
Inline with GitLab's regulatory obligations, changes to controlled documents must be approved or merged by a code owner. All contributions are welcome and encouraged.
This document outlines information security password standards intended to protect GitLab information systems and other resources containing confidential (Red and Orange) GitLab data from unauthorized use, where technically feasible.
Applies to all GitLab team members, contractors, advisors, and contracted parties interacting with GitLab computing resources and accessing confidential data.
|GitLab Team Members||Responsible for adhering to the requirements outlined in this standard|
|Security||Responsible for defining and monitoring implementation of these standards for critical applications|
|Security Management (Code Owners)||Responsible for approving significant changes and exceptions to these standards|
Constructing secure passwords and ensuring proper password management is essential. GitLab's password standards are based, in part, on the recommendations by NIST 800-63B. To learn what makes a password truly secure, read this article or watch this conference presentation on password strength.
To make a secure password you can remember, consider using a combination of 5 or more random words. Security questions like "What is your favorite color? What is your mother's maiden name?", etc should be answered with a random non-obvious word or set of words. You can generate answers in 1Password and store them as a note. That way the answer won't be guessable and will be unique across different sites.
For systems where a password can be configured the minimum password length needs to be set to 12 characters.
All GitLab team members are required to use Two Factor Authentication (2FA) whenever possible. Usage of 2FA by GitLab team members is required for access to the production environment. It should be noted that references to MFA (Multi-Factor Authentication) are often included in language associated with third party products and certain compliance references, but the general concept is still covered by the term "2FA". There are different 2FA methods that can be used by GitLab team members. These are ranked by security strength:
For a better understanding of how 2FA fits into GitLab, refer to the Accounts and Passwords section, which includes pointers to setting up passwords, acquiring FIDO2 tokens, and links to further resources. Refer to the Tools and Tips page for more detailed information regarding FIDO2/WebAuthn and other 2FA methods.
Exceptions to this standard will be tracked as per the Information Security Policy Exception Management Process.