Version: 1.1  |  Effective Date: 3rd March 2026  |  Review Cycle: Annual (or after significant security changes)

Purpose

To provide clear password creation requirements for all staff, contractors, and third parties who access H&H Group systems. Following these rules helps safeguard company data and accounts from unauthorised access.

Scope

  • Applies to all user accounts on H&H Group company systems.
  • Covers passwords for bespoke websites, native applications, infrastructure, and admin panels developed by the H&H digital department.
  • Includes staff, contractors, and any external users with access.

Password Requirements

  1. Length
    • Passwords must be at least 8 characters.
    • Passwords must be no longer than 64 characters.
  2. Whitespace
    • Passwords cannot start or end with spaces.
  3. Composition
    • Passwords must not consist only of letters (abcdefg is not allowed).
    • Passwords must not consist only of numbers (12345678 is not allowed).
    • Passwords must contain at least one of each:
      • Uppercase letter (A–Z)
      • Lowercase letter (a–z)
      • Number (0–9)
      • Symbol: ! @ # $ % ^ & * = - _
  4. Common and Breached Passwords
    • Passwords must not be extremely common (e.g. password, 123456, qwerty) or found in breach lists.
    • Our systems automatically check for these; you will be required to choose a different password if yours is detected as unsafe.
  5. Personal Information
    • Passwords must not include your username.
    • Passwords must not include the part of your email address before the “@”.
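
The requirements above, expressed as a validation routine. This is an added example, not H&H Group's own code: the rule codes, the small denylist (constructed sample data) and the case-insensitive matching for rules 4 and 5 are assumptions, and characters outside the listed symbols are treated as not satisfying the symbol requirement.

```python
import string

POLICY_SYMBOLS = set("!@#$%^&*=-_")  # symbol list taken from the policy
# Constructed sample denylist; a real deployment checks a full breach corpus.
SAMPLE_DENYLIST = {"password", "123456", "qwerty", "password1!"}

def check_password(password, username, email, denylist=SAMPLE_DENYLIST):
    """Return the policy rules the password breaks (empty list = accepted)."""
    errors = []
    # 1. Length: 8 to 64 characters inclusive.
    if not 8 <= len(password) <= 64:
        errors.append("length")
    # 2. Whitespace: no leading or trailing space.
    if password[:1] == " " or password[-1:] == " ":
        errors.append("whitespace")
    # 3. Composition: one character from each class. Requiring all four
    #    classes also rules out letters-only and numbers-only passwords.
    classes = [
        ("no_uppercase", set(string.ascii_uppercase)),
        ("no_lowercase", set(string.ascii_lowercase)),
        ("no_digit", set(string.digits)),
        ("no_symbol", POLICY_SYMBOLS),
    ]
    for code, chars in classes:
        if not any(c in chars for c in password):
            errors.append(code)
    # 4. Common/breached: compared case-insensitively (assumption), so a
    #    capitalised variant of a listed password is still rejected.
    lowered = password.lower()
    if lowered in denylist:
        errors.append("common_or_breached")
    # 5. Personal information: substring match, case-insensitive (assumption).
    #    Empty identifiers are skipped because "" is a substring of everything.
    local_part = email.split("@", 1)[0]
    if username and username.lower() in lowered:
        errors.append("contains_username")
    if local_part and local_part.lower() in lowered:
        errors.append("contains_email_local_part")
    return errors
```

Returning every broken rule at once, rather than stopping at the first, lets the password form show the user everything that needs fixing in a single attempt.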

Additional Recommendations

  • Do not reuse passwords across different services.
  • Use a password manager, such as Google Password Manager or NordPass, to create and store strong, unique passwords.
  • Never share your passwords with anyone. The company will never request your password by email or chat.
  • Change your password promptly if you suspect it has been seen or compromised.

Enforcement

  • Passwords that do not meet policy requirements will be rejected by our systems.
  • If an account is found with a password that does not comply with this or any future version of the policy, you will be required to update your password before gaining access to H&H Group systems.

Approved by: Jamie Machon
Position: Digital Team Leader
Approval Date: 7th April 2026

Summary Table (for reference)

Requirement                                  Allowed?
Length 8–64                                  Yes
Spaces at start/end                          No
Only letters (A–Z, a–z)                      No
Only numbers (0–9)                           No
Must include upper, lower, number, symbol    Yes (all required)
Allowed symbols                              ! @ # $ % ^ & * = - _
Common/breached password                     No
Contains username/email (before “@” part)    No