Security / SEC-003
Security Standard

SEC-003 — Password Lifecycle

Defines password generation, reuse prohibition, event-driven rotation, and post-rotation validation.

Document: SEC-003Type: StandardStatus: ApprovedOwner: Engineering OperationsVersion: 4.2.0Updated: 2026-07-17

Password Requirements

  • Use a unique generated password for every platform.
  • Never reuse a personal password for company services.
  • Prefer passkeys where supported and operationally recoverable.
  • Store credentials only in the approved password manager.

Rotation Policy

Cloudberrie does not rotate strong passwords on an arbitrary short schedule. Rotate immediately when:

  • A credential may have been exposed.
  • An authorized person leaves or loses responsibility.
  • A vendor reports a breach or suspicious activity.
  • The password was reused, weak, shared insecurely or saved in an unapproved location.
  • Platform access logs show unexplained activity.

After Rotation

  1. Update Apple Passwords.
  2. Revoke existing sessions and obsolete API tokens where supported.
  3. Retest MFA and recovery access.
  4. Record the reason and date in the protected entry.
  5. Update affected deployment secrets without placing them in source control.