Version: 1.0
Effective Date: 3rd March 2026
Review Cycle: Annual (or after significant security changes)
Purpose
To provide clear password creation requirements for all staff, contractors, and third parties who access H&H Group systems. Following these rules helps safeguard company data and accounts from unauthorised access.
Scope
- Applies to all user accounts on H&H Group company systems.
- Includes staff, contractors, and any external users with access.
- Covers passwords for web, mobile, SaaS, infrastructure, admin panels, and developer accounts.
Password Requirements
When creating or updating a password in our systems, you must comply with the following rules:
1. Length
- Passwords must be at least 8 characters.
- Passwords must be no longer than 64 characters.
2. Whitespace
- Passwords cannot start or end with spaces.
3. Composition
- Passwords must not consist only of letters (e.g. “abcdefg” is NOT allowed).
- Passwords must not consist only of numbers (e.g. “12345678” is NOT allowed).
- Passwords must contain at least one of each of the following:
  - Uppercase letter (A–Z)
  - Lowercase letter (a–z)
  - Number (0–9)
  - Symbol: one or more of these: ! @ # $ % ^ & * = – _
4. Common Passwords
- Passwords must not be extremely common (e.g. ‘password’, ‘123456’, ‘qwerty’).
- Our systems automatically check for these; you will be required to choose a different password if yours is detected as unsafe.
5. Personal Information
- Passwords must not include your username.
- Passwords must not include the part of your email address before the “@”.
Additional Recommendations
- Do not reuse passwords across different services.
- Use a password manager, such as Google Password Manager or NordPass, to create and store strong, unique passwords.
- Never share your passwords with anyone. The company will never request your password by email or chat.
- Change your password promptly if you suspect it has been seen or compromised.
Enforcement
- Passwords that do not meet policy requirements will be rejected by our systems.
- If an account is found with a password that does not comply with this or any future version of the policy, you will be required to update your password before gaining access to H&H Group systems.
Approved by: Jamie Machon
Position: Digital Team Leader
Approval Date: 8th October 2025
Summary Table (for reference):
| Requirement | Allowed? |
| --- | --- |
| Length 8–64 | Yes |
| Spaces at start/end | No |
| Only letters (A–Z, a–z) | No |
| Only numbers (0–9) | No |
| Must include upper, lower, number, symbol | Yes (all required) |
| Allowed symbols | ! @ # $ % ^ & * = – _ |
| Common password | No |
| Contains username/email (before “@” part) | No |