What is a Password Policy and How to Create One?

Compromised passwords are a leading reason for data breaches. In fact, more than 80% of hacking-related breaches are caused by password-related issues. A strong password policy can help ensure everyone in your business uses strong passwords.

So what is a password policy? How can you create a standard password policy? And what are password policy best practices? Let’s find out below.

What Is a Password Policy?

A password policy is a set of guidelines that requires everyone in a company to create strong passwords and use them properly, enhancing both computer security and online security.

A standard password policy includes what users need to consider and what they should avoid when creating, changing, storing, or sharing passwords.

For example, your password policy can require users to create longer passwords that include a certain number of special characters.

Depending on your organization’s needs, you can make your password policy advisory or mandatory.

Why are Password Policies Important?

A password policy can help you enforce the practice of using strong, unique passwords in your business to enhance password security.

Here are key reasons why implementing a strong password security policy is critical for your business:

  • Password reuse is a security blunder. A password policy can quickly rule out the practice of password reuse.
  • A strong password policy with a multi-factor authentication clause helps you minimize a wide range of security risks.
  • Everyone in your company will start creating complex passwords and storing them safely. As a result, your passwords will be safer from brute-force attacks and other password-related attacks.
  • A strong password policy signals to your customers and vendors that you are taking strict measures to safeguard passwords. This can help build trust with them.

Last but not least, a password policy cultivates a cybersecurity culture that is of utmost importance in today’s world, as small businesses are increasingly becoming the target of various types of cybersecurity attacks.

How to Create a Standard Password Policy

The following is a step-by-step process to create a strong password policy:

1. Set Password Complexity Requirements

System administrators or IT departments should set password complexity guidelines to ensure strong password creation.

Here are essential password requirements to include in your password policy to help users avoid creating weak passwords:

  • Passwords should be at least ten characters long (longer is better)
  • Users must include uppercase letters, lowercase letters, and special characters in passwords
  • Including misspelled words is a good tactic for creating complex passwords
  • Consider not just the inclusion of various character types but also the avoidance of common substitutions (e.g., “Pa$$w0rd!” should still be considered weak).
  • Encourage the use of passphrase-based passwords, which are longer and can be easier to remember, such as a line from a favorite song or book, with modifications to incorporate complexity.

Brute-force attacks and dictionary attacks can crack simple passwords. So your password policy must include complexity requirements that push users to create passwords that resist these attacks.

2. Create a Password Deny List

In addition to stating what users should do, your password policy should also state what users must avoid when creating passwords.

A password deny list can include the following:

  • Person-related information such as name, date of birth, place of birth, job title, etc.
  • Telephone numbers, house numbers, or street numbers
  • Name of spouse, children, or loved ones
  • Reusing the same password on multiple accounts
  • Regularly update the deny list with passwords exposed in recent breaches, utilizing resources like “Have I Been Pwned” to stay current.
  • Include passwords that attackers commonly try in automated login attempts, even when they are not personal information, such as “admin” or “password1”.

As a rule of thumb, your password policy’s deny list should include any type of personal information and any simple pattern (like QWERTY or 123456).
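The complexity requirements from step 1 and the deny list from step 2 are the kind of rules an identity system can enforce at password-change time. The following is an added example, not code from the original article: a small Python checker that applies the article's rules (at least ten characters; uppercase, lowercase and a special character; nothing from a deny list, even when disguised with common substitutions such as “Pa$$w0rd!”; no personal information; no keyboard or number sequences). The deny-list entries, substitution table and the employee details are constructed samples; a production deployment would feed the deny list from a breach corpus such as Have I Been Pwned.

```python
"""Password policy checker covering complexity rules and a deny list.

Added example (not code from the original article). It assumes the policy:
at least ten characters; uppercase, lowercase and a special character;
no personal information; no commonly guessed passwords, also when disguised
with common substitutions ("Pa$$w0rd!"); no keyboard or number sequences.
The deny list and user details are constructed samples for illustration.
"""
import string

MIN_LENGTH = 10
SPECIALS = set(string.punctuation)

# Constructed deny list: the kind of entries the article describes. In
# production this would be fed from breach corpora such as Have I Been Pwned.
DENY_LIST = {"password", "password1", "admin", "qwerty", "123456",
             "letmein", "welcome", "iloveyou"}

# Common "leet" substitutions that cracking wordlists already try, so they
# add no real strength; undo them before comparing with the deny list.
SUBSTITUTIONS = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                               "3": "e", "4": "a", "5": "s", "7": "t"})

# Keyboard rows and sequences; any four-character run (either direction)
# taken from these is treated as a pattern.
SEQUENCES = ("qwertyuiop", "asdfghjkl", "zxcvbnm",
             string.digits, string.ascii_lowercase)


def normalize(password: str) -> str:
    """Strip decorative digits/punctuation from the ends, lower-case, undo substitutions."""
    core = password.strip(string.punctuation + string.digits).lower()
    return core.translate(SUBSTITUTIONS)


def has_sequence_run(password: str, run: int = 4) -> bool:
    """True if the password contains `run` consecutive keyboard or sequence characters."""
    lowered = password.lower()
    for seq in SEQUENCES:
        for direction in (seq, seq[::-1]):
            for i in range(len(direction) - run + 1):
                if direction[i:i + run] in lowered:
                    return True
    return False


def check_password(password: str, personal_info=()) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        violations.append("no uppercase letter")
    if not any(c.islower() for c in password):
        violations.append("no lowercase letter")
    if not any(c in SPECIALS for c in password):
        violations.append("no special character")

    lowered = password.lower()
    normalized = normalize(password)
    if lowered in DENY_LIST or normalized in DENY_LIST:
        violations.append("matches the deny list (after undoing common substitutions)")

    # Personal information check: names, birth years, employer, etc.
    for item in personal_info:
        token = str(item).lower()
        if len(token) >= 3 and (token in lowered or token in normalized):
            violations.append(f"contains personal information: {item!r}")

    if has_sequence_run(password):
        violations.append("contains a keyboard or number sequence")
    return violations


if __name__ == "__main__":
    # Constructed sample inputs; the employee details are fictional.
    employee = ("Alice", "1985", "Acme")
    for candidate in ("Pa$$w0rd!", "Alice2024!!", "correct horse battery staple",
                      "Qwerty123456!", "Correct-Horse-Battery-7!"):
        result = check_password(candidate, employee)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

Note that the bare passphrase “correct horse battery staple” fails only the uppercase and special-character rules, which is exactly the “modifications to incorporate complexity” the article asks for; the substitution-undoing step is what makes “Pa$$w0rd!” fail the deny list rather than pass as a complex password.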

3. Set a Password Expiration Period

The main idea behind setting a password expiration period is that hackers won’t know whether the passwords they found in an old data breach will work.

For example, suppose your password was disclosed in a data breach two months ago, and you change your password every month. Hackers will not be able to gain access to your account using that leaked password.

Ideally, the password expiration period should be set to three months. But you can adjust this period depending on the needs of your business. Also, you should ensure that your employees don’t reuse the same passwords for other accounts.

  • Balance security with user convenience by considering the use of longer expiration periods for systems with additional security measures (e.g., accounts protected by multi-factor authentication might have longer expiration periods).
  • Implement user-friendly notifications and guides for password changes to encourage compliance without causing frustration.

4. Enforce Multi-factor Authentication

Multi-factor authentication (MFA) can increase the security of accounts in your business. This is because hackers won’t be able to gain access to accounts even if they get hold of the usernames and passwords for those accounts.

Therefore, your password policy must make it mandatory for users to implement MFA for all accounts that allow this feature.

  • Provide training and resources to ensure users understand the importance of MFA and know how to use it effectively.
  • Offer options for MFA methods (e.g., mobile app-based, SMS codes, hardware tokens) to accommodate different user needs and preferences.

5. Include Account Lockout Threshold

The account lockout threshold locks a user account after a certain number of failed login attempts. This feature protects your accounts from brute-force attacks and dictionary attacks.

Ideally, you can set the account lockout threshold to five failed login attempts, combined with an account lockout period of 15 minutes.

  • Implement a progressive increase in lockout duration for repeated lockout triggers to deter attackers while minimizing inconvenience for legitimate users.
  • Offer a secure, user-friendly process for account recovery to reduce the workload on IT support and minimize user downtime.
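The lockout rule above (five failed attempts, 15-minute lockout, progressively longer lockouts for repeat triggers) is easy to get subtly wrong, for example by continuing to count attempts made during a lockout, or by never resetting the escalation after a legitimate login. The following is an added example, not code from the original article, of a small in-memory lockout tracker in Python. The doubling schedule and the 24-hour cap are this example's own choices; the five-attempt threshold and the 15-minute base period come from the article. The `LockoutPolicy` class, its method names and the user name are assumptions for illustration; a real deployment would persist the state and log each lockout event for the security team.

```python
"""Account lockout tracker with a progressive lockout period.

Added example (not code from the original article). Thresholds follow the
article: lock after five failed attempts for 15 minutes. Each further lockout
doubles the period up to a cap; that schedule is this example's choice.
State is kept in memory for illustration only.
"""
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 5                 # failed attempts before locking (article)
BASE_LOCKOUT_SECONDS = 15 * 60        # first lockout period (article)
MAX_LOCKOUT_SECONDS = 24 * 60 * 60    # cap on the progressive increase (assumption)


@dataclass
class AccountState:
    failed_attempts: int = 0   # consecutive failures since the last reset
    lockout_count: int = 0     # how many lockouts since the last successful login
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LockoutPolicy:
    """Tracks failed logins per user and applies a progressive lockout."""

    def __init__(self) -> None:
        self._accounts: dict[str, AccountState] = {}

    def _state(self, username: str) -> AccountState:
        return self._accounts.setdefault(username, AccountState())

    def is_locked(self, username: str, now: float) -> bool:
        return self._state(username).locked_until > now

    def seconds_remaining(self, username: str, now: float) -> float:
        return max(0.0, self._state(username).locked_until - now)

    def record_failure(self, username: str, now: float) -> float:
        """Count a failed attempt; return the lockout duration it triggered, or 0."""
        st = self._state(username)
        if st.locked_until > now:
            return 0.0  # attempts during a lockout are rejected, not counted
        st.failed_attempts += 1
        if st.failed_attempts < LOCKOUT_THRESHOLD:
            return 0.0
        st.lockout_count += 1
        duration = min(BASE_LOCKOUT_SECONDS * 2 ** (st.lockout_count - 1),
                       MAX_LOCKOUT_SECONDS)
        st.locked_until = now + duration
        st.failed_attempts = 0
        return duration

    def record_success(self, username: str) -> None:
        """A successful login resets both the counter and the escalation."""
        st = self._state(username)
        st.failed_attempts = 0
        st.lockout_count = 0

    def attempt_login(self, username: str, credentials_valid: bool, now: float) -> str:
        """Return 'locked', 'denied' or 'ok'. The caller supplies the clock."""
        if self.is_locked(username, now):
            return "locked"  # even a correct password is refused while locked
        if credentials_valid:
            self.record_success(username)
            return "ok"
        if self.record_failure(username, now) > 0:
            return "locked"
        return "denied"


if __name__ == "__main__":
    # Constructed scenario: five bad guesses, a correct password during the
    # lockout, then a second burst that earns a longer lockout.
    policy, t = LockoutPolicy(), 1_000.0
    for i in range(5):
        print(policy.attempt_login("alice", False, t + i))
    print(policy.attempt_login("alice", True, t + 10),
          policy.seconds_remaining("alice", t + 10), "s remaining")
```

Supplying the clock as a parameter rather than calling `time.time()` inside the class is what makes the escalation schedule testable; the same design also makes it straightforward to replay authentication logs through the policy when investigating a suspected password-spraying incident.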

6. Have Guidelines on How to Store Passwords

Do you know that 55 percent of employees save passwords on sticky notes? How your employees store passwords impacts password security.

Storing passwords in email, in note apps on a phone, on paper notes, or in documents on a computer is bad practice. Doing so weakens the security of passwords, even if the passwords are long and complex.

Therefore, your password security policy must include clear guidelines for storing passwords securely. One way to do this is to use a password manager, which keeps your passwords encrypted and accessible only with a master password.

Though most browsers these days have a feature to store passwords, using a password manager to store passwords is a more secure option. A password manager also offers secure ways to share passwords among different users.

  • Recommend and, if possible, provide access to enterprise-grade password managers for secure password storage and sharing.
  • Educate users on the risks associated with insecure password storage methods and the benefits of using a password manager.

7. Set Consequences for Policy Violators

You have created a password security policy to secure computers and online accounts. So everyone should follow it religiously. Setting consequences for those who frequently violate the policy can be a good way to encourage all users to abide by the password policy.

However, you should devise constructive ways to make password policy violators recognize their mistakes. Any harsh punishment can turn them into an insider threat.

Provide policy violators with more awareness training sessions, and encourage them to follow the password policy. But if someone repeatedly makes mistakes despite many warnings, letting them go can be the best option, as they’re risking your business.

  • Develop a tiered response to policy violations that includes education and retraining for first-time violations and escalates for repeated non-compliance.
  • Incorporate a feedback mechanism for employees to report difficulties in adhering to the policy, allowing for adjustments and accommodations.

8. Update Your Password Policy Regularly

Your password policy should not be set in stone. Instead, you should review your password policy from time to time and check whether it is succeeding in:

  • Ensuring that users create long, complex passwords
  • Preventing users from creating new passwords that are easy to guess
  • Encouraging users to change passwords frequently, as recommended in the policy
  • Preventing users from using the same password for multiple accounts
  • Schedule regular reviews of the password policy in response to emerging threats and advancements in password security practices.
  • Involve users in the review process to gain insights into practical challenges and perceptions, ensuring the policy remains both effective and user-friendly.

Tweaking your password policy in line with the observations made in regular password audits helps you create a robust password policy to enhance password security in your business.

Password Policy Best Practices

The following are the best practices to maximize the success of your password policy:

1. Have an Easy-to-access Password Policy

A comprehensive password policy is essential, but its effectiveness lies in its accessibility and user-friendliness.

Users should find the guidelines easy to understand and follow, with clear delineations between critical sections like those for generating passwords and safely storing them.

By offering both a printed guide and a digital version, you cater to individual preferences and needs, ensuring everyone, regardless of their tech-savviness, can refer to the policy at any given time.

2. Adopt a Password Management System

In today’s interconnected digital world, an individual is often juggling multiple accounts, leading to potential password fatigue. The challenge of creating and remembering unique passwords for every account can be daunting.

By integrating a robust password management system into your organization’s digital infrastructure, employees can bypass this challenge.

These systems not only auto-generate strong passwords but store them securely, reducing the chances of breaches. Making the adoption of such systems mandatory significantly boosts an organization’s cybersecurity posture.

3. Forbid Insecure Password Sharing

Password sharing, while convenient for collaborative projects, can become a significant security loophole if not managed correctly.

Often, employees might resort to insecure sharing methods, such as sending passwords through easily intercepted channels like emails or text messages.

Encouraging secure sharing methods is crucial. Many top-tier password managers come with features allowing encrypted password sharing, ensuring that team members can share access without compromising on security.

4. Implement Login Time Restrictions

Unrestricted access to organizational systems is akin to leaving the front door unlocked. Employees should be trained to log in only when they’re actively using certain accounts or systems and to promptly log out afterwards.

This minimizes the window of opportunity for unauthorized access, especially in scenarios where a workstation might be left unattended. A stringent password policy will reinforce the importance of this practice, highlighting the risks of prolonged, unnecessary logins.

5. Do Regular Password Audits

Simply having a password policy isn’t enough; its real-world effectiveness needs to be gauged regularly. Through systematic password audits, an organization can assess employee adherence levels and the policy’s overall efficiency.

These audits serve a dual purpose: they help pinpoint potential vulnerabilities, and they offer insights into areas where the policy might need revisions or updates. This proactive approach ensures that the organization’s cybersecurity measures evolve in tandem with emerging threats.

Password Policy Do’s and Don’ts

Do:

  • Create passwords with at least ten characters
  • Include uppercase, lowercase letters, & special characters
  • Use misspelled words for complexity
  • Set a password expiration period
  • Enforce Multi-factor Authentication (MFA)
  • Use a password manager for secure storage
  • Update your password policy regularly

Don’t:

  • Use personal information like name, DOB, job title
  • Use easily guessed patterns like QWERTY or 123456
  • Reuse the same password on multiple accounts
  • Store passwords in emails, note apps, or sticky notes
  • Share passwords via text, email, or instant messages
  • Keep systems logged in when not in use
  • Ignore password policy guidelines

What Are the NIST Password Guidelines?

The National Institute of Standards and Technology (NIST) guidelines have evolved over the years to reflect a more user-centric approach. Among their recommendations, users should create passwords that are a minimum of eight characters in length.

Instead of forcing users to incorporate complicated symbols and characters, NIST emphasizes password length over arbitrary complexity. They advise against mandatory periodic password changes unless there’s evidence of a breach.

NIST also suggests allowing the ‘show password’ option to help users avoid mistakes when entering their password. Moreover, they highly recommend implementing two-factor or multi-factor authentication to add an extra layer of security.

Are Complex Passwords As Important as Minimum Password Length?

While complexity in passwords (such as including symbols, numbers, and both uppercase and lowercase letters) certainly helps against brute-force attacks, recent trends in cybersecurity suggest that length is a more critical factor.

A longer password naturally increases the total number of potential combinations, making it exponentially harder to crack. However, an undue emphasis on complexity often results in users resorting to predictable patterns or writing passwords down.

If feasible, users should be encouraged to use longer passphrases that are easy to remember but hard for automated systems to guess. When using a password manager, which takes the burden of memory off the user, combining both length and complexity is ideal.

How Often Should Passwords Be Changed?

Conventional wisdom once dictated that regular password changes (e.g., every 60 or 90 days) were essential. However, NIST’s revised guidelines suggest avoiding routine password changes unless there’s a specific reason, like a suspected security breach.

Changing passwords too often might lead to weaker passwords, as users might opt for minor, predictable variations of their previous passwords or even recycle them across platforms.

Nonetheless, it’s crucial to be proactive. Using password managers with breach notification capabilities can alert users if their passwords are compromised, prompting timely changes.

Should Small Businesses Use a Password Manager?

Absolutely. Even for small businesses, cybersecurity should never be an afterthought. Password managers offer numerous benefits, from generating strong, unique passwords for each account to safely storing them in encrypted vaults.

Furthermore, they facilitate secure password sharing, which is especially useful in collaborative environments. By centralizing password management, businesses can maintain tighter control over access to sensitive information, thereby mitigating risks.

What Is the Ideal Password Policy?

The ultimate password policy should strike a balance between user convenience and robust security. It would emphasize the creation of long, unique passwords or passphrases, ideally without forcing arbitrary complexity rules.

Secure storage practices, either through encrypted databases or trusted password managers, are vital. Encouraging the use of different passwords for each account can prevent a breach on one platform from jeopardizing others.

Regular monitoring for breaches and compromised passwords, paired with an understanding of when (and when not) to change passwords, can round out a comprehensive, effective policy.


Image: Envato Elements

More in:

Sandeep Babu Sandeep Babu is a cybersecurity writer. He writes about malware, data security, privacy, and other cybersecurity topics for SBT and other reputed platforms.