How to create a company password policy

Meredith Kreisa|March 8, 2022

Passwords are more than just the most effective way to keep coworkers with cooties out of your secret fort in the breakroom. They’re also the foundation of the authentication process, confirming a user’s identity and preventing unwanted access to critical data. Crafting a strong password security policy can help ensure credentials are strong and don’t fall into the wrong hands.

According to Verizon’s 2021 Data Breach Investigations Report, 89% of web application hacking involved credential abuse: stolen credentials or brute force attacks. Once threat actors are in your environment, they can steal data, launch a ransomware attack, or just listen to your Spotify playlist of Kenny G’s greatest hits. Implementing an effective policy to promote password hygiene best practices can help protect your environment and make a cybercriminal’s job much more difficult. We’ll break down what you should know to fortify your business’s password rules. 

What is good password hygiene?

Password hygiene is a foundational and essential security measure to protect your environment and deter intruders. It encompasses best practices for password strength. If a password is hard to guess, it’s less likely that a brute force or password spraying attack will succeed. 

Remember: Passwords act as the first line of defense, controlling access to your systems and the valuable information they hold. Maintaining strong defenses is imperative to enhancing your security posture. 

What should be included in a password policy?

A password security policy should establish clear guidelines requiring users to create strong passwords. It should include several applicable standards. 

Password history

Reusing an old password may seem convenient and easy to remember. However, it presents a security risk. If that password was compromised, threat actors have easy access to your systems. For that reason, many companies do not allow employees to reuse their last one or two passwords. However, Microsoft suggests disallowing the last 24 passwords. 

Password age

Maximum password age is a controversial topic. Some feel that using the same password over an extended period increases the risk of compromise. If a threat actor already has your password, they may continually access information without you even realizing it. Even if your password is still secure, continuing to use it for months or years on end gives cybercriminals ample time to test different combinations until they figure it out. To prevent this, many password policies include a maximum password age. Microsoft suggests a limit of 30 to 90 days, depending on the level of security you feel is appropriate for your organization. 

On the other hand, the National Institute of Standards and Technology (NIST) no longer recommends requiring regular password changes since users often select similar alternatives that are just as easy to crack. 

Minimum password age requirements are less common but may be more important. These guidelines dictate how long a password must be in use before a user can change it. Essentially, it helps prevent an employee from changing their password in rapid succession to bypass password history requirements and return to their original password. Microsoft recommends a minimum age of one day. 

Password length

Company policies often require that passwords be at least eight characters long. However, longer is better. Because of this, many companies encourage passphrases. These strings of words are much longer than traditional passwords, making them difficult to crack. However, they’re also typically easier for users to remember since they use actual words. 

Password complexity

The more complex the password, the harder it is to guess. For instance, if a password contains just numbers, a brute force attack can crack it instantly, even if it’s 10 characters long. In comparison, a 10-character-long password with uppercase letters, lowercase letters, numbers, and symbols takes an estimated five years to crack. 

Therefore, complexity guidelines typically require that each password include: 

  • An uppercase letter

  • A lowercase letter

  • A number

  • A symbol

That said, NIST no longer recommends complexity guidelines since users often rely on predictable patterns or reuse passwords across platforms. 

Account lockout

Account lockout policies specify how many failed login attempts a user can make before their account automatically locks. Microsoft suggests 10 as a starting point, though you might lower this based on your risk tolerance. Your policy should also establish how long the lockout continues. Microsoft recommends around 15 minutes. 
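The five settings above (history, age, length, complexity, lockout) all map onto the default domain password policy in Active Directory. The following is an added example, not code from the article or from PDQ: it applies the Microsoft-cited values with the ActiveDirectory PowerShell module and then reads the policy back to confirm it actually took effect. It assumes RSAT's ActiveDirectory module is installed and you have rights to edit the domain policy; `corp.example` is a placeholder domain name.

```powershell
# Added example (not from the original article): apply the values the
# article cites for history, age, length, complexity and lockout to the
# default domain password policy, then read the policy back to verify.
# Assumes the ActiveDirectory module (RSAT) and rights to edit the domain
# policy; 'corp.example' is a placeholder domain name.
Import-Module ActiveDirectory

$domain = 'corp.example'   # placeholder; replace with your domain

$settings = @{
    Identity                 = $domain
    PasswordHistoryCount     = 24                       # remember the last 24 passwords
    MaxPasswordAge           = (New-TimeSpan -Days 90)  # upper end of the 30-90 day range
    MinPasswordAge           = (New-TimeSpan -Days 1)   # blocks rapid cycling back to an old password
    MinPasswordLength        = 8
    ComplexityEnabled        = $true
    LockoutThreshold         = 10                       # failed attempts before lockout
    LockoutDuration          = (New-TimeSpan -Minutes 15)
    LockoutObservationWindow = (New-TimeSpan -Minutes 15)  # must not exceed LockoutDuration
}

Set-ADDefaultDomainPasswordPolicy @settings

# Read the policy back and compare it with the intended values, so a
# drifted or partially applied policy is reported rather than assumed.
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain
$checks = @(
    @{ Name = 'PasswordHistoryCount'; Want = 24 },
    @{ Name = 'MinPasswordLength';    Want = 8 },
    @{ Name = 'LockoutThreshold';     Want = 10 },
    @{ Name = 'ComplexityEnabled';    Want = $true }
)
foreach ($c in $checks) {
    $have  = $policy.($c.Name)
    $state = if ($have -eq $c.Want) { 'OK' } else { 'MISMATCH' }
    '{0,-24} want={1,-6} have={2,-6} {3}' -f $c.Name, $c.Want, $have, $state
}
'MaxPasswordAge  = {0}' -f $policy.MaxPasswordAge
'MinPasswordAge  = {0}' -f $policy.MinPasswordAge
'LockoutDuration = {0}' -f $policy.LockoutDuration
```

The read-back step matters because the policy is stored in the domain and replicated; checking `Get-ADDefaultDomainPasswordPolicy` after the change catches a failed or partially applied update. If you follow NIST's guidance instead of Microsoft's on expiry and complexity, the same cmdlet takes `MaxPasswordAge = (New-TimeSpan -Days 0)` (no expiry) and `ComplexityEnabled = $false`, and you would lean on length and the lockout settings instead.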

What are the strongest password policy rules?

Developing the strongest password policy for your business requires balancing your security objectives with the practical needs of your employees. There is no one-size-fits-all password policy that’s ideal for all businesses, and there are innumerable rules that may benefit some organizations. NIST provides helpful guidelines to steer your policies. Here are a few key rules to consider: 

  • Use passwords that are at least eight characters long: The longer, the better! Each additional character dramatically decreases the risk that a brute force attack could crack your password. 

  • Encourage a passphrase: Passphrases balance convenience and security. The added length makes them harder to crack, but using familiar words makes them easier to remember. 

  • Do not enable hints: Hints may seem like a helpful way to allow users to retrieve lost passwords. However, with personal information widely available through social media and social engineering, allowing hints may actually give threat actors inroads into your systems. 

  • Use multi-factor authentication: In almost all instances, multi-factor authentication is beneficial as an additional layer of protection. 

How can you protect your company's passwords?

Maintain and update your password policy

Providing a documented password policy gives employees a resource to refer to whenever it’s time to change their passwords. However, don’t expect the document to be static. The security landscape is constantly evolving, so be prepared to update your policy as necessary. 

Provide password training

Getting a password policy on the books is undoubtedly valuable. But providing your employees with relevant security awareness training further enhances the benefits. Not only can it reinforce the guidelines, but it can also clarify why a strong password is so important. Informed employees may be more likely to comply with your requirements. 

Require password changes after a potential compromise

If you have any reason to believe your systems or accounts may have been compromised, require password changes for all affected employees. Otherwise, threat actors may have continued user account access. 
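One way to carry out that requirement in Active Directory, as an added example that is not from the article or from PDQ: flag every account on the list of affected users so the user must change their password at next logon, and report which accounts were actually flagged. It assumes the ActiveDirectory module and rights to modify the accounts; the account names are placeholders standing in for the list from your incident ticket.

```powershell
# Added example (not from the original article): force each account on a
# constructed list of affected users to change its password at next logon,
# and report which accounts were actually flagged. Assumes the
# ActiveDirectory module and rights to modify the accounts; the
# sAMAccountNames below are placeholders.
Import-Module ActiveDirectory

$affected = @('jdoe', 'asmith', 'nosuchuser')   # placeholder list from the incident ticket

$results = foreach ($name in $affected) {
    # Scriptblock filter: no string building, and a missing account returns $null, not an error
    $user = Get-ADUser -Filter { SamAccountName -eq $name } -Properties PasswordLastSet
    if (-not $user) {
        [pscustomobject]@{ User = $name; Flagged = $false; Note = 'account not found' }
        continue
    }

    Set-ADUser -Identity $user -ChangePasswordAtLogon $true

    # pwdLastSet is stored as 0 when the account must change its password at next logon
    $after = Get-ADUser -Identity $user -Properties pwdLastSet
    [pscustomobject]@{
        User    = $name
        Flagged = ($after.pwdLastSet -eq 0)
        Note    = "previous password set $($user.PasswordLastSet)"
    }
}

$results | Format-Table -AutoSize
```

Reading `pwdLastSet` back is the check that the flag stuck; an account with "password never expires" set cannot be flagged this way and will be reported as not flagged, so those accounts need their password reset directly instead.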

Invest in password management software

Password management software enables your team to use longer, more complicated passwords without needing to remember them all. Additionally, a password manager can generate a unique password, preventing employees from leaning on familiar patterns. 

Consider password policy enforcement software

Even the strongest password policy is worthless without enforcement. Without the right solution, trying to get employees to comply is like herding cats. Thankfully, password policy enforcement software lets you configure and automatically enforce policies without the need to glare threateningly at each employee. 

Implement multi-factor authentication

Multi-factor authentication adds an extra layer of security. Rather than granting access with just a username and password, users must also use an additional verification method, such as a fingerprint scan or a one-time password (OTP) from an email, text, or app. This makes the password just one component of authentication instead of the primary determiner. 

Set a lockout after failed attempts

Hackers may try to guess your passwords through trial and error, credential stuffing, or brute force attacks. Incorporating a lockout period after a set number of failed attempts can help thwart these efforts. 

Let users see what they’re typing

A user may select a short, weak password for one simple reason: it’s easier to type. When you can’t see what you’re typing, it’s that much harder to use a long, complex password. In many cases, users need to try several times before getting it right. Letting them see what they’re typing can remove that hurdle and save them time. 

While a strong password policy is crucial, there’s much more involved in cultivating a secure environment. You also need to maintain accurate information on your machines and implement updates and patches. PDQ Inventory and PDQ Deploy are the one-two punch of awesomeness you’ve been looking for to streamline deployment and improve your efficiency. And once you have more time on your hands from automating routine tasks, you can hit up PDQ’s blog and videos for more insights into IT.

Meredith Kreisa

Part writer, part sysadmin fangirl, Meredith gets her kicks diving into the depths of IT lore. When she's not spending quality time behind a computer screen, she's probably curled up under a blanket, silently contemplating the efficacy of napping.
