How to Create a Strong Password Policy



Passwords are by far the most common form of authentication used with computing devices. They are simple and easy to use, which keeps them a favourite for many companies even today. However, they have also proven to be one of the most easily bypassed authentication methods. A 2018 Verizon report found that 81% of all data breaches are due to poor passwords. Simple passwords like “1234”, “Password123” and “abc123” can be guessed by attackers in a matter of hours. Worse, 60% of users reuse the same password for everything, so a breach of one password means all of their accounts are compromised. One example of this was Dropbox in 2012, where an employee reused a personal password at work and it ended up in a data breach of over 68 million user credentials. Something so simple can have huge consequences for a business; fortunately, the solution can also be quite simple. By creating a policy that mandates the use of strong passwords, you can eliminate a lot of the risk related to employees using weak passwords. Here are the key password elements you want to enforce.

Password Complexity

  • Length: A password should be at least 8 characters long and no longer than 16 characters. This ensures it is not too easy to brute force, but not so long that users will constantly forget it and need it reset.

  • Use multiple character classes: A password should contain at least one uppercase letter, one lowercase letter, one number and one special character such as “!@#$%^&*”. This increases the time it takes someone to guess the password using software.

  • Should not contain repeated characters: such as aaa, bbb or ccc. This goes against the principle that you want a diverse set of characters.

  • Should not contain numbers in sequence: sequences like 1234 should not be allowed in your passwords.

  • Should not contain whole words: a common password is “Password123*”; containing full words makes it too simple for an attacker.
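The rules above can be enforced automatically at the point where a user sets a password. The validator below is an added example written for this article, not code from the original post or from any product; it implements the five rules as listed. Two details are assumptions: a digit run of three or more consecutive ascending or descending digits counts as a "sequence", and the dictionary is a tiny constructed word list standing in for the full word list you would load in practice.

```python
import re
from typing import List

# Policy values taken from the article. The word list is a constructed sample;
# a real deployment would load a full dictionary / breached-password list instead.
MIN_LEN = 8
MAX_LEN = 16
SPECIALS = set("!@#$%^&*")
COMMON_WORDS = {"password", "welcome", "admin", "letmein", "company"}


def has_digit_sequence(pw: str, run: int = 3) -> bool:
    """True if pw contains `run` consecutive ascending or descending digits
    (e.g. "234" or "432"). The run length of 3 is an assumed threshold."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run]
        if not chunk.isdigit():
            continue
        diffs = {ord(chunk[j + 1]) - ord(chunk[j]) for j in range(run - 1)}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw: str) -> List[str]:
    """Return the list of policy rules the password violates (empty list = compliant)."""
    problems = []
    if not (MIN_LEN <= len(pw) <= MAX_LEN):
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not any(c.isupper() for c in pw):
        problems.append("needs an uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("needs a lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("needs a special character from !@#$%^&*")
    # Three or more identical characters in a row, e.g. "aaa"
    if re.search(r"(.)\1\1", pw):
        problems.append("contains a repeated character run")
    if has_digit_sequence(pw):
        problems.append("contains a digit sequence")
    # Whole-word check is case-insensitive so "PaSsWoRd" is still caught
    lowered = pw.lower()
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a dictionary word")
    return problems


if __name__ == "__main__":
    for candidate in ["Password123*", "Tr!x9Lq2Vm", "short", "Qq!1aaa2345"]:
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

Returning the full list of violations rather than the first one lets the sign-up form tell the user everything that is wrong at once, which cuts down on the repeated reset attempts the length rule is trying to avoid.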

Password Cycling & Password History

Employees should be required to rotate their passwords after a set period. The longer a single password is in use, the more likely it is to be leaked; rotating passwords reduces this risk significantly. Passwords should be changed at least once per year, preferably every 6 months. You don’t want people changing passwords too often, because they will struggle to remember which password they used, they will get frustrated, and it will be a big burden for your administrators.

Best practice is that once a password has been used it shouldn’t be reused in the corporate environment. A good password policy means keeping track of previously used passwords and making sure that once a password is cycled out, it can’t be reused by the same user. This prevents people from sticking with the same passwords, which lowers the overall risk of a password being leaked.
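Keeping track of previously used passwords must not mean storing them in the clear, or the history store itself becomes a breach. The example below is added for this article and is not code from the original post; it keeps a salted PBKDF2 digest of each retired password and rejects a new password that matches any of them. The in-memory dictionary and the history depth of 24 entries are assumptions; a real identity system would persist the entries and pick the depth its policy requires.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Assumed values: how many retired passwords to remember, and the KDF cost.
HISTORY_DEPTH = 24
PBKDF2_ITERATIONS = 100_000


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so history entries are never reversible plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordHistory:
    """Per-user list of (salt, digest) pairs for previously used passwords."""

    def __init__(self, depth: int = HISTORY_DEPTH) -> None:
        self.depth = depth
        # Constructed in-memory store; a real deployment persists this.
        self._entries: Dict[str, List[Tuple[bytes, bytes]]] = {}

    def was_used(self, user: str, candidate: str) -> bool:
        """True if `candidate` matches any remembered password for `user`."""
        for salt, digest in self._entries.get(user, []):
            # Constant-time comparison avoids leaking how many bytes matched
            if hmac.compare_digest(_digest(candidate, salt), digest):
                return True
        return False

    def record(self, user: str, password: str) -> None:
        """Add a password to the user's history, keeping only the newest `depth` entries."""
        salt = os.urandom(16)  # fresh salt per entry so equal passwords differ on disk
        entries = self._entries.setdefault(user, [])
        entries.append((salt, _digest(password, salt)))
        del entries[:-self.depth]

    def change_password(self, user: str, new_password: str) -> bool:
        """Apply the no-reuse rule: return False and change nothing if the password was used before."""
        if self.was_used(user, new_password):
            return False
        self.record(user, new_password)
        return True


if __name__ == "__main__":
    history = PasswordHistory(depth=3)
    print(history.change_password("alice", "Tr!x9Lq2Vm"))   # True, first use
    print(history.change_password("alice", "Tr!x9Lq2Vm"))   # False, immediate reuse blocked
```

Because each entry has its own random salt, checking a candidate costs one KDF call per remembered entry; that cost scales with the depth you choose, so the depth should be set deliberately rather than left unbounded.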

Password Managers

Password managers are software applications that securely store all your passwords in one place. People often store passwords in plain sight on sticky notes, in a notepad or in other places where a nosy or devious person can easily access them. Password managers prevent this and also eliminate the need for users to remember multiple passwords, because they only need to remember the password that unlocks the password manager.

Employee Education

Employees should be educated on what the password requirements are and what is expected of them when it comes to protecting their passwords. It should also be reiterated that they should not share their passwords with anyone, including management.

Use Two-Factor Authentication

Two-factor authentication uses an additional piece of information, along with the user’s password, to confirm the user’s identity. The most common method is to have employees install a specialized app on their phone that gives them a code that changes every minute or so. The user must enter that code in addition to their password to log in. This way, even if their password is compromised, it can’t be used to log in without the temporary code.

Strong passwords are one of the first lines of defense for your network. It doesn’t matter how much protection you put on your network if someone can easily guess the key that unlocks it all. It’s important that passwords are sufficiently complex, rotated regularly and stored in a secure place. Beyond that, educate your employees on how to create and protect their passwords and, if possible, combine traditional passwords with two-factor authentication to make sure your employee credentials are protected.