What is a Password Policy and How to Create One?

    Compromised passwords are a leading reason for data breaches. In fact, more than 80{5c94e41db43f1643af886a760ed785f3e6f3e4efec1ac57b512d948d7f011ae0} of hacking-related breaches are caused by password-related issues. A strong password policy can help ensure everyone in your business uses strong passwords.

    So what is a password policy? How can you create a standard password policy? And what are password policy best practices? Let’s find out below.

    What Is a Password Policy?

    A password policy is a set of guidelines to make everyone in a company create a strong password and use them properly to enhance computer security and online security.

    A standard password policy includes what users need to consider and what they should avoid when creating, changing, storing, or sharing passwords.

    For example, your password policy can dictate that users must create longer passwords, including a certain number of special characters.

    Depending on your organization’s needs, you can make your password policy advisory or mandatory.

    Why are Password Policies Important?

    A password policy can help you enforce the practice of using strong, unique passwords in your business to enhance password security.

    Here are key reasons why implementing a strong password security policy is critical for your business:

    Password reuse is a security blunder. A password policy can quickly rule out password reuse practice
    A strong password policy with a clause of multi-factor authentication helps you minimize various security risks to a great extent
    Everyone in your company will start creating complex passwords and storing them safely. As a result, your passwords will be safe from brute force attacks and other password-related attacks
    A strong password policy signals to your customers and vendors that you are taking strict measures to safeguard passwords. This can help build trust with them

    Last but not least, a password policy cultivates a cybersecurity culture that is of utmost importance in today’s world, as small businesses are increasingly becoming the target of various types of cybersecurity attacks.

    How to Create a Standard Password Policy

    The following is a step-by-step process to create a strong password policy:

    1. Set Password Complexity Requirements

    System administrators or IT departments should set password complexity guidelines to ensure strong password creation.

    Here are essential password requirements to include in your password policy to help users avoid creating weak passwords:

    Passwords should be at least ten characters long (Longer is better)
    Users must include uppercase letters, lowercase letters, and special characters in passwords
    Including misspelled words is a good tactic for creating complex passwords

    Brute force attacks and dictionary attacks can crack simple passwords. So your password policy must have complexity requirements to encourage users to create hacker-proof passwords.

    2. Create a Password Deny List

    In addition to having what users should do, your password policy should also state things users must avoid when creating passwords.

    A password deny list can include the following:

    Person-related information such as name, date of birth, place of birth, job title, etc.
    Telephone numbers, house numbers, or street number
    Name of spouse, children, or loved ones
    Reusing the same password on multiple accounts

    As a thumb rule, your password policy’s deny list should include any type of personal information or a simple pattern (like QWERTY to 123456).

    3. Set a Password Expiration Period

    The main idea behind setting a password expiration period is that hackers won’t know whether the passwords they found in an old data breach will work.

    For example, your password is disclosed in a two-month-old data breach incident. And you change your password every month. Hackers will not be able to gain access to your account using that leaked password.

    Ideally, the password expiration period should be set to three months. But you can adjust this period, depending on the need of your business. Also, you should ensure that your employees don’t reuse the same passwords for other accounts.

    4. Enforce Multi-factor Authentication

    Multi-factor authentication (MFA) can increase the security of accounts in your business. This is because hackers won’t be able to gain access to accounts even if they get hold of logins and passwords for those accounts.

    Therefore, your password policy must make it mandatory for users to implement MFA for all accounts that allow this feature.

    5. Include Account Lockout Threshold

    The account lockout threshold enables user accounts to get locked after a certain number of failed login attempts. This feature protects your accounts from Brute Force attacks and dictionary attacks.

    Ideally, you can set the account lockout threshold to five failed login attempts. This includes implementing an account lockout period of 15 minutes.

    6. Have Guidelines on How to Store Passwords

    Do you know that 55 percent of employees save passwords in sticky notes? How your employees store passwords impact password security.

    Storing passwords in email, note app on a phone, paper notes, and documents on a computer is a bad practice. And doing so weakens the security of passwords, even if the passwords are long and complex.

    Therefore, your password security policy must include clear guidelines for storing passwords securely. And one way to do it is to use a password manager, which keeps your password encrypted and stored securely behind the master password.

    Though most browsers these days have a feature to store passwords, using a password manager to store passwords is a more secure option. A password manager also offers secure ways to share passwords among different users.

    7. Set Consequences for Policy Violators

    You have created a password security policy to secure computers and online accounts. So everyone should follow it religiously. Setting some consequences for those who frequently violate the policy can be a good idea to encourage all users to abide by the password policy,

    However, you should devise creative ways to make password policy violators feel they have made mistakes. Any harsh punishment can turn them into an inside threat.

    Provide policy violators with more awareness training sessions, and encourage them to follow the password policy. But if someone repeatedly makes mistakes despite many warnings, letting them go can be the best option, as they’re risking your business.

    8. Update Your Password Policy Regularly

    Your password policy should not be something set in stone. Instead, you should review your password policy from time to time and check if it is successful:

    Ensuring that users create long, complex passwords
    Preventing users from creating new passwords that are easy-to-hack
    Encouraging users to change passwords frequently, as recommended in the policy
    Preventing users from using the same password for multiple accounts

    Tweaking your password policy in line with the observations made in regular password audits helps you create a robust password policy to enhance password security in your business.

    Password Policy Best Practices

    The following are the best practices to maximize the success of your password policy:

    1. Have an Easy-to-access Password Policy

    The policy guidebook should be organized so that users can easily navigate through different sections like password creation and password storage.

    Prepare both a hard copy and a soft copy of your password policy to ensure users can access it the way they want.

    2. Adopt a Password Management System

    Including the mandatory use of a password manager in your policy can strengthen password security to a great extent. How?

    Employees need to create multiple passwords these days. And creating a unique password for each account can be a problem for many users. A password manager can create a hard-t0-crack password instantly and save multiple passwords securely.

    3. Forbid Insecure Password Sharing

    Sharing passwords among users is a common practice in today’s business environment when multiple employees work on a single project.

    To improve password security, you should ensure that none shares passwords via text messages, emails, or instant messages.  Secure password sharing is a must to improve password security. All reputed password managers allow users to share passwords securely.

    4. Implement Login Time

    Employees should only log in to accounts and systems when using them. Keeping accounts and systems logged in when none is using them is a lousy cybersecurity practice. And password policy should strictly prohibit this practice.

    5. Do Regular Password Audits

    Establish password audits as a regular practice to check the effectiveness of your password policy. This will help you figure out areas of improvement in your password policy to maximize its success.

    What Are the NIST Password Guidelines?

    The essential NIST guidelines for passwords include but are not limited to creating at least eight characters long passwords, emphasizing length more than complexity, turning on ‘show password’ settings, implementing two-factor or multi-factor authentication, and avoiding frequent password changes.

    Are Complex Passwords As Important as Minimum Password Length?

    Complexity and password length are both necessary to create hard-to-hack passwords. But choosing more complex passwords over more long passwords makes it difficult for users to remember passwords. Maximizing length and complexity are recommended if a company employs a password manager app.

    How Often Should Passwords Be Changed?

    Most cybersecurity experts recommend that passwords should be changed every three months. All good password managers often have a feature that tells if the saved passwords are found in any data breach incident. You should immediately change a password if it is exposed to any data breach.

    Should Small Businesses Use a Password Manager?

    Yes, small businesses should use a password manager. A password manager app can help your employees create complex passwords, store passwords securely, and share passwords safely. The use of a password manager offers reliable password protection.

    What Is the Ideal Password Policy?

    The ideal password policy lays stress on creating hard-to-crack passwords, storing passwords securely, and using different passwords for different accounts. It also emphasizes changing old passwords frequently.


    Sharing Business WiFi Passwords Doesn’t Have to Be Hard, Use QR Codes Like This

    Image: Envato Elements

    This article, “What is a Password Policy and How to Create One?” was first published on Small Business Trends