How to Implement a Password Policy That Works

Content Writer

A staggering 20% of corporate passwords are the company name or a minor variation of it. That's the physical-security equivalent of leaving the office door unlocked overnight.

This may be news to you, but it isn't to cybercriminals. Weak and reused passwords are a reliable way into a business's sensitive data: depending on the type of attack, up to 80% of successful breaches can be traced back to weak or stolen credentials.

You might consider implementing a password policy to encourage your team to use stronger passwords. But how can you create a policy that works, and what should you include? Today, we're talking about best practices for password policies.

What is a password policy?

A policy is a set of guidelines established within an organization that sets out the modus operandi, or rules of operation, around a specific activity. Policies are supposed to ensure uniform behavior that helps achieve a collective goal.

Corporate policies can apply to how you act or dress at work. A password policy is no different. A password policy informs your team about how to make decisions around creating and managing passwords.

A password policy aims to improve cybersecurity by preventing cyberattacks that rely on weak and reused passwords. That usually means establishing conventions around passwords that make them difficult to hack.

A password policy can also mean the technical rules a system enforces on the passwords it will accept (minimum length, character classes, blocklists, and so on), which a business controls only for systems it develops or administers itself.

Because those rules are enforced automatically by the software, this article focuses instead on the guidelines employees should follow when they create passwords for external, third-party services used for work, such as Outlook, Google Workspace, or Zoom, where the business cannot dictate what the system accepts.

Why do you need a password policy?

To understand the need for a password policy, let's consider the alternative — looking at the default behaviors around password management in a corporate setting.

Weak passwords are the (unfortunate) standard

Without guidance, users reliably choose weak passwords.

Weak passwords can be guessed or cracked with minimal effort. “password,” for instance, is as weak as they come, yet our research shows it was the most common password of 2022, used millions of times around the world.

If you suspect that people behave more carefully when creating corporate credentials, a study of breached Fortune 500 companies shows otherwise.

Predictable passwords such as “123456” topped the lists of most common passwords, with others like “abc123” and “sunshine” making their way to the top ten by industry. As mentioned, the company's name is also a common choice.

Overall, the percentage of unique passwords did not exceed 31% for any industry – to say nothing of the unique passwords' strength.

A different study of management, owners, and C-suite executives' credentials demonstrated that even leadership team members are no better at using strong, secure passwords.

Suffice it to say: people use weak passwords at work.

Weak passwords represent a massive cyber vulnerability

Weak passwords like the ones above can be cracked in under a second. So it is no surprise that, according to Verizon's most recent Data Breach Investigations Report, credentials are involved in nearly 50% of all breaches, more than twice as often as phishing.

To make matters worse, weak passwords are usually combined with poor password hygiene. The most common password hygiene sins are storing passwords in insecure locations and reusing the same password across multiple accounts.

Sticky notes on a physical desk and Excel spreadsheets are two particularly egregious examples of improper password storage. A password written in plain sight is all too convenient for an intruder in your workspace.

On your virtual desktop, a list of passwords is low-hanging fruit to cybercriminals who have secretly gained access to your device.

As you can tell, poor password hygiene can undo even the strongest, longest password. That's why a good password policy must address both strength and hygiene.


Password policies and cybersecurity compliance

That password authentication is so widespread, yet so often such a weak security barrier, is a well-known issue called the “password problem.” For that reason, every major cybersecurity standard offers guidance on passwords, directly or indirectly.

CIS Password Policy Guide

The Center for Internet Security (CIS) is a non-profit organization with a mission to safeguard organizations against cyber threats. It publishes recommendations that, if followed, will improve businesses' cybersecurity posture.

The CIS Password Policy Guide offers two tiers of password recommendations: one when passwords are the only authentication method and another when passwords are just one of the multiple authentication methods.

                    Password-only authentication      Multi-factor authentication
Minimum length      14+ characters                    8+ characters
Composition         At least one non-alphabetic       No requirement
                    character
Change frequency    Only when an event occurs, such as staff turnover or a data breach
                    (same for both tiers)

The logic is that passwords should be stronger when passwords are the only thing between a cybercriminal and your accounts.

HIPAA Security Rule

The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establishes a standard for protecting electronic protected health information (ePHI).

The Security Rule states that healthcare organizations should follow basic information security principles. In other words, the “confidentiality, integrity, and availability of all e-PHI” should be upheld for all protected health data created, stored, or shared by the organization.

Upholding these tenets involves protection against reasonably anticipated threats and breaches. While the Security Rule does not prescribe specific password rules, proper password policies and hygiene are implicit in many of its requirements, under both the administrative and the technical safeguards.

In principle, the Security Rule can be met by following the agreed-upon best practices for cybersecurity and information security which, inevitably, involve a strong password policy.

PCI-DSS password guidelines

The Payment Card Industry Data Security Standard (PCI DSS) is a global security standard that applies to all entities that store, process, or transmit cardholder data. It consists of twelve requirements. Like HIPAA's Security Rule and the CIS Controls, it mirrors the best cybersecurity practices that mitigate cyber risk and safeguard data.

Requirement 2 stipulates that businesses must change all vendor-supplied default passwords. Not doing so, the document states, is the equivalent of “leaving your store unlocked when you go home for the night.”

In Requirement 8, “identify and authenticate access,” both strong passwords and multi-factor authentication are treated as essential measures for protecting cardholder data.

ISO/IEC 27001

ISO/IEC 27001, published jointly by the International Organization for Standardization and the International Electrotechnical Commission, is an international standard for information security, cybersecurity, and privacy protection. Certification against it is voluntary.

Annex A is the best-known part of the standard: a catalogue of controls that strengthen data security. In the 2013 edition, section A.9 covers access control, and that is where the guidance on password management lives.

To protect the confidentiality of sensitive data, the ISO controls call for “strong passwords” and a “password management system”, in addition to multi-factor authentication.

Password policy recommendations

All well-known cybersecurity standards recommend using strong passwords and good password management or hygiene. But what exactly does that mean?

Strong passwords

Strong passwords make a hacker's job difficult. They are complex, long, and difficult to guess. The following guidelines can help to create passwords that meet these criteria.

SHOULD include:
- At least 20 characters
- A variety of alphanumeric characters
- Multiple letter cases
- Random character combinations

SHOULD NOT include:
- Dictionary words
- The most common passwords
- Personal or company information

Keep in mind that your policy must be calibrated to what the systems your team actually uses will accept; otherwise, you end up with a policy that is impossible to follow. For example, security experts recommend allowing spaces (they make long passphrases easier to type and remember), yet many services still reject them.

Tip: Use a password generator to get super strong passwords instantly without testing your creativity.
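The two CIS tiers and the SHOULD / SHOULD NOT rules above can be encoded so that software, rather than the reader, enforces them. The following Python is an added example written for this article, not NordPass code. The word lists and the company name "acme" are constructed stand-ins for real blocklists, and the generator's symbol set is a parameter precisely so it can be narrowed to what a given target system accepts.

```python
"""Policy checker and generator for the rules described above (added example)."""
import re
import secrets
import string

# Constructed stand-in word lists. A real deployment would load a published
# common-password list (tens of millions of entries) plus the organisation's
# own names, products and locations.
COMMON_PASSWORDS = {"password", "123456", "abc123", "sunshine", "qwerty", "letmein"}
DICTIONARY_WORDS = {"summer", "winter", "welcome", "dragon", "monkey", "football"}
COMPANY_TERMS = {"acme"}  # hypothetical company name

# Undo the usual leet substitutions so "P@ssw0rd" is judged as "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})


def check_password(password: str, *, mfa: bool = False, personal_terms=()) -> list:
    """Return the list of policy violations; an empty list means it passes.

    Length and composition follow the two CIS tiers quoted on this page:
    14+ characters with at least one non-alphabetic character when the
    password is the only factor, 8+ characters and no composition rule
    when MFA is also enforced. The blocklist rules implement the
    SHOULD NOT column (common passwords, dictionary words, company or
    personal information).
    """
    min_len = 8 if mfa else 14
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not mfa and password.isalpha():
        problems.append("password-only tier needs a non-alphabetic character")

    lower = password.lower()
    norm = lower.translate(LEET)
    # Candidate "cores": as typed, de-leeted, and with digits/symbols stripped,
    # so "Summer2024!" is judged as "summer" and "P@ssw0rd!" as "password".
    cores = {lower, norm, re.sub(r"[^a-z]", "", lower), re.sub(r"[^a-z]", "", norm)}
    if cores & COMMON_PASSWORDS:
        problems.append("is a common password (possibly with padding or leet-speak)")
    elif cores & DICTIONARY_WORDS:
        problems.append("is a dictionary word padded with digits or symbols")
    for term in COMPANY_TERMS | {t.lower() for t in personal_terms if t}:
        if term in lower or term in norm:
            problems.append(f"contains company or personal term '{term}'")
    if re.fullmatch(r"(.)\1+", lower) or "12345" in lower or "abcde" in lower:
        problems.append("is a trivial repetition or sequence")
    return problems


def generate_password(length: int = 20, symbols: str = "!@#$%^&*-_+=") -> str:
    """Draw a random password with the CSPRNG in `secrets`, retrying until it
    satisfies the strict (password-only) policy. `symbols` is a parameter so
    the set can be narrowed to what a particular target system accepts."""
    alphabet = string.ascii_letters + string.digits + symbols
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ["123456", "Summer2024!", "P@ssw0rd!", "Acme-Corp-2024!", "Tr0ub4dor&3"]:
        print(f"{pw!r:20} {check_password(pw) or 'OK'}")
    print("MFA tier:", check_password("Tr0ub4dor&3", mfa=True) or "OK")
    print("generated:", generate_password(symbols="-_"))
```

Note that the same 11-character password passes the MFA tier and fails the password-only tier, which is exactly the calibration the CIS guide intends: the policy is stricter where the password is the only barrier.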

Good password hygiene

Good password hygiene also aims to keep your passwords out of intruders' reach — making it difficult or impossible to steal them and mitigating the damage if they are.

SHOULD involve:
- Using a unique password for each account
- Changing passwords after a breach, suspected compromise, or staff turnover (the standards above no longer call for rotation on a fixed schedule)
- Secure, end-to-end encrypted storage

SHOULD NOT involve:
- Storing passwords in plain text
- Reusing passwords across accounts
- Sharing passwords over instant messaging or email
- Keeping any default-issued passwords
- Writing passwords down where they can be accessed

Tip: Use a data breach scanner to determine whether your credentials have been compromised. If so, change them immediately.
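A breach scanner can check a password against hundreds of millions of leaked ones without ever receiving the password, or even its full hash, using the k-anonymity range scheme popularised by Have I Been Pwned. The following Python is an added example for this article, not NordPass code or the HIBP client: it implements the client side and a constructed stand-in for the server so the exchange runs offline. The breached passwords and their counts are invented for the demo.

```python
"""k-anonymity breach check: the client and a constructed stand-in service."""
import hashlib
from typing import Callable


def sha1_hex(password: str) -> str:
    """SHA-1 is used only because that is what the Pwned Passwords range API
    keys on; it is not a recommendation for storing passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class FakeRangeService:
    """Constructed stand-in for the server side of a range endpoint.

    It holds a small breached-password table (invented passwords and counts)
    and answers a 5-hex-character prefix with 'SUFFIX:COUNT' lines in the same
    shape the real API uses. Note what it records about clients: prefixes only.
    """

    def __init__(self, breached: dict):
        self.table = {}
        for pw, count in breached.items():
            digest = sha1_hex(pw)
            self.table.setdefault(digest[:5], []).append((digest[5:], count))
        self.seen_prefixes = []  # everything the "server" learned

    def range(self, prefix: str) -> str:
        if len(prefix) != 5:
            raise ValueError("range queries take exactly 5 hex characters")
        self.seen_prefixes.append(prefix.upper())
        rows = self.table.get(prefix.upper(), [])
        # A real service returns hundreds of suffixes per bucket; the server
        # cannot tell which one (if any) the client was actually looking for.
        return "\r\n".join(f"{suffix}:{count}" for suffix, count in rows)


def check_pwned(password: str, range_lookup: Callable[[str], str]) -> int:
    """Client side of the protocol: hash locally, send only the first 5 hex
    characters, and compare the remaining 35 against the returned suffixes.
    Returns the breach count, or 0 if the password is not in the set."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        found, _, count = line.strip().partition(":")
        if found.upper() == suffix:
            return int(count or 0)
    return 0


if __name__ == "__main__":
    # Constructed data: the counts are illustrative, not real breach figures.
    service = FakeRangeService({"password": 12, "123456": 34, "sunshine": 7})
    for pw in ["password", "sunshine", "correct-horse-battery-staple-99"]:
        hits = check_pwned(pw, service.range)
        print(f"{pw!r}: {'seen ' + str(hits) + ' times' if hits else 'not found'}")
    print("server saw only:", service.seen_prefixes)
```

The point to take away is in the last line of output: the service observes five hex characters per query, which narrows the candidate hashes to roughly one in a million but never identifies the password itself. To talk to the real endpoint you would replace `service.range` with an HTTPS GET of `https://api.pwnedpasswords.com/range/<prefix>`.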

Why password policies (alone) are doomed to fail

There's a reason it is so common to use weak passwords and practice poor password hygiene. And it's not a lack of awareness. By now, few among us can claim not to know that passwords like “password” and “123456” represent a security threat.

The truth is the average user is in a tough spot. You know that you should use strong passwords, especially at work. But the same features that make passwords “good” also make them impossible to remember.

And if you can't remember them, you have to store them somewhere handy. But, unfortunately, this “handy spot” often becomes equally convenient for cybercriminals.

That's why it isn't reasonable to expect that penning a policy is all it takes to improve your business's password health. Your team members are likely already aware of basic security principles but lack the tools to apply them. On top of everything else, they are likely to prioritize speed over security to get work done.

How to set up a password policy that works

With NordPass Business, you can set a password policy at the administrative level that is enforced automatically, giving your team the support it needs to maintain good password hygiene without slowing down workflow.

In the NordPass Business Admin Panel, you set the criteria for strong passwords that the Password Generator follows.

Members can generate strong passwords with the built-in Password Generator with one click and save them just as quickly. When needed, the passwords pop up automatically into form fields thanks to Autofill powered by machine learning.

That means you can unburden your team from the mental load of trying to create and remember complex passwords. And from a storage standpoint, your team's passwords stay safe in an ultra-secure, end-to-end encrypted vault. All in all, credentials are easy to access for your team but entirely out of reach to intruders.

Members can conveniently and securely share multiple passwords and other sensitive data stored in their vaults with various members at once using the Groups and Shared Folders features.

Meanwhile, you can monitor your team's password progress with a bird's-eye view of your company's Password Health metrics, with a rundown of all vulnerable (weak or reused) passwords that can compromise your cybersecurity.

Avoid choosing between security and convenience. Instead, implement a password policy that works with NordPass Business.
