How to Implement a Password Policy That Works

Content Writer

A staggering 20% of corporate passwords are the company name or a minor variation of it. That's the analog security equivalent of leaving your office door unlocked at night.

Though this information might be news to you, it's not to cybercriminals. Weak and reused passwords are a reliable gateway to businesses' sensitive data. Depending on the type of cyberattack, up to 80% of successful data breaches can be attributed to weak or stolen credentials.

You might consider implementing a password policy to encourage your team to use stronger passwords. But how can you create a policy that works, and what should you include? Today, we're talking about best practices for password policies.

What is a password policy?

A password policy informs your team about how to make decisions around creating and managing passwords.

A password policy aims to improve cybersecurity by preventing cyberattacks that rely on weak and reused passwords. That usually means establishing conventions around passwords that make them difficult to hack.

Password policies can also refer to rules and guidelines around setting passwords internally. This gives businesses administrative control over which password criteria an internally developed system can accept.

Because these policies can be enforced automatically by software, the advice below focuses on external-facing password policies. In other words, it will offer advice for establishing the guidelines employees should follow when creating passwords for external accounts or software for corporate use, such as Outlook, Google Workspace, or Zoom.

Why do you need a password policy?

To understand the need for a password policy, let's consider the alternative — looking at the default behaviors around password management in a corporate setting.

Weak passwords are the (unfortunate) standard

Without guidance, users reliably choose weak passwords.

Weak passwords can be easily guessed or hacked with minimal effort. “Password,” for instance, is as weak as they come. And yet our research reveals that this is the most common password in 2022. This password has been used millions of times around the world.

If you suspect that internet users adopt more secure behavior when creating corporate credentials, a study of breached Fortune 500 companies has shown this is not so.

Predictable passwords such as “123456” topped the list of most common passwords, with others like “abc123” and “sunshine” making their way to the top 10 by industry. As mentioned, the company's name is also a common choice.

Overall, the percentage of unique passwords was only 31% for all industries – to say nothing of the unique passwords' strength.

A different study of management, owners, and C-suite executives' credentials demonstrated that even leadership team members are no better at using strong, secure passwords.

Suffice it to say: People use weak passwords at work.

Weak passwords represent a massive cyber vulnerability

Weak passwords, like those mentioned above, can be hacked in less than one second. So it's no surprise that according to Verizon's most recent Data Breach Investigation Report, credentials are involved in nearly 50% of all breaches — more than twice as often as phishing attacks.

To make matters worse, using weak passwords is often combined with poor password hygiene. The most common password hygiene sins are storing passwords in insecure locations and reusing the same passwords for multiple accounts.

Passwords stored on sticky notes on your desktop or in Excel spreadsheets are two particularly egregious examples of improper password storage. A password written in plain sight is all too convenient for an intruder in your workspace.

On your virtual desktop, a list of passwords is low-hanging fruit to cybercriminals who have secretly gained access to your device.

As you can tell, poor password hygiene can defeat even the strongest, longest password. That's why a good password policy must address both.

Password policies and cybersecurity compliance

That password authentication is so standard, yet often, such a weak security barrier is a widespread and well-known issue known a the “password problem.” For that reason, all cybersecurity standards either directly or indirectly offer guidance on passwords.

CIS Password Policy Guide

The Center for Internet Security (CIS) is a non-profit organization with a mission to safeguard organizations against cyber threats. It publishes recommendations that, if followed, will improve businesses' cybersecurity posture.

The CIS Password Policy Guide offers two tiers of password recommendations: one when passwords are the only authentication method and another when passwords are just one of multiple authentication methods.

Password-only authentication
Multi-factor authentication
14+ characters
8+ characters
Require at least one non-alphabetic character
No requirement
Change frequency: only when an event occurs, such as staff turnover or a data breach.

The logic is that passwords should be stronger when passwords are the only measure between a cybercriminal and your accounts.

The HIPAA Security Rule

The HIPAA Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establishes a standard for protecting electronic protected health information (ePHI).

The Security Rule states that healthcare organizations should follow basic information security principles. In other words, the “confidentiality, integrity, and availability of all e-PHI” should be upheld for all protected health data created, stored, or shared by the organization.

Upholding these tenets involves protection against anticipated threats or breaches. While the Security Rule does not define specific password protocols, proper password policies and hygiene are implicit in many requirements — under administrative and technical safeguards.

In principle, the Security Rule can be met by following the agreed-upon best practices for cybersecurity and information security which, inevitably, involve a strong password policy.

The PCI-DSS password guidelines

The Payment Card Industry Data Security Standard (PCI DSS) is a global security standard that applies to all entities that process, store, or transmit personal and payment information. It consists of 12 requirements. Like HIPAA's Security Rule and the CIS Controls, it mirrors the best cybersecurity practices that mitigate cyber risk and safeguard data.

Requirement two of the Standard stipulates that businesses should change all default system passwords. Not doing so, the document states, is the equivalent of “leaving your store unlocked when you go home for the night.”

Requirement eight is to “identify and authenticate access.” Strong passwords and multi-factor authentication are encouraged as essential measures to protect cardholder data.

The NIST Password Policy

The National Institute of Standards and Technology (NIST) is a U.S. federal agency that has become a significant authority on password guidelines. The NIST password policy provides several recommendations for creating secure passwords and managing them safely. Unlike traditional advice, NIST focuses on user-friendly policies while maintaining strong security.

For instance, NIST recommends allowing longer passwords (up to 64 characters), supporting a diverse character set (including spaces and emojis), and eliminating periodic password changes unless there is evidence of compromise.

In essence, NIST encourages the creation of unique, easy-to-remember phrases instead of complex, hard-to-recall alphanumeric combinations. Their guidelines further emphasize the need for multi-factor authentication (MFA) as an additional security layer and discouraging the practice of password hinting and knowledge-based authentication questions (like your first pet's name) which can be easily exploited.

NIST's comprehensive approach to password security underscores its commitment to balancing user experience with robust data protection. This is why its standards are widely adopted across industries globally.

ISO/IEC 27001

The International Organization for Standardization/International Electrotechnical Commission 27001 (ISO/IEC 27001) is a voluntary certification on information security, cybersecurity, and privacy protection.

Annex A is among the best-known annexes of the ISO standard. It includes recommendations that strengthen data security. More specifically, section A.9 pertains to access control, where you'll find guidelines for password management.

To protect the confidentiality of sensitive data, the ISO guidelines recommend “strong passwords” and a “password management system” in addition to multi-factor authentication.

Password policy recommendations

All well-known cybersecurity standards recommend using strong passwords and good password management or hygiene. But what exactly does that mean?

Strong passwords

Strong passwords make a hacker's job difficult. They are complex, long, and difficult to guess. The following guidelines can help to create passwords that meet these criteria.

SHOULD include
SHOULD NOT include
At least 20 characters
A variety of alphanumeric characters
Multiple letter cases
Random character combinations
Dictionary words
The most common passwords
Personal or company information

Keep in mind your password policy should be calibrated by standard password criteria. Otherwise, you'll end up with a policy that's impossible to follow. For example, cybersecurity experts say the strongest passwords should allow spaces. However, it's common for spaces to be prohibited.

Tip: Use a password generator to get super strong passwords instantly without testing your creativity.

Good password hygiene

Good password hygiene also aims to keep your passwords out of intruders' reach — making it difficult or impossible to steal them and mitigating the damage if they are.

SHOULD involve
SHOULD NOT involve
Using unique passwords for each account
Changing passwords regularly or after a breach or staff turnover
Secure, end-to-end encrypted storage
Storing passwords in plain text
Repeating passwords
Sharing passwords over instant messaging or email
Keeping any default-issued passwords
Writing passwords down where they can be accessed

Use a data breach scanner to determine whether your credentials have been compromised. If so, change them immediately.

Why password policies (alone) are doomed to fail

There's a reason it is so common to use weak passwords and practice poor password hygiene. And it's not a lack of awareness. By now, few among us can claim not to know that passwords like “password” and “123456” represent a security threat.

The truth is that the average user is in a tough spot. You know that you should use strong passwords, especially at work. But the same features that make passwords “good” also make them impossible to remember.

And if you can't remember them, you have to store them somewhere handy. But unfortunately, this “handy spot” often becomes equally convenient for cybercriminals.

That's why it isn't reasonable to expect that penning a policy is all it takes to bolster your business' password health. Your team members are likely already aware of basic security principles but lack the tools to apply them. On top of everything else, they are likely to prioritize speed over security to get work done.

The Active Directory Password Policy

Active Directory (AD) is a Microsoft product that manages users and computers within a network. The Active Directory Password Policy is a set of rules defined by system administrators to govern password creation and maintenance in an organization.

The password policy generally includes directives such as minimum password length, password complexity requirements (including uppercase, lowercase, numeric, or non-alphanumeric characters), and password history settings to prevent users from reusing old passwords.

The policy also sets a password's maximum age, forcing users to create new passwords after a defined period. Other considerations might include account lockout policies that disable a user account after a certain number of failed login attempts.

AD provides two types of password policies: the default domain policy and fine-grained password policies. The latter allows different policies for different user groups within the same domain, providing flexibility for different security requirements.

How to set up a password policy that works

With NordPass Business, you can set a password policy at the administrative level that you can implement automatically — offering your team all the support it needs to maintain excellent password hygiene without slowing down the workflow.

In the NordPass Business Admin Panel, you set the criteria for strong passwords that the Password Generator follows.

With just one click, users can generate strong passwords with the built-in Password Generator and save them just as quickly. When needed, the passwords pop up automatically into form fields thanks to autofill powered by machine learning.

That means you can unburden your team from the mental load of trying to create and remember complex passwords. And from a storage standpoint, your team's passwords stay safe in an ultra-secure, end-to-end encrypted vault. All in all, credentials are easy to access for your team but entirely out of reach to intruders.

Members can conveniently and securely share multiple passwords and other sensitive data stored in their vaults with various members at once using the Groups and Shared Folders features.

Meanwhile, you can monitor your team's password progress with a bird's-eye view of your company's Password Health metrics, with a rundown of all vulnerable (weak or reused) passwords that can compromise your cybersecurity.

Avoid choosing between security and convenience. Instead, implement a password policy that works with NordPass Business.

Subscribe to NordPass news

Get the latest news and tips from NordPass straight to your inbox.