How to implement a password policy that works

Kamile Viezelyte
Cybersecurity Content Writer

A staggering 20% of corporate passwords are the company name or a minor variation of it. That's the analog security equivalent of leaving your office door unlocked at night.

Though this information might be news to you, it's not to cybercriminals. Weak and reused passwords are a reliable gateway to businesses' sensitive data. Depending on the type of cyberattack, up to 80% of successful data breaches can be attributed to weak or stolen credentials.

You might consider implementing a password policy to encourage your team to use stronger passwords. But how can you create a policy that works, and what should you include? Today, we're talking about best practices for password policies.

What is a password policy?

First, let’s talk about password policies and how they work. A password policy is a set of rules that informs a team how to make decisions regarding password use and management. Such password policy requirements may vary slightly based on organizational needs, but they aim to improve cybersecurity by preventing cyberattacks that rely on weak and reused passwords.

Setting up a password policy typically means establishing conventions around passwords that make them difficult to hack. Password policies can also refer to rules and guidelines around setting passwords internally. This gives businesses administrative control over which password criteria an internally developed system can accept.

The criteria for a corporate password policy involve a recommended password length (starting at around 12 or 14 characters), the use of random mixed combinations of letters, numbers, and special characters, and the frequency of required password updates.

Organizations can use centralized password management systems to verify that all employees adhere to the password policy requirements and to force them to update their credentials. Enforcing these policies automatically makes it easier to ensure all employees follow the guidelines when creating passwords for work-related external accounts or software, such as Outlook, Google Workspace, or Zoom.

Why do you need a password policy?

To understand the need for a password policy, let's consider the alternative—how people usually tend to treat password management in a corporate setting.

Weak passwords are the (unfortunate) standard

Without the guidance of a password security policy, employees easily fall into the habit of using weak passwords that can be breached with minimal effort. For instance, “password” is as weak as they come—and yet, it made the top 5 of the 2024 list of the 200 most common passwords in the world. Although it would take hackers barely a fraction of a second to crack, it’s still used by millions of accounts around the globe.

If you assume that internet users behave more securely when creating corporate credentials, a study of breached Fortune 500 companies shows this is far from the case.

Predictable passwords like “123456” were among the most common picks, with others like “abc123” and “sunshine” making their way to the top 10 by industry. As mentioned, the company's name is also a common choice. Overall, the percentage of unique passwords was only 31% for all industries—to say nothing of the unique passwords' strength.

A different study of management, owners, and C-suite executives' credentials demonstrated that even leadership team members are no better at using strong, secure passwords. Needless to say, weak passwords—which should be avoided at all costs—are the norm in many work environments and across all employee levels.

Weak passwords represent a massive cyber vulnerability

As we’ve established, weak passwords can be hacked in less than a second. It’s unsurprising that Verizon's Data Breach Investigations Report has shown that credentials are involved in around 50% of all breaches—that’s more than twice as often as phishing attacks.

To make matters worse, using weak passwords is often combined with poor password hygiene. The most common password hygiene sins are storing passwords in insecure locations and reusing the same passwords for multiple accounts.

Passwords written on sticky notes, stored on your desktop, or shared in Excel spreadsheets are particularly egregious examples of improper password storage. A password written in plain sight is all too convenient for an intruder in your workspace. And for cybercriminals who have gained access to the company’s computer network, unencrypted lists of passwords stored in offline documents are easy prey.

As you can tell, poor password hygiene can defeat even the strongest, longest password—that's why a good password policy must address both.

Cybersecurity compliance and password policy: best practices

Although passwords are often the first line of defense in corporate cybersecurity infrastructure, the numbers show that employees don’t take them quite as seriously. One way to ensure that the company’s security isn’t compromised by breached credentials is to include and enforce a password policy in the cybersecurity infrastructure.

Establishing a password policy also helps organizations adhere to cybersecurity compliance regulations. Different password policy guides exist to help companies meet the required standards and keep employee and client data secure.

CIS Password Policy Guide

The Center for Internet Security (CIS) is a non-profit organization with a mission to safeguard organizations against cyber threats. It publishes recommendations that, if followed, will improve businesses' cybersecurity posture.

The CIS Password Policy Guide offers 2 tiers of password recommendations: one when passwords are the only authentication method, and another when passwords are just one of multiple authentication methods.

| Elements | Password-only authentication | Multi-factor authentication (MFA) |
|---|---|---|
| Length | 14+ characters | 8+ characters |
| Strength | Require at least 1 non-alphabetic character | No complexity requirement |
| Hygiene | Change frequency: when an event occurs, such as staff turnover or a data breach. Otherwise, change a password once a year. | Change frequency: when an event occurs, such as staff turnover or a data breach. Otherwise, change a password once a year. |

The logic is that passwords should be stronger when they are the only measure between a cybercriminal and your accounts.

The HIPAA Security Rule

The HIPAA Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establishes a standard for safeguarding electronic protected health information (ePHI).

The Security Rule states that healthcare organizations should follow basic information security principles. In other words, the “confidentiality, integrity, and availability of all e-PHI” should be upheld for all protected health data created, stored, or shared by the organization.

Upholding these tenets involves protection against anticipated threats or breaches. Although the Security Rule does not define specific password protocols, many requirements imply proper password policies and hygiene under administrative and technical safeguards.

In principle, the Security Rule can be met by following the agreed-upon best practices for cybersecurity and information security, which, inevitably, involve a strong password policy.

The PCI-DSS password guidelines

The Payment Card Industry Data Security Standard (PCI DSS) is a global security standard that applies to all entities that process, store, or transmit personal and payment information. Like HIPAA's Security Rule and the CIS Controls, it mirrors the best cybersecurity practices that mitigate cyber risk and safeguard data. The PCI DSS consists of 12 requirements, but we’ll focus on two that are closely related to password policies.

Requirement 2 of the Standard stipulates that businesses should change all default system passwords to new, stronger ones. Not doing so, the document states, is the equivalent of “leaving your store physically unlocked when you go home for the night.”

Requirement 8 is to “identify and authenticate access to system components.” Strong passwords and multi-factor authentication are encouraged as essential measures to protect cardholder data.

The NIST Password Policy

The National Institute of Standards and Technology (NIST) is a US federal agency that has become a significant authority on password guidelines. The NIST Password Policy provides several recommendations for creating secure passwords and managing them safely. Unlike traditional advice, NIST focuses on user-friendly policies while maintaining strong security.

For instance, NIST recommends allowing longer passwords (up to 64 characters), supporting a diverse character set (including spaces and emojis), and eliminating periodic password changes unless there is evidence of compromise.

In essence, NIST encourages the creation of unique, easy-to-remember phrases instead of complex, hard-to-recall alphanumeric combinations. Its guidelines further emphasize the need for multi-factor authentication as an additional layer of security and discourage the practice of password hinting and knowledge-based authentication questions (like the name of your first pet), which can be easily exploited.

NIST's comprehensive approach to password security underscores its commitment to balancing user experience with robust data protection. This is why its standards are widely adopted across industries globally.

ISO/IEC 27001

The International Organization for Standardization/International Electrotechnical Commission 27001 (ISO/IEC 27001) is a voluntary certification on information security, cybersecurity, and privacy protection.

Annex A is among the best-known annexes of the ISO standard. It includes recommendations that strengthen data security. More specifically, section A.9 pertains to access control, where you'll find guidelines for password management.

To protect the confidentiality of sensitive data, the ISO guidelines recommend “strong passwords” and a “password management system” in addition to multi-factor authentication.

Password policy recommendations

All well-known cybersecurity standards recommend using strong passwords and good password management or hygiene. But what exactly does that mean?

Strong passwords

Setting up a strong password policy helps make a hacker's job difficult. The following guidelines can help to create passwords that are complex, long, and difficult to guess.

| SHOULD include | SHOULD NOT include |
|---|---|
| At least 8 characters, recommended more | Dictionary words |
| A variety of alphanumeric characters | The most common passwords |
| Symbols | Personal or company information |
| Multiple letter cases | The same characters used twice in a row (e.g., 112233) |
| Random character combinations | |

Keep in mind that your password policy should be calibrated to the password criteria that systems commonly accept. Otherwise, you'll end up with a policy that's impossible to follow. For example, cybersecurity experts say the strongest passwords should allow the use of a space. However, it's common for spaces to be prohibited.
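As an added illustration (not code from the original article or from NordPass's products), the Python checker below encodes the SHOULD / SHOULD NOT rules from the table above and the two CIS tiers from the earlier table as one configurable policy object, so the same function can validate a password against either tier. The common-password and dictionary lists are constructed samples, and the tier names and the blocked company term "Acme" are assumptions made for the example.

```python
import re
import string
from dataclasses import dataclass, field

# Constructed sample lists; a real deployment loads full common-password and
# dictionary lists (the article's table names both as things to reject).
COMMON_PASSWORDS = {"password", "123456", "abc123", "sunshine", "qwerty"}
DICTIONARY_WORDS = {"summer", "welcome", "dragon", "monkey"}

@dataclass
class PasswordPolicy:
    min_length: int = 8
    require_mixed_case: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    require_non_alpha: bool = False   # CIS: "at least 1 non-alphabetic character"
    forbid_repeat_runs: bool = True   # rejects the 112233 pattern
    blocked_terms: set = field(default_factory=set)  # company name, username, etc.

# The two CIS tiers from the earlier table, expressed in the same structure (assumed names).
CIS_PASSWORD_ONLY = PasswordPolicy(min_length=14, require_mixed_case=False,
                                   require_digit=False, require_symbol=False,
                                   require_non_alpha=True, forbid_repeat_runs=False)
CIS_WITH_MFA = PasswordPolicy(min_length=8, require_mixed_case=False,
                              require_digit=False, require_symbol=False,
                              forbid_repeat_runs=False)

def check_password(pw: str, policy: PasswordPolicy) -> list:
    """Return the rules the password violates; an empty list means accepted."""
    problems, low = [], pw.lower()
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_mixed_case and (pw.lower() == pw or pw.upper() == pw):
        problems.append("needs both upper- and lower-case letters")
    if policy.require_digit and not any(c.isdigit() for c in pw):
        problems.append("needs a digit")
    if policy.require_symbol and not any(c in string.punctuation for c in pw):
        problems.append("needs a symbol")
    if policy.require_non_alpha and pw.isalpha():
        problems.append("needs at least one non-alphabetic character")
    if policy.forbid_repeat_runs and re.search(r"(.)\1", pw):
        problems.append("same character used twice in a row")
    if low in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if any(word in low for word in DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    if any(term.lower() in low for term in policy.blocked_terms):
        problems.append("contains personal or company information")
    return problems
```

Calling `check_password("Acme2024!", PasswordPolicy(blocked_terms={"Acme"}))` returns only the company-information violation, while the same password passes the two CIS tiers, which do not block company terms unless `blocked_terms` is set on them.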

Tip: Use a password generator to get super strong passwords instantly without testing your creativity.

Good password hygiene

Good password hygiene also aims to keep your passwords out of intruders' reach, making them difficult to steal, and mitigating the damage in case they’re breached.

| SHOULD involve | SHOULD NOT involve |
|---|---|
| Using unique passwords for each account | Storing passwords in plaintext |
| Changing passwords regularly or after a breach or staff turnover | Repeating passwords |
| Secure, end-to-end encrypted storage | Sharing passwords over instant messaging or email |
| | Keeping any default-issued passwords |
| | Writing passwords down where they can be accessed |

Use a data breach scanner to determine whether your credentials have been compromised. If so, change them immediately.

Why password policies (alone) are doomed to fail

There's a reason it is so common to use weak passwords and practice poor password hygiene—and it's not a lack of awareness. By now, few among us can claim not to know that passwords like “password” and “123456” pose a security threat.

The truth is, the average user is in a tough spot. You know that you should use strong passwords, especially at work. But the same features that make passwords “good” also make them impossible to remember. If you can't remember them, you have to store them somewhere handy. Unfortunately, that “handy spot” often becomes equally convenient for cybercriminals.

That's why it isn't reasonable to expect that penning a policy is all it takes to bolster your business's password health. Your team members are likely already aware of basic security principles but lack the tools to apply them. On top of everything else, they are likely to prioritize speed over security to get work done.

The Active Directory Password Policy

Active Directory (AD) is a Microsoft product that manages users and computers within a network. The Active Directory Password Policy is a set of rules defined by system administrators to govern password creation and maintenance in an organization.

The password policy generally includes directives such as the minimum password length, password complexity requirements (including uppercase, lowercase, numeric, or non-alphanumeric characters), and password history settings to prevent users from reusing old passwords.

The policy also sets a password's maximum age, forcing users to create new passwords after a defined period. Other considerations might include account lockout policies that restrict a user account after a certain number of failed login attempts.

AD provides 2 types of password policies: the default domain policy and fine-grained password policies. The latter allows different policies for different user groups within the same domain, providing flexibility for different security requirements.

How to set up a password policy that works

With NordPass Business, you can set a corporate password policy at the administrative level that you can implement automatically, offering your team all the support it needs to maintain excellent password hygiene without slowing down the workflow.

In the NordPass Business Admin Panel, you set the criteria for strong passwords that the Password Generator follows.

Using the built-in Password Generator, users can generate strong passwords and save them just as quickly. When needed, the passwords pop up automatically into form fields thanks to autofill powered by machine learning.

That means you can unburden your team from the mental load of trying to create and remember complex passwords. And from a storage standpoint, your team's passwords stay safe in an ultra-secure, end-to-end encrypted vault. With NordPass, all credentials are easy for your team to access but entirely out of reach to intruders.

Members can conveniently and securely share multiple passwords and other sensitive data stored in their vaults with others using the Groups and Shared Folders features. They can set a time limit for how long these shared credentials can be accessed and choose the access level to allow others to autofill, view, or edit passwords.

Meanwhile, you can monitor your team's password progress with a bird's-eye view of your company's Password Health metrics, with a rundown of all vulnerable (weak or reused) passwords that can compromise your cybersecurity.

You don’t have to choose between security and convenience. Simply implement a password policy that works with NordPass Business instead.
