<img src="https://ws.zoominfo.com/pixel/6169bf9791429100154fc0a2" width="1" height="1" style="display: none;">

Life's like a box of chocolates 🍫 Your access shouldn't be. Register for our new webinar.

Close icon
Search bar icon

5 Password Policy Best Practices You Can Implement

StrongDM manages and audits access to infrastructure.
  • Role-based, attribute-based, & just-in-time access to infrastructure
  • Connect any person or service to any infrastructure, anywhere
  • Logging like you've never seen

Passwords are one of the most common targets for hackers, so it’s imperative that your company enforce a strong password policy. This policy will not only define the requirements of the password itself but the procedure your organization will use to select and securely manage passwords.

5 Password Policy Best Practices

1. Use a password manager

One of the biggest complaints your users may voice about your password requirements is “I’ll never remember a password like that!”  The good news is that by using a password manager, they won’t have to. A password manager - also sometimes called a password vault - is a convenient way to store passwords securely without having to commit them to memory.  The basic idea is you only have to remember a single password - which in turn opens up access to the rest of your passwords. Popular tools in this space include 1Password, LastPass, and Dashlane.  

Many of these tools will plug right into your users’ Web browsers, so next time a user signs up for an online service, the password manager will offer up an extremely secure password such as B6KcwU}9wP7JKfunE8vpG2fYyaB, which will be saved automatically for future use.  This way, the user isn’t tempted to use one of the world’s worst passwords, such as passw0rd.

2. Password creation

Clearly define password complexity requirements - including uppercase letters, lowercase letters, and minimum password length. This is an area where organizations tend to get a bit carried away.  It’s natural to think that a longer password is better, so some system administrators increase password minimum length to 15 or 20 characters. According to the password guidance published by Microsoft, longer passwords are not always better.  Among the recommendations in the paper, Microsoft advises:

  • Passwords should contain a minimum of 8 characters
  • Use a unique password for each site
  • Use multifactor authentication (MFA) wherever possible

Conveniently, using a password manager allows users to easily create passwords that meet your organization’s requirements.  Most of these solutions also support MFA, so you can add another layer of security to your password protection as well.

3. Password protection

In addition to enforcing what password management tools your users should use, such as a password manager, your policy needs to outline the ways users should not store passwords as well.  In other words, getting users to configure a password manager is great, but if they store their master password on a sticky note tucked under a keyboard, that’s not great!

Consider the following guidance statements to include in your password policy:

  • Store passwords in the provided password management tool
  • Use a unique password for each online account/service
  • Passwords should be treated as confidential and not shared with anyone
  • Do not write passwords down on paper
  • If you suspect unauthorized access to your account or think your password may be compromised, change your password immediately

Additionally, make sure employees are only using password managers approved by the company.  To make the adoption of a password manager easier, most of these products will also integrate right into your Active Directory.  That way, you can easily share passwords and enable access control between various users and groups without having to configure a separate permissions structure.

4. Password rotation

Outside of being forced to pick new passwords, users generally loathe periodic password changes as well.  Many information security experts feel that regular password rotation actually encourages users to be less secure with their practices.  For example, if a user account password is Winter2018, the next time they’re forced to do a password change, they might pick Spring2018.  Or if users are currently forced to use 10-character passwords and the organization ups the minimum to 12, users with Password12 as their password will just use Password1234.  In other words, users tend to use the minimum amount of effort to meet the password requirements. Thus they are likely to pick weak passwords.  According to the Microsoft password guidance document referenced earlier, if strong and unique passwords are used, you should be able to eliminate the need for periodic user account password rotations.  Still, as a general practice, companies are rotating passwords every quarter or at least twice a year.

5. Other tools to consider

As you choose your password requirements and consider using tools like a password manager, you might also want to look into additional ways to streamline password use throughout your organization.  SSO (Single Sign-On) is a service that allows users to submit a username and password to a single portal and then be passed seamlessly to other services without having to re-authenticate. For example, you could set up SSO so that after logging into your directory system in the morning, users can check email, join Slack and manage timesheets without ever having to provide their credentials manually to any of those systems.  

As talked about earlier in this post, multi-factor authentication is a good complement to a strong password.  MFA is generally considered to be something you know (like your password) plus one of the following as an extra layer of protection:

Something you have

  • Text message
  • An app (such as Google Authenticator or Microsoft Authenticator)

Something you are

  • Retina scan
  • Fingerprint

Until someone creates a better solution, we will continue to use passwords to protect our most sensitive accounts and data.  A password policy, coupled with MFA, will help strengthen password requirements and make it much harder for attackers to breach our systems.  And because so much of our work life is online, not having a password policy in today’s age is simply negligent.


About the Author

, Security Engineer / Podcaster, is the president of 7 Minute Security, an information security consultancy in the Minneapolis area. Brian spends most of his days helping companies defend their networks.

Since 2004, Brian has also run the blog/podcast called 7 Minute Security, where he shares what he has learned about information security into short, 7-minute chunks.

StrongDM logo
💙 this post?
Then get all that StrongDM goodness, right in your inbox.

You May Also Like

Beyond SASE: Strengthening Security with Dynamic Access Management
SASE or Dynamic Access Management? Here’s Why You Need Both
While SASE excels in providing broad network security coverage and solves broad issues for regular enterprise users, it is not equipped to address the specific requirements of privileged users who wield extensive administrator or superuser privileges. Dynamic Access Management (DAM) addresses the specific needs of privileged users by providing granular control over their access grants and sessions in real time.
Leveraging CSA Cloud Security Matrix (CMM) for Enhanced Cloud Security
Leveraging CSA CCM with StrongDM for Enhanced Cloud Security
The CSA CCM is a cybersecurity control framework specifically designed for cloud computing. It outlines a comprehensive set of best practices and security controls across 17 domains that are designed to ensure that cloud environments are secure and resilient against an ever expanding threat landscape. The CCM framework is structured to provide clarity and actionable guidance for the implementation of security measures in a prescriptive and adaptable way for recognized compliance standards and control frameworks.
How to Prevent Credential Stuffing [9 Best Practices]
How to Prevent Credential Stuffing [9 Best Practices]
In this article, we’ll explore the risks of credential stuffing attacks, common techniques used by attackers, signs that your accounts may be compromised, and credential stuffing prevention techniques you can use to reduce your risk.
What Is Fine-Grained Access Control? Challenges, Benefits & More
What Is Fine-Grained Access Control? Challenges, Benefits & More
Fine-grained access control systems determine a user’s access rights—to infrastructure, data, or resources, for example—once past initial authentication. Unlike coarse-grained access control (CGAC), which relies on a single factor, such as role, to grant access, FGAC relies on multiple factors. For example, it may consider policies (policy-based access control, or PBAC), attributes (attribute-based access control, or RBAC), or a user’s behavior in a certain context (behavior-based access control, or BBAC).
Joiners, Movers, and Leavers (JML) Process (How to Secure It)
Joiners, Movers, and Leavers (JML) Process (How to Secure It)
People come, and people go, and while digital identities should cease to exist after a departure, many times, this doesn’t happen. At any given time, organizations can have thousands of user identities to manage and track, so when processes aren’t automated, it’s easy for many identities to fall through the cracks. This phenomenon is called Identity Lifecycle Management, and when it comes to access and security, it’s worth the time to get it right.