Why You Need to Implement Password Policy Best Practices

password policy best practices you should know

Strong passwords are the first line of defense in protecting your business data and customer information. But many companies have weak or non-existent password policies, putting them at a heightened risk for data hacking.

Cyber attacks are becoming more common every day. The number of significant breaches at US businesses, government agencies and other organizations topped 3,813 in 2019, exposing over 4.1 billion records. Reported breaches increased by 54% compared to mid-year 2018.

Every employee has a role to play in protecting their company’s sensitive data – and that means abiding by a stringent password policy. Here are our top password policy best practices and tools you can implement today.


While most business owners would agree that data security is a top priority, many don’t take the time to implement the measures that would have the most significant impact in ensuring security.

Lax password security is a major problem in many businesses. Individuals often use the same password for their personal and business accounts, or choose a password that’s easy to crack Ironically, one of the most effective ways to prevent data theft and cyber attacks is one of the simplest: creating and maintaining strong passwords.

Don’t think you’re in danger of a breach? Even low-risk points of access can have a massive impact on your business if it falls into the wrong hands. For example, your entire customer database could be deleted or shared on the internet. Hackers could place false orders to steal inventory or your customers’ credit card numbers. 

An effective password policy is a set of rules that govern password creation and prevent sensitive data from being stolen. Be clear on which systems the policies apply to and document how the plan will be practiced and enforced.


Here are twelve password policy best practices to follow:

1. Enforce Password History 

Do not use the same password for every site, application and service. If one site is compromised, it could affect the rest of your business. Maintaining a history of at least ten previous passwords discourages users from password repetition.

2. Set Maximum Password Age 

Users should change passwords periodically to help ensure network security. Require password changes every 30, 60 or 90 days depending upon your security needs. 

3. Set Minimum Password Age 

Setting a minimum password age prevents users from entering a new password and then immediately changing it back to their old one. Consider setting the minimum password age to three to seven days. 

4. Limit Login Time 

Systems should not allow users to remain logged in indefinitely or have “remember me” features. Implement timed logouts and require passwords at the start of each new session.

5. Send Email Notifications

Sending email notifications before password expiration notifies users when it’s time to change their passwords.

6. Set Complexity Requirements 

For maximum security: 

  • Use unique, randomly generated passwords. Passwords should be nonsensical combinations of letters (upper and lowercase), numbers and symbols. One simple rule: if you can find your password in the dictionary, don’t use it.
  • Be impersonal. Passwords should not contain any elements of the user’s name, phone number, birth date or other easily obtained information. If a user is the target of a spear phishing attempt, hackers may have information that they can use to uncover passwords. 
  • Avoid repetitive or sequential characters like 111111 or abcd1234.
  • Eight is great. Longer passwords are more difficult to break. Enforce a password length of at least eight characters. 

Note to administrators: system defaults on passwords are often set to zero, which means users can bypass passwords altogether. Check to make sure you set minimum password lengths.

7. Create a Passphrase

A passphrase can contain symbols, numbers, sentences and punctuation to create longer, more complex safeguards. Consider allowing a 64 character length to accommodate passphrases.

8. Implement Multi-Factor Authentication

Authentication is a process that verifies a user’s identity before granting access. There are several common ways a user can prove their identity: 

  • Something you know:  information only the user knows, like a password or answer to a “secret” question
  • Something you have:  an item the user possesses, like a card or a one-time password token (OPT token)
  • Something you are: biometric user data, like a fingerprint, retina scan, or voice recognition
  • Somewhere you are: uses a smartphone’s GPS to determine a user’s identity by location

Two-factor authentication, or 2FA, utilizes two of these factors to verify the user’s identity. 

Multi-factor authentication, or MFA, involves two or three of these factors. 

Four-factor identification, or 4FA, is a newer form of authentication using all four factors for higher security requirements. 

9. Prohibit Login Sharing 

Do your employees or associates share their login credentials? Even in small organizations, logging into another user’s account creates serious security concerns. Requiring that each person use their unique login — and only their unique login — helps track issues and alleviates chaos.

10.  Use a Password Generator 

It’s challenging to create very strong passwords containing letters, numbers and characters on the fly. Password generators create unique, randomly generated passwords easily.

11. Use an Encrypted Database to Manage Passwords

Many people use the same passwords for every site and account, which increases your hacking risk. If users log into several systems, require using separate passwords for each one. 

Since complex passwords are almost impossible to remember, using a password manager is highly recommended. Make sure your systems allow paste functionality so that users can use password managers successfully.

12. Reset Administrator Passwords Periodically

Your local administrator password should be reset every 180 days for optimal security. Service account passwords should be reset at least once a year during maintenance.


There are three kinds of tools you can use to create, store and test your passwords: password generators, password managers and password strength testers.

Password Generators

The following password generators allow your users to create strong passwords easily. Each will enable you to determine your desired password length and character options and features a convenient copy button.

Password Managers

Password managers can assist you in generating and retrieving complex passwords by storing them in encrypted databases.

Here’s some top password managers currently available:

  • 1Password: A password manager with business and personal products (and our favorite). The business version allows you to manage user roles, and you get usage reports to see how employees use their passwords at work.
  • RoboForm: Allows you to store and manage passwords easily, and save new passwords as you browse. Log into any website with one click and securely share login information with other RoboForm users. 
  • Zoho Vault: Teams use this browser extension to store, share and manage passwords and other sensitive data securely. Zoho Vault allows you to log in to websites directly without manually entering login credentials, and instantly remove users once they quit. It also tracks actions and enables you to see a complete record of password access.
  • LastPass: This browser extension allows you to create a master password for securing all other passwords. You can save login info, import sites from email and more.
  • Sticky Password: Provides auto-fill capabilities, application support, multi-device sync and identity storage. It’s designed to store all passwords into one centralized and encrypted database.
  • Password Boss: Stores every password, provides automatic website login and offers protection from security breaches by creating unique, strong passwords for every site.

Password Strength Testers

Do you have a password you want to use but are unsure of its strength? Password strength testers enable you to determine whether your password sufficiently passes the guidelines listed above.

How Secure is My Password

The Password Meter

Have I Been Pwned


Hackers look for any opportunity to steal sensitive information. It’s vital to put password policies in place to protect your business and your employees from cyber attacks.

Your password policy should be a standalone document laying out its purpose, scope, roles and responsibilities. If you need help creating or enforcing an effective password policy, Helixstorm can help. Helixstorm is a managed service provider that can solve your immediate headaches while building your technology future.

Have more questions on password management or security? Contact us today.