
Guide to Password Policies for Businesses (updated for 2025)

Why Strong Password Policies Matter

Passwords remain a critical security barrier between your business and unauthorized access to your systems and data. Weak or poorly managed user passwords can lead to data breaches, financial loss, reputational damage, compliance violations and legal repercussions. The list goes on... In today’s threat landscape, which is riddled with phishing, brute-force attacks and credential stuffing, a robust password policy is non-negotiable.

This guide is provided as a starting point towards authentication security, but it is by no means exhaustive and further reading is highly recommended.

 

Core Elements of a Strong Password Policy

1. Minimum Password Requirements

Require a minimum of 12 characters, and encourage passphrases.

Example:

A combination of unrelated words (e.g., “OceanBananaGuitar42”) is stronger and more memorable than “P@ssw0rd!”.

The second example has just 9 characters. Modern standards no longer emphasize “complexity” (mandatory use of special characters); instead, focus on a minimum length of at least 12 characters.

·       Let users include special characters, numbers, etc. if they wish, but don’t make it mandatory.

·       A caveat to the above: yes, you will find that organisations you sign up with online insist on alphanumeric/special characters. That is normally a customer-facing interface and is often constrained by the e-commerce package in use. This guide is aimed at business owners responsible for the integrity of their business data and systems, so we are mostly talking about employee logins here.

 

2. Password Management

Single sign-on (SSO) with identity federation reduces the number of passwords a user needs to manage.

SSO is not always possible, or even wise (if an attacker guesses the one password correctly, they gain access to a whole range of systems). Also encourage, or better still provide, enterprise-grade password managers (e.g., 1Password, Bitwarden, Dashlane). They…

·       help users store and generate strong passwords

·       simplify sharing of credentials securely within teams

·       reduce reliance on memory or risky workarounds (e.g., sticky notes)

 

3. Block Common and Compromised Passwords

Integrate a real-time check against known breached credentials:

Use services such as the “Have I Been Pwned” API or the Azure AD banned passwords list.
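To make sections 1 and 3 concrete, here is an added example (not code from the original post or from any of the services named) of a Python check that enforces the 12-character minimum with no complexity rule and then looks the password up in a breached-password list using the same k-anonymity prefix scheme as the Have I Been Pwned range API. The breached corpus and its counts are constructed so the script runs offline; a real HTTPS client can be passed in as `lookup`.

```python
import hashlib
from typing import Callable

MIN_LENGTH = 12  # the guide's minimum; no special-character rule is imposed

# Constructed stand-in for the Have I Been Pwned corpus so this runs offline:
# {password: number of breaches it appeared in}. The values are made up.
CONSTRUCTED_BREACHED = {"P@ssw0rd!": 3, "password123": 7, "Winter2025!!": 2}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def constructed_range_lookup(prefix: str) -> dict[str, int]:
    """Simulates the k-anonymity 'range' endpoint: given the first five hex
    characters of a SHA-1, return {suffix: count} for every breached hash
    sharing that prefix. Only the prefix leaves the client; matching is local."""
    matches = {}
    for pw, count in CONSTRUCTED_BREACHED.items():
        digest = sha1_hex(pw)
        if digest[:5] == prefix:
            matches[digest[5:]] = count
    return matches


def breach_count(password: str,
                 lookup: Callable[[str], dict[str, int]] = constructed_range_lookup) -> int:
    digest = sha1_hex(password)
    return lookup(digest[:5]).get(digest[5:], 0)


def evaluate_password(password: str,
                      lookup: Callable[[str], dict[str, int]] = constructed_range_lookup) -> list[str]:
    """Return the list of policy violations; an empty list means accepted.
    Length and breach status are checked; character classes are not."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    hits = breach_count(password, lookup)
    if hits:
        problems.append(f"found in {hits} known breaches")
    return problems


if __name__ == "__main__":
    for candidate in ("OceanBananaGuitar42", "P@ssw0rd!", "Winter2025!!"):
        print(candidate, "->", evaluate_password(candidate) or "accepted")
```

Note that “Winter2025!!” satisfies every classic complexity rule and the 12-character minimum, yet is rejected because it is in the breached list.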

 

4. Multi-Factor Authentication (MFA)

A previous blog post advised about SIM swapping. To be on the safe side, use an authenticator app or a hardware token (e.g., YubiKey or FIDO2/WebAuthn) instead of a code sent by text message.

MFA still requires a robust password. However, it is so effective that, with MFA in place, a strong 8-character password is considered sufficient.

MFA is considered essential for:

·       All user accounts accessing sensitive systems

·       Admin accounts

·       Remote access/VPN

·       Cloud applications (SaaS, IaaS)

 

5. Password Expiry and Change Policies

NIST and other modern frameworks discourage frequent forced password changes unless a breach or suspected compromise has occurred.

Instead:

·       Do not force regular password changes

·       Enforce password changes only after compromise

·       Monitor for compromised credentials and alert users

 

6. Account Lockout and Throttling

Prevent brute-force attacks by implementing:

·       Rate-limiting or progressive delays after failed attempts

·       Account lockout after a defined number of failures (e.g., 5–10 attempts), with alerts

·       CAPTCHA or challenge-response systems to prevent automation
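An added example (not the post’s own code) of the throttling and lockout described above: a per-account state machine that doubles the delay after each failed attempt, locks the account after five failures and raises an alert through a callback. The lockout length and base delay are assumed values, and the caller supplies the clock so the logic can be exercised without sleeping.

```python
from dataclasses import dataclass
from typing import Callable

MAX_FAILURES = 5           # lockout threshold, from the guide's 5-10 range
LOCKOUT_SECONDS = 15 * 60  # assumed lockout duration
BASE_DELAY_SECONDS = 1.0   # progressive delay; doubles after every failure (assumed)


@dataclass
class AccountState:
    failures: int = 0
    next_allowed: float = 0.0   # progressive-delay deadline (epoch seconds)
    locked_until: float = 0.0   # lockout deadline; 0 means not locked


class LoginThrottle:
    """Tracks failed attempts per account, applies doubling delays, locks the
    account after MAX_FAILURES and fires an alert. The caller passes the
    current time so the behaviour is deterministic and testable."""

    def __init__(self, verify: Callable[[str, str], bool],
                 alert: Callable[[str, str], None]):
        self.verify = verify    # credential check, e.g. a salted-hash compare
        self.alert = alert      # e.g. forward to a SIEM or on-call channel
        self.accounts: dict[str, AccountState] = {}

    def attempt(self, user: str, password: str, now: float) -> str:
        state = self.accounts.setdefault(user, AccountState())
        if state.locked_until:
            if now < state.locked_until:
                return "locked"
            state = self.accounts[user] = AccountState()  # lockout expired: start afresh
        if now < state.next_allowed:
            return "throttled"  # still inside the progressive delay; password not even checked
        if self.verify(user, password):
            self.accounts.pop(user, None)   # a success clears the counters
            return "success"
        state.failures += 1
        state.next_allowed = now + BASE_DELAY_SECONDS * 2 ** (state.failures - 1)
        if state.failures >= MAX_FAILURES:
            state.locked_until = now + LOCKOUT_SECONDS
            self.alert(user, f"locked after {state.failures} failed attempts")
        return "failure"
```

Five wrong passwords for one account spaced ten seconds apart return "failure" each time, the fifth also locks the account and triggers the alert, and a correct password one second later still returns "locked".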

 

7. Storage and Transmission

Passwords should never be stored or transmitted in plaintext:

·       Hashing: Use strong hashing algorithms like bcrypt, scrypt, or Argon2

·       Salting: Apply a unique salt to every password

·       TLS encryption: Always encrypt password transmission over the network
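An added example (not from the post) of section 7’s hashing and salting using Python’s standard-library scrypt: every password gets a fresh random salt, the parameters are stored alongside the digest so the work factor can be raised later, and verification compares in constant time. The work factors, salt and key lengths are assumed values; bcrypt or Argon2 would be used the same way via third-party libraries.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# scrypt work factors: assumed values suitable for interactive logins; raise N
# as your hardware allows. scrypt is used here simply because it ships in the
# standard library; the pattern is identical for bcrypt or Argon2.
N, R, P = 2 ** 14, 8, 1
SALT_BYTES = 16
KEY_BYTES = 32
MAXMEM = 64 * 1024 * 1024   # scrypt needs roughly 128 * R * N bytes (16 MiB here)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme, parameters, salt and digest,
    so old records keep verifying after the parameters are raised."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # a fresh random salt for every password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=N, r=R, p=P, maxmem=MAXMEM, dklen=KEY_BYTES)
    fields = ["scrypt", str(N), str(R), str(P),
              base64.b64encode(salt).decode(), base64.b64encode(digest).decode()]
    return "$".join(fields)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters, compare in constant time."""
    try:
        scheme, n, r, p, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False   # malformed or legacy record: treat as a failed login
    if scheme != "scrypt":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=int(n), r=int(r), p=int(p), maxmem=MAXMEM,
                            dklen=len(expected))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    first = hash_password("OceanBananaGuitar42")
    second = hash_password("OceanBananaGuitar42")
    print("different records for the same password:", first != second)
    print("both verify:", verify_password("OceanBananaGuitar42", first)
          and verify_password("OceanBananaGuitar42", second))
```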

 

8. Passwordless authentication

Passwords themselves are increasingly being called into question. Standards are now moving towards biometrics, magic links or FIDO2 devices for better user experience and security. Even Cyber Essentials now has a passwordless component.

 

9. User Education and Awareness

·       Train employees to use passphrases and password managers

·       Warn against reusing passwords across work and personal accounts

·       Educate on phishing and social engineering tactics

 

10. Admin and Privileged Account Protections

Organisations should have separate accounts for admin tasks and daily use. This means administrators will have two accounts and should never use the administrative account for emailing or browsing the Internet (once an admin account is hacked, the system is at the attacker’s mercy!).

Finally, using longer passwords and one or more extra layers of protection compared to user accounts is good practice:

·       Just-In-Time access controls, reducing the risk window for privileged credentials

·       mandatory MFA

·       password vaulting and rotation (e.g., CyberArk, BeyondTrust)


11. Auditing, Monitoring, and Compliance

·       Log and monitor password-related events (logins, changes, lockouts)

·       Conduct regular access reviews and audits

·       Ensure compliance with industry and government regulations regarding passwords (e.g., HIPAA, PCI-DSS, GDPR). These do change from time to time; for example, in the UK the NCSC has recently moved from advising an 8-character minimum to a 12-character minimum, plus MFA for all cloud accounts.
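An added example (not from the post) of the monitoring in section 11: a small analyser run over constructed authentication log lines that picks out lockouts, accounts failing from several sources, sources failing against several accounts, and password changes, the kind of summary an access review starts from. The log format, usernames, IP addresses and the threshold of three are all assumptions.

```python
from collections import defaultdict

# Constructed authentication log (invented users, documentation IP ranges),
# one event per line: "<timestamp> <user> <event> <source_ip>".
SAMPLE_LOG = """\
2025-03-01T09:00:01 alice LOGIN_FAILED 203.0.113.10
2025-03-01T09:00:05 alice LOGIN_FAILED 203.0.113.11
2025-03-01T09:00:09 alice LOGIN_FAILED 203.0.113.12
2025-03-01T09:00:14 alice LOCKOUT 203.0.113.12
2025-03-01T09:01:00 bob LOGIN_FAILED 198.51.100.7
2025-03-01T09:01:03 carol LOGIN_FAILED 198.51.100.7
2025-03-01T09:01:06 dave LOGIN_FAILED 198.51.100.7
2025-03-01T09:02:00 erin LOGIN_OK 198.51.100.20
2025-03-01T09:05:00 erin PASSWORD_CHANGED 198.51.100.20
"""
DISTINCT_THRESHOLD = 3  # assumed: flag at three distinct sources or targets


def parse_log(text: str) -> list[dict]:
    """Turn log lines into event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            events.append(dict(zip(("ts", "user", "event", "ip"), parts)))
    return events


def analyse(text: str) -> dict[str, list[str]]:
    """Summarise failures, lockouts and changes for an access review."""
    ips_per_user = defaultdict(set)   # one account, many sources: targeted guessing
    users_per_ip = defaultdict(set)   # one source, many accounts: password spraying
    lockouts, changes = set(), set()
    for e in parse_log(text):
        if e["event"] == "LOGIN_FAILED":
            ips_per_user[e["user"]].add(e["ip"])
            users_per_ip[e["ip"]].add(e["user"])
        elif e["event"] == "LOCKOUT":
            lockouts.add(e["user"])
        elif e["event"] == "PASSWORD_CHANGED":
            changes.add(e["user"])
    return {
        "lockouts": sorted(lockouts),
        "multi_source_failures": sorted(
            u for u, ips in ips_per_user.items() if len(ips) >= DISTINCT_THRESHOLD),
        "spraying_sources": sorted(
            ip for ip, users in users_per_ip.items() if len(users) >= DISTINCT_THRESHOLD),
        "password_changes": sorted(changes),
    }
```

Running `analyse(SAMPLE_LOG)` on the constructed log flags alice (locked out, and attacked from three addresses), the single address 198.51.100.7 that tried three different accounts, and erin’s password change for follow-up.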

 

12. NCSC and Cyber Essentials

Cyber Essentials is a UK government-backed cybersecurity certification scheme managed by IASME Consortium, designed to help businesses protect themselves against the most common cyber threats. One of the five key technical controls focuses on User Access Control and covers many of the points highlighted in this article.

 

A sample Password Policy Statement for Employees

“All employees must use unique, strong passphrases of at least 12 characters. Passwords must not be reused across systems or shared. Multi-factor authentication is mandatory for sensitive systems. Password managers are provided to support secure password storage. Any suspected password compromise must be reported immediately.”

 

Conclusion

A modern password policy isn’t just about rules—it’s about enabling secure and usable authentication practices that evolve with threats. Combining strong policies with user education, monitoring, and tools like MFA and password managers can significantly reduce your risk of compromise. A lot of these suggestions are outlined in Cyber Essentials by IASME.

Adopting these best practices not only improves your business’s security posture but also helps you meet the requirements for Cyber Essentials and other certifications. Such certification can enhance customer trust, reduce cyber insurance premiums, and demonstrate commitment to cybersecurity.


Final note: the contents of this blog are but suggestions to provide an idea of the options available. It is important that each organisation researches the options available and chooses those best suited to their needs.

 

Further Reading

·       Cyber Essentials by IASME

·       Single sign-on and identity federation

·       Password advice from NCSC

·       “What are Magic Links?” article by Descope

·       What is FIDO2 (Microsoft)

·       TechTarget article on salting and hashing
