10 Best Practices: Corporate Password Policy

The issue of employee passwords is often a challenging one for businesses around the world but can’t be ignored.

According to a report from Verizon, around 81% of hacking breaches experienced by companies are caused by weak or stolen passwords.

Maintaining password policy best practices in your company is essential to help mitigate the risks.

Table of contents

The importance of password security in the workplace

What is a corporate password policy?

10 password policy best practices to implement in your organization

How to communicate your corporate password policy

The importance of password security in the workplace

Employee failure to comply with its best-practice corporate password policy can lead to many major issues for companies, including:

• Expensive data breaches
• Loss of sensitive information
• Loss of money
• Account takeovers
• Exposure to destructive malware
• Insider threats
• Reputational damage
• Legal problems
• Failure to comply with regulatory requirements

The report found that 31% use their child’s name or birthday, 34% use their spouse or partner’s name or birthday, 37% use the name of their employer, and 44% reuse passwords associated with both work-related and personal accounts.

The Keeper Security report also found when it comes to enterprise password security, employees aren’t as security conscious as they should be.

Some 57% of employees say they write passwords down on sticky notes, 55% save passwords on their phones, 51% save passwords on their computers, and 49% save passwords to the Cloud. And 62% share their passwords insecurely with unauthorized parties!

The COVID-19 pandemic and the increase of employees working remotely some or all of the time has been exploited by cybercriminals, with password exploitation one of the major challenges during this time.This highlights the need for organizations to have strong corporate password policy.

The costs are enormous – according to IBM the average cost of a breach of credentials to a company is around $3.92 million.

What is a corporate password policy?

A corporate password policy is a set of rules that an organization has about passwords that are used to access systems and data that generally incorporates best practice industry standards to ensure employee credentials cannot be easily compromised.

Corporate password policy example

Free download

Having a strong corporate password policy in place ensures that your systems and data are as secure as possible. We’ve created a corporate password policy example you can download and use to guide your own business.

10 password policy best practices to implement in your organization

Having a strong company password policy in place is one of the first lines of defense your organization has in its fight against cybercrime. Protecting passwords is a fast and easy way to enhance cybersecurity in the workplace.

If your company currently doesn’t have a corporate password policy, it’s time you developed one. And if you do have one already, you should review it to make sure it is up to the task of helping to protect employees against modern cyber threats and update it accordingly.

Some of the best organization password policy recommendations include:

1. Encourage employees to use unique passwords

It’s strongly encouraged that people use unique passwords for every account that they create. Unfortunately, this isn’t always the case when it comes to managing passwords.

A Google Online Security survey found that 52% of people use the same passwords across all accounts.

If a password is breached on one platform, that puts the user at risk of being breached everywhere.

More than 555 million passwords have been published on the dark web since late 2017, which shows the extent of the problem.

2. Insist on complex or long passwords (or both!)

With computers becoming more powerful with higher processing speeds, brute-force attacks where hackers test endless combinations of characters until they find the correct password, have been more and more effective. Your company password policy should require that long and complex passwords are used to access your systems - this is one of the most secure practices when creating passwords

According to Scientific American, a 12 character password is 62 trillion times more difficult for cybercriminals to crack than a 6 character one. And the strongest password is a 16 character one derived from a set of 200 characters.

3. Don’t allow employees to reuse passwords

To ensure security, passwords should be used once only. Reusing passwords is problematic if a password has ever been compromised in the past.

4. Passwords should be changed – but not too often

Some experts believe if you have difficult, unique passwords then you don’t need to change them unless compromised. Others believe you should change the password several times a year.

Traditional requirements to change passwords every 30, 60, 90 days have the effect of creating weaknesses in the system, not strengths.

People are less likely to use long and complex passwords if they have to remember a new one every few months. They’re also more likely to write them down or store them somewhere where third parties can access them.

5. Have continuous education and awareness

As cybercrime is constantly evolving and becoming more and more sophisticated, it’s important that your education and awareness campaigns also evolve. Password hygiene education shouldn’t just be a one-time thing: you need to continually remind employees about secure password management and let them know when new threats emerge.

>> Download 6 free cybersecurity email samples <<

6. Encourage the use of password managers

Because password combinations of complex lower and uppercase characters, special symbols and numbers can be difficult to remember, you don’t want people writing them down or storing them somewhere insecure. A password management system can help. Password manager best practice is implementing software systems that work by storing all the passwords you use and rely on one strong master password to keep them all secure.

7. Re-evaluate the threshold for failed login attempts

Many systems lock accounts when there have been a sufficient number of failed login attempts reached. Often the threshold is quite low and will only seek to frustrate users – particularly if they have legitimately forgotten their long and complex password.

This type of negative experience for the user can lead them to use more easily compromised passwords in the future. So while you shouldn’t get rid of the threshold altogether, you should make it a more reasonable amount of attempts, such as ten, before people are locked out of their accounts.

8. Forbid password sharing

Passwords need to be confidential in order to be effective in guarding sensitive information. Therefore, employees should be prohibited from sharing their passwords with anyone – even colleagues. This is one of the most important best practices for password management. It’s important that the reasons for this are clearly outlined in your corporate password policy.

9. Enable two-factor authentication

It’s a lot harder to compromise a password if there is a two-factor authentication requirement attached to it. By adding the second factor – such as an SMS being sent to a device with a one-time code that needs to be included in order to proceed – it is much more difficult for hackers to gain access to systems unless they have also managed to steal the device where the authentication is sent.

According to Microsoft, users who have multiple-factor authentication on their accounts are able to block 99.9% of automated attacks.

10. Consider getting rid of passwords altogether

According to the World Economic Forum (WEF), the COVID-19 pandemic has strengthened the case for organizations to ditch passwords completely.

New technologies such as biometrics, device attributes and behavioral analytics can help to validate someone’s identity without the need to type in a password. The WEF says that going “passwordless” will greatly boost security in companies and eliminate the risk of compromised credentials.

How to communicate your corporate password policy

It’s important to communicate your company password policy in a variety of ways to ensure that the information reaches your employees. Messages sent multiple times in different formats are more easily retained.

Consider the following methods when communicating about password security in the workplace:

• Send pop-up alerts to desktops with hints and tips about password security
• Create screensavers and corporate desktop wallpapers with best practice requirements
• Use digital screens in your organization to create engaging and visually appealing campaigns about password hygiene
• Use the corporate login screen, where employees enter their credentials, to deliver information about password security
• Include password hints and tips in your internal newsletter
• Make sure your organization password policy is in a prominent place on your intranet.
• A scrolling ticker can help you to send updates about password requirements, organization password policy examples or ongoing issues
• Quiz your employees’ password knowledge by running surveys and quizzes to see how much they know.

***

Passwords for many organizations are the only thing standing between their precious data and criminals having access to it. Keeping abreast of best practices to ensure cybersecurity, the recommendations for creating and maintaining passwords and having a strong company password policy can help to minimize the risk of harm.

Frequently asked questions

What are examples of company password policy?

Some of the password storage best practice policies that companies use include:

• Requiring that passwords contain a mixture of lowercase and uppercase characters
• Passwords need to be a certain length
• Passwords need to contain a mixture of lowercase, uppercase, numbers and special characters
• Passwords need to be changed on a regular basis
• Passwords cannot be the same as a previous password.

What is the recommended corporate password policy?

The recommended best practices for corporate password policy include:

• Requiring a minimum password length
• Establishing a password history policy where at least the ten most recent passwords are remembered and cannot be reused
• Passwords must meet complexity requirements

What is the purpose of a company password policy?

A password security policy is a set of rules that dictate the ways passwords must be created in your organization in order to prevent your systems from being compromised and your data stolen. It prevents your users from choosing weak passwords that can be cracked easily.

What is the importance of having a strong password policy?

Having a strong password policy in place in your organization will help to protect your systems and data from a range of different outsider threats and attacks. It will keep you ahead of hackers and bots that have been designed to guess passwords.