Skip to the main content.
GET QUOTE   Trial

7 min read

10 Best Practices: Corporate Password Policy

password-policy-best-practices

The issue of employee passwords is often a challenging one for businesses around the world but can’t be ignored.

According to a report from Verizon, around 81% of hacking breaches experienced by companies are caused by weak or stolen passwords.

Maintaining password policy best practices in your company is essential to help mitigate the risks.


Table of contents

The importance of password security in the workplace

What is a corporate password policy?

10 password policy best practices to implement in your organization

How to communicate your corporate password policy

Password Security Standards and Guidelines


The importance of password security in the workplace

Employee failure to comply with its best-practice corporate password policy can lead to many major issues for companies, including:

  • Expensive data breaches
  • Loss of sensitive information
  • Loss of money
  • Account takeovers
  • Exposure to destructive malware
  • Insider threats
  • Reputational damage
  • Legal problems
  • Failure to comply with regulatory requirements
According to the Keeper Security Workplace Password Malpractice Report 2021, many employees admit they use weak or easily guessed passwords.

The report found that 31% use their child’s name or birthday, 34% use their spouse or partner’s name or birthday, 37% use the name of their employer, and 44% reuse passwords associated with both work-related and personal accounts.

The Keeper Security report also found when it comes to enterprise password security, employees aren’t as security conscious as they should be.

Some 57% of employees say they write passwords down on sticky notes, 55% save passwords on their phones, 51% save passwords on their computers, and 49% save passwords to the Cloud. And 62% share their passwords insecurely with unauthorized parties!

The COVID-19 pandemic and the increase of employees working remotely some or all of the time has been exploited by cybercriminals, with password exploitation one of the major challenges during this time.This highlights the need for organizations to have strong corporate password policy.

The costs are enormous – according to IBM the average cost of a breach of credentials to a company is around $3.92 million.

What is a corporate password policy?

A corporate password policy is a set of rules that an organization has about passwords that are used to access systems and data that generally incorporates best practice industry standards to ensure employee credentials cannot be easily compromised.

Corporate password policy example

10 password policy best practices to implement in your organization

Having a strong company password policy in place is one of the first lines of defense your organization has in its fight against cybercrime. Protecting passwords is a fast and easy way to enhance cybersecurity in the workplace.

If your company currently doesn’t have a corporate password policy, it’s time you developed one. And if you do have one already, you should review it to make sure it is up to the task of helping to protect employees against modern cyber threats and update it accordingly.

Some of the best organization password policy recommendations include:

1. Encourage employees to use unique passwords

It’s strongly encouraged that people use unique passwords for every account that they create. Unfortunately, this isn’t always the case when it comes to managing passwords.

A Google Online Security survey found that 52% of people use the same passwords across all accounts.

If a password is breached on one platform, that puts the user at risk of being breached everywhere.

More than 555 million passwords have been published on the dark web since late 2017, which shows the extent of the problem.

2. Insist on complex or long passwords (or both!)

With computers becoming more powerful with higher processing speeds, brute-force attacks where hackers test endless combinations of characters until they find the correct password, have been more and more effective. Your company password policy should require that long and complex passwords are used to access your systems - this is one of the most secure practices when creating passwords

According to Scientific American, a 12 character password is 62 trillion times more difficult for cybercriminals to crack than a 6 character one. And the strongest password is a 16 character one derived from a set of 200 characters.

3. Don’t allow employees to reuse passwords

To ensure security, passwords should be used once only. Reusing passwords is problematic if a password has ever been compromised in the past.

4. Passwords should be changed – but not too often

Some experts believe if you have difficult, unique passwords then you don’t need to change them unless compromised. Others believe you should change the password several times a year.

Traditional requirements to change passwords every 30, 60, 90 days have the effect of creating weaknesses in the system, not strengths.

People are less likely to use long and complex passwords if they have to remember a new one every few months. They’re also more likely to write them down or store them somewhere where third parties can access them.

5. Have continuous education and awareness

As cybercrime is constantly evolving and becoming more and more sophisticated, it’s important that your education and awareness campaigns also evolve. Password hygiene education shouldn’t just be a one-time thing: you need to continually remind employees about secure password management and let them know when new threats emerge.

>> Download 6 free cybersecurity email samples <<

6. Encourage the use of password managers

Because password combinations of complex lower and uppercase characters, special symbols and numbers can be difficult to remember, you don’t want people writing them down or storing them somewhere insecure. A password management system can help. Password manager best practice is implementing software systems that work by storing all the passwords you use and rely on one strong master password to keep them all secure.

Corporate Password Policy

7. Re-evaluate the threshold for failed login attempts

Many systems lock accounts when there have been a sufficient number of failed login attempts reached. Often the threshold is quite low and will only seek to frustrate users – particularly if they have legitimately forgotten their long and complex password.

This type of negative experience for the user can lead them to use more easily compromised passwords in the future. So while you shouldn’t get rid of the threshold altogether, you should make it a more reasonable amount of attempts, such as ten, before people are locked out of their accounts.

8. Forbid password sharing

Passwords need to be confidential in order to be effective in guarding sensitive information. Therefore, employees should be prohibited from sharing their passwords with anyone – even colleagues. This is one of the most important best practices for password management. It’s important that the reasons for this are clearly outlined in your corporate password policy.

9. Enable two-factor authentication

It’s a lot harder to compromise a password if there is a two-factor authentication requirement attached to it. By adding the second factor – such as an SMS being sent to a device with a one-time code that needs to be included in order to proceed – it is much more difficult for hackers to gain access to systems unless they have also managed to steal the device where the authentication is sent.

According to Microsoft, users who have multiple-factor authentication on their accounts are able to block 99.9% of automated attacks.

10. Consider getting rid of passwords altogether

According to the World Economic Forum (WEF), the COVID-19 pandemic has strengthened the case for organizations to ditch passwords completely.

New technologies such as biometrics, device attributes and behavioral analytics can help to validate someone’s identity without the need to type in a password. The WEF says that going “passwordless” will greatly boost security in companies and eliminate the risk of compromised credentials.

How to communicate your corporate password policy

password policy best practicesIt’s important to communicate your company password policy in a variety of ways to ensure that the information reaches your employees. Messages sent multiple times in different formats are more easily retained.

Consider the following methods when communicating about password security in the workplace:

  • Send pop-up alerts to desktops with hints and tips about password security
  • Create screensavers and corporate desktop wallpapers with best practice requirements
  • Use digital screens in your organization to create engaging and visually appealing campaigns about password hygiene
  • Use the corporate login screen, where employees enter their credentials, to deliver information about password security
  • Include password hints and tips in your internal newsletter
  • Make sure your organization password policy is in a prominent place on your intranet.
  • A scrolling ticker can help you to send updates about password requirements, organization password policy examples, or ongoing issues
  • Quiz your employees’ password knowledge by running surveys and quizzes to see how much they know.

Password Security Standards and Guidelines

In the realm of cybersecurity, having a robust corporate password policy is crucial for protecting sensitive information and ensuring compliance with various standards and guidelines. Below are some key frameworks and regulations that organizations should consider when developing their password policy.

1. NIST SP800-63B

The National Institute of Standards and Technology (NIST) Special Publication 800-63B provides guidelines for digital authentication. This document emphasizes the importance of a strong  password policy by recommending the use of longer passphrases, multi-factor authentication (MFA), and periodic updates to passwords. The NIST guidelines are designed to enhance security while also improving user experience by recommending less restrictive password rules.

2. PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) mandates that organizations handling payment card information enforce a comprehensive corporate password policy. This standard requires passwords to be complex and regularly updated, and it also outlines the necessity of secure password storage practices. By adhering to PCI DSS, companies can ensure that their corporate password policy meets stringent security requirements.

3. ISO/IEC 27002

ISO/IEC 27002 provides best practices for information security management, including guidelines for a robust corporate password policy. This standard advises organizations to implement policies that cover password length, complexity, and change frequency. It also suggests mechanisms for monitoring and enforcing these policies to safeguard sensitive data against unauthorized access.

4. CIS Password Policy Guide

The Center for Internet Security (CIS) offers a detailed corporate password policy guide that outlines a range of security controls for managing passwords. This guide recommends measures such as password length, complexity requirements, and the use of password managers. The CIS Password Policy Guide helps organizations create a comprehensive password policy that aligns with best practices for password security.

5. NERC CIP

The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards include specific requirements for a password policy in the context of energy sector organizations. NERC CIP guidelines focus on safeguarding critical infrastructure by enforcing strong password practices and regular reviews of password policies to mitigate risks.

6. HIPAA Security Rule

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires healthcare organizations to implement a corporate password policy that ensures the confidentiality, integrity, and availability of electronic protected health information (ePHI). HIPAA emphasizes the need for secure password practices, including password complexity, expiration, and the use of multi-factor authentication.

Incorporating these standards into your corporate password policy will help ensure that your organization meets security requirements and effectively protects sensitive information from unauthorized access. Regular reviews and updates to the policy will also keep it aligned with evolving security threats and compliance obligations.

***

Passwords for many organizations are the only thing standing between their precious data and criminals having access to it. Keeping abreast of best practices to ensure cybersecurity, the recommendations for creating and maintaining passwords and having a strong company password policy can help to minimize the risk of harm.

Frequently asked questions

What are examples of company password policy?

Some of the password storage best practice policies that companies use include:

  • Requiring that passwords contain a mixture of lowercase and uppercase characters
  • Passwords need to be a certain length
  • Passwords need to contain a mixture of lowercase, uppercase, numbers and special characters
  • Passwords need to be changed on a regular basis
  • Passwords cannot be the same as a previous password.

What is the recommended corporate password policy?

The recommended best practices for corporate password policy include:

  • Requiring a minimum password length
  • Establishing a password history policy where at least the ten most recent passwords are remembered and cannot be reused
  • Passwords must meet complexity requirements

What is the purpose of a company password policy?

A password security policy is a set of rules that dictate the ways passwords must be created in your organization in order to prevent your systems from being compromised and your data stolen. It prevents your users from choosing weak passwords that can be cracked easily.

What is the importance of having a strong password policy?

Having a strong password policy in place in your organization will help to protect your systems and data from a range of different outsider threats and attacks. It will keep you ahead of hackers and bots that have been designed to guess passwords.

How to Use Digital Health and Safety Signage in the Workplace

11 min read

How to Use Digital Health and Safety Signage in the Workplace

Health and safety signage are designed to provide essential information about risks, safety measures, and emergency procedures and help people to...

Read More
What Is Business Communication and How Can It Benefit Your Company?

16 min read

What Is Business Communication and How Can It Benefit Your Company?

What Is business communication? Business communication is something that every organization does every single day - sometimes well, and sometimes...

Read More
9 New Employee Announcement Ideas

9 min read

9 New Employee Announcement Ideas

When a new employee joins your company, sending an email to the rest of the organization can help to ease the new recruit into their position by...

Read More