The issue of employee passwords is often a challenging one for businesses around the world but can’t be ignored.
According to a report from Verizon, around 81% of hacking breaches experienced by companies are caused by weak or stolen passwords.
Maintaining password policy best practices in your company is essential to help mitigate the risks.
Table of contents
The importance of password security in the workplace
What is a corporate password policy?
10 password policy best practices to implement in your organization
How to communicate your corporate password policy
Password Security Standards and Guidelines
Employee failure to comply with its best-practice corporate password policy can lead to many major issues for companies, including:
The report found that 31% use their child’s name or birthday, 34% use their spouse or partner’s name or birthday, 37% use the name of their employer, and 44% reuse passwords associated with both work-related and personal accounts.
The Keeper Security report also found when it comes to enterprise password security, employees aren’t as security conscious as they should be.
Some 57% of employees say they write passwords down on sticky notes, 55% save passwords on their phones, 51% save passwords on their computers, and 49% save passwords to the Cloud. And 62% share their passwords insecurely with unauthorized parties!
The COVID-19 pandemic and the increase of employees working remotely some or all of the time has been exploited by cybercriminals, with password exploitation one of the major challenges during this time.This highlights the need for organizations to have strong corporate password policy.
The costs are enormous – according to IBM the average cost of a breach of credentials to a company is around $3.92 million.
A corporate password policy is a set of rules that an organization has about passwords that are used to access systems and data that generally incorporates best practice industry standards to ensure employee credentials cannot be easily compromised.
Having a strong company password policy in place is one of the first lines of defense your organization has in its fight against cybercrime. Protecting passwords is a fast and easy way to enhance cybersecurity in the workplace.
If your company currently doesn’t have a corporate password policy, it’s time you developed one. And if you do have one already, you should review it to make sure it is up to the task of helping to protect employees against modern cyber threats and update it accordingly.
Some of the best organization password policy recommendations include:
It’s strongly encouraged that people use unique passwords for every account that they create. Unfortunately, this isn’t always the case when it comes to managing passwords.
A Google Online Security survey found that 52% of people use the same passwords across all accounts.
If a password is breached on one platform, that puts the user at risk of being breached everywhere.
More than 555 million passwords have been published on the dark web since late 2017, which shows the extent of the problem.
With computers becoming more powerful with higher processing speeds, brute-force attacks where hackers test endless combinations of characters until they find the correct password, have been more and more effective. Your company password policy should require that long and complex passwords are used to access your systems - this is one of the most secure practices when creating passwords
According to Scientific American, a 12 character password is 62 trillion times more difficult for cybercriminals to crack than a 6 character one. And the strongest password is a 16 character one derived from a set of 200 characters.
To ensure security, passwords should be used once only. Reusing passwords is problematic if a password has ever been compromised in the past.
Some experts believe if you have difficult, unique passwords then you don’t need to change them unless compromised. Others believe you should change the password several times a year.
Traditional requirements to change passwords every 30, 60, 90 days have the effect of creating weaknesses in the system, not strengths.
People are less likely to use long and complex passwords if they have to remember a new one every few months. They’re also more likely to write them down or store them somewhere where third parties can access them.
As cybercrime is constantly evolving and becoming more and more sophisticated, it’s important that your education and awareness campaigns also evolve. Password hygiene education shouldn’t just be a one-time thing: you need to continually remind employees about secure password management and let them know when new threats emerge.
>> Download 6 free cybersecurity email samples <<
Because password combinations of complex lower and uppercase characters, special symbols and numbers can be difficult to remember, you don’t want people writing them down or storing them somewhere insecure. A password management system can help. Password manager best practice is implementing software systems that work by storing all the passwords you use and rely on one strong master password to keep them all secure.
Many systems lock accounts when there have been a sufficient number of failed login attempts reached. Often the threshold is quite low and will only seek to frustrate users – particularly if they have legitimately forgotten their long and complex password.
This type of negative experience for the user can lead them to use more easily compromised passwords in the future. So while you shouldn’t get rid of the threshold altogether, you should make it a more reasonable amount of attempts, such as ten, before people are locked out of their accounts.
Passwords need to be confidential in order to be effective in guarding sensitive information. Therefore, employees should be prohibited from sharing their passwords with anyone – even colleagues. This is one of the most important best practices for password management. It’s important that the reasons for this are clearly outlined in your corporate password policy.
It’s a lot harder to compromise a password if there is a two-factor authentication requirement attached to it. By adding the second factor – such as an SMS being sent to a device with a one-time code that needs to be included in order to proceed – it is much more difficult for hackers to gain access to systems unless they have also managed to steal the device where the authentication is sent.
According to Microsoft, users who have multiple-factor authentication on their accounts are able to block 99.9% of automated attacks.
According to the World Economic Forum (WEF), the COVID-19 pandemic has strengthened the case for organizations to ditch passwords completely.
New technologies such as biometrics, device attributes and behavioral analytics can help to validate someone’s identity without the need to type in a password. The WEF says that going “passwordless” will greatly boost security in companies and eliminate the risk of compromised credentials.
It’s important to communicate your company password policy in a variety of ways to ensure that the information reaches your employees. Messages sent multiple times in different formats are more easily retained.
Consider the following methods when communicating about password security in the workplace:
In the realm of cybersecurity, having a robust corporate password policy is crucial for protecting sensitive information and ensuring compliance with various standards and guidelines. Below are some key frameworks and regulations that organizations should consider when developing their password policy.
The National Institute of Standards and Technology (NIST) Special Publication 800-63B provides guidelines for digital authentication. This document emphasizes the importance of a strong password policy by recommending the use of longer passphrases, multi-factor authentication (MFA), and periodic updates to passwords. The NIST guidelines are designed to enhance security while also improving user experience by recommending less restrictive password rules.
The Payment Card Industry Data Security Standard (PCI DSS) mandates that organizations handling payment card information enforce a comprehensive corporate password policy. This standard requires passwords to be complex and regularly updated, and it also outlines the necessity of secure password storage practices. By adhering to PCI DSS, companies can ensure that their corporate password policy meets stringent security requirements.
ISO/IEC 27002 provides best practices for information security management, including guidelines for a robust corporate password policy. This standard advises organizations to implement policies that cover password length, complexity, and change frequency. It also suggests mechanisms for monitoring and enforcing these policies to safeguard sensitive data against unauthorized access.
The Center for Internet Security (CIS) offers a detailed corporate password policy guide that outlines a range of security controls for managing passwords. This guide recommends measures such as password length, complexity requirements, and the use of password managers. The CIS Password Policy Guide helps organizations create a comprehensive password policy that aligns with best practices for password security.
The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards include specific requirements for a password policy in the context of energy sector organizations. NERC CIP guidelines focus on safeguarding critical infrastructure by enforcing strong password practices and regular reviews of password policies to mitigate risks.
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires healthcare organizations to implement a corporate password policy that ensures the confidentiality, integrity, and availability of electronic protected health information (ePHI). HIPAA emphasizes the need for secure password practices, including password complexity, expiration, and the use of multi-factor authentication.
Incorporating these standards into your corporate password policy will help ensure that your organization meets security requirements and effectively protects sensitive information from unauthorized access. Regular reviews and updates to the policy will also keep it aligned with evolving security threats and compliance obligations.
Passwords for many organizations are the only thing standing between their precious data and criminals having access to it. Keeping abreast of best practices to ensure cybersecurity, the recommendations for creating and maintaining passwords and having a strong company password policy can help to minimize the risk of harm.
Some of the password storage best practice policies that companies use include:
The recommended best practices for corporate password policy include:
A password security policy is a set of rules that dictate the ways passwords must be created in your organization in order to prevent your systems from being compromised and your data stolen. It prevents your users from choosing weak passwords that can be cracked easily.
Having a strong password policy in place in your organization will help to protect your systems and data from a range of different outsider threats and attacks. It will keep you ahead of hackers and bots that have been designed to guess passwords.
Send urgent notifications to any corporate devices: PCs, phones, tablets, etc.
The high visibility combined with our 100% delivery rate guarantee. Bypass information overload. Deliver key information even if the computer is on screensaver mode, locked or sleeping.
11 min read
Caroline Duncan: Jul 29, 2025 9:56:55 AM
Year over year, the cost of poor crisis communication has been growing, but it's not only financial loss. Lives, business operations, and reputation...
11 min read
Caroline Duncan: Jun 30, 2025 5:53:55 AM
In the U.S. alone, about 85% of companies rely on cloud services (Census Bureau, 2024), and 33% of organizations worldwide have spent over $12...
20 min read
Caroline Duncan: Jun 9, 2025 12:02:10 PM
Disasters don't wait for a convenient time. Whether it's a cyberattack, natural disaster, or supply chain disruption, businesses that fail to prepare...
8 min read
Caroline Duncan : Jun 9, 2023 2:55:48 PM
There have been rapid shifts in the way that workplaces function over the past few years, with an increasing reliance on technology and...
7 min read
Caroline Duncan : Apr 29, 2021 6:30:00 AM
As COVID-19 vaccinations are increasingly available worldwide, many employers wonder if they can insist upon or encourage their employees to get...
6 min read
Caroline Duncan : Apr 27, 2022 9:45:00 PM
If your employees are using cell phones during work time, it's best practice to create a company cell phone policy to help guide them in what is...
Caroline Duncan