With 8 out of 10 security issues being related to passwords, ensuring that employees use strong passwords and follow best practices is becoming increasingly important. As you will find out in this post, a well-crafted password policy can help your company do just that. We’ll cover both the advantages and disadvantages of implementing password guidelines and go through the 5 principles behind our password policy template, which you can download and use for free. After reading this article you’ll be able to set up your own company password policy and keep your organization's accounts and data better protected.
Do you need a company password policy?
Most of us know that strong passwords are essential for keeping our accounts protected. But what people consider a strong password varies from individual to individual.
A survey by Google revealed that 66% use the same passwords for multiple accounts and 3 out of 4 find it frustrating to keep track of their passwords. So, even if people know about the best practice for creating secure passwords, they might not actually be putting them into use.
It might be tempting to think that your employees don’t need to use strong passwords because they don’t deal with confidential information. So, who would want to access their accounts, right? But there are many reasons accounts get hacked: cybercriminals might try to steal sensitive data, phish your customers, or install malware, to name only a few.
For small companies, data breaches have long-lasting impacts and in some cases mark the end of the business. A study by Verizon revealed that 69 % of consumers would avoid a company that had suffered a data breach. So, creating strong passwords shouldn’t just be a task for the individual employee, but a responsibility held by the entire organization. This is where the password policy comes into play.
Download the template right here and get started.
What is a password policy?
So, what is a password policy? A password policy consists of guidelines for creating, maintaining and using strong passwords at work. Implementing a password policy, and getting your employees to follow it, is an easy way to ensure everyone in your organization follows the same standard.
You can design the password policy to stand on its own or make it part of your acceptable use policy.
Advantages of using a password policy
With password guidelines in place, employees are more likely to create strong passwords and use them consistently across their accounts. A well-made password policy helps protect your organization's assets, maintain compliance with GDPR, and reduce operational costs associated with weak passwords.
Disadvantages of using a password policy
Although a password policy comes with many advantages, there are a few things to keep in mind. Setting up a new policy does not necessarily make things easier for your employees, and if your guidelines are too complicated, nobody will bother following them.
So, don’t fall into the trap of creating a password policy and thinking that your work is done. Instead, consider what additional security training your employees need.
Combine the password policy with security awareness training
The password policy is a document of guidelines; it does not explain to employees why they should create strong passwords or what security risks come with weak ones.
Combine the policy with security awareness training to educate your employees about security risks and how to manage them. Awareness is your best friend when it comes to IT security and GDPR compliance.
Download our free password policy template
It's almost time to go through what a password policy can look like, but first let me give you an introduction to our password policy template. Instead of creating a custom policy from scratch, I would like to give you the option to save yourself time and money by downloading our password policy template. The template consists of guidelines for secure and usable passwords.
Download the free password policy template
Next, I’ll take you through the principles behind the template. So, don’t close the article just yet.
The 5 principles behind our password policy template
Password policies should encourage the use of strong and usable passwords. In our password policy template, we have taken both these factors into consideration, while following Microsoft’s recommendations for password management. Here are the five principles that you should consider when setting up a password policy.
1. Make 12-character passwords a minimum requirement
As the headline suggests, employees should use 12-character passwords that do not contain common phrases or words that can be found in a dictionary, or names of a person, character, product, or organization.
Why? Password length plays a huge role in how fast hackers can crack a password, and therefore in how secure your accounts are.
This is explained in great detail in the Hive Systems Password Table of 2022, but I’ll give you a short example here. Let's say you create an 8-character password using both upper- and lower-case characters. A password like this would take only 13 minutes for hackers to crack, while a 12-character password containing both upper- and lower-case characters would take over 200 years to crack.
Alarmingly, 80 % of American passwords contain fewer than 12 characters and can be easily hacked. To avoid the major security risks of short passwords, educate your employees and make long passwords of at least 12 characters (but preferably even longer) a mandatory requirement.
2. Consider the pros and cons of password managers
Studies show that most people write down their passwords in order to remember them. This might not be an entirely unsafe method as most cybercriminals use digital means to hack passwords. But because long and unique passwords are hard to write down, people end up creating weak passwords or reusing the same password multiple times.
Store your passwords so you can access them easily while keeping them secure from outsiders. Password managers allow employees to create strong and accessible passwords. Password managers are applications that store login data for multiple accounts inside an encrypted vault. The only password employees need to create and remember is the master key for the password vault.
Another great advantage of password managers is that they provide the IT manager with statistics on the strength of the passwords employees use and on whether they follow the principles of the password policy. A digital password manager must be administered by the organization and not by the individual employee.
Are password managers safe?
Although considered safe, there is a security risk to consider before putting password managers into use.
If someone obtains access to your master key and your encrypted vault, they will have access to all your passwords. Like other applications, password managers get hacked too. This happened to password manager LastPass, whose customers had their vaults stolen in early 2023.
To keep your passwords and accounts entirely safe, you should use a password manager in combination with a multi-factor authenticator.
3. Use two-factor authentication when possible
Always using a two-factor authenticator, when possible, might be the most important principle on this list and is a MUST for all companies. With a two-factor authenticator you set up an extra security measure for accessing your accounts.
To log into your account, you need to enter a security code that is sent to a device other than the one used for logging in. This means that even if a cybercriminal were to obtain your password, they wouldn't be able to log into your account without the security code.
Using a multi-factor authenticator increases account security and, according to Microsoft, blocks a whopping 99.9 % of attacks. So, making it mandatory for employees to install a two-factor authentication app and use it whenever possible is definitely good security practice.
An example of a secure two-factor authenticator is Microsoft Authenticator.
4. Keep security guidelines simple
I’ve already mentioned this, but keeping password security guidelines as uncomplicated as possible is essential for emphasizing what's important and ensuring the information is memorable.
To keep it simple: the shorter the policy, the better.
Try using plain language and focus on key points. Avoid going into specific details, and instead make it clear whom employees should turn to when they have questions or need advice regarding passwords.
5. Avoid overly specific password complexity requirements
Lastly, you might want to avoid going too specific on complexity requirements, i.e., which characters, numbers and types of letters passwords must contain. While some complexity requirements, like not using one of the most common passwords or your own name, can make passwords more secure, multiple specific requirements on which characters to use can make things overly complicated.
To keep things simple, our password policy example does not include character complexity requirements, as we believe too many rules can end up working against you. Instead, we focus on two-factor authentication and length, which protect you against most password-related attacks. Some policies do have rules about how often passwords should be changed and how many special characters they should contain.
It is also a good idea to inform employees about the most common passwords and forbid them from using them. You can do so in many ways. For a fun approach, why not hang up awareness posters in your office?
Cybersecurity doesn't have to be all serious, but it should be visible and present! Visit our poster library to download free security awareness posters like the one below.
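The rules from principle 1 (at least 12 characters, no dictionary words or names) and principle 5 (block the most common passwords, but impose no character-class rules) can be checked automatically at password-creation time. The following checker is an added example and is not part of the downloadable template; the word lists, names and candidate passwords in it are constructed, and a real deployment would load a published common-password list and the organization's own product and employee names instead.

```python
"""Password policy checker (added example, not the post's template).

Enforces only what the post recommends: minimum length, no common passwords,
no dictionary words, no organization or person names. No character-class rules.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

MIN_LENGTH = 12

# Constructed sample lists for illustration only.
COMMON_PASSWORDS: Set[str] = {"password", "123456", "qwerty", "letmein", "welcome"}
DICTIONARY_WORDS: Set[str] = {"summer", "winter", "dragon", "monkey", "football"}
BLOCKED_NAMES: Set[str] = {"acme", "alice", "bob"}  # company, product and person names


@dataclass
class PolicyResult:
    ok: bool
    reasons: List[str] = field(default_factory=list)


def _find_term(password: str, terms: Set[str], min_len: int) -> Optional[str]:
    """Return the longest term of at least min_len characters found inside
    password, compared case-insensitively, or None if nothing matches."""
    lowered = password.lower()
    for term in sorted(terms, key=len, reverse=True):
        if len(term) >= min_len and term in lowered:
            return term
    return None


def check_password(password: str, user_names: Optional[Set[str]] = None) -> PolicyResult:
    """Evaluate one candidate password; user_names holds the requesting user's
    own name parts so they can be rejected as well (hypothetical parameter)."""
    reasons: List[str] = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    hit = _find_term(password, COMMON_PASSWORDS, min_len=4)
    if hit:
        reasons.append(f"contains common password '{hit}'")
    hit = _find_term(password, DICTIONARY_WORDS, min_len=4)
    if hit:
        reasons.append(f"contains dictionary word '{hit}'")
    # Names are short, so the substring check is deliberately stricter here;
    # a production checker would prefer whole-word matching for 3-letter names.
    hit = _find_term(password, BLOCKED_NAMES | set(user_names or ()), min_len=3)
    if hit:
        reasons.append(f"contains a blocked name '{hit}'")
    return PolicyResult(ok=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed candidates: too short, acceptable passphrase, name + dictionary word.
    for candidate in ["Tr0ub4dor&3", "correct horse battery staple", "AcmeSummer2024!!"]:
        result = check_password(candidate)
        verdict = "OK" if result.ok else "REJECTED: " + "; ".join(result.reasons)
        print(f"{candidate!r}: {verdict}")
```

Note that the long all-lowercase passphrase passes while the short symbol-heavy one fails, which is exactly the trade-off principles 1 and 5 make: length and blocklists, not character mixing.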
Your company password policy should be secure and usable
Reflecting on why your company needs a password policy will help you explain why the rest of your colleagues should follow it. As a rule, you should always be clear about who new security guidelines are for and in what situations they should be applied.
Implementing a password policy not only contributes to increased awareness and adherence to best practices, but also reflects the values and security culture that management encourages. That is why password policies can help create a stronger security culture and set the right tone for your security work.
If you have any questions about this blogpost or anything else password related, feel free to reach out to our team!