Importance of Password Policy Best Practices



Companies must follow password policy best practices in order to adequately protect private, sensitive, and personal communications and data. System end-users rely on passwords as a first line of defence that keeps unauthorised users out of protected systems and data. Proper password regulations and procedures must therefore be developed to address the security issues caused by bad practices and weak passwords.

Password policies are a set of guidelines designed to improve computer security in the face of growing cyber threats. To ensure correct use, the policies urge system users to create secure, dependable passwords and store them securely. Every organisation is responsible for setting strong password policies, managing them, and updating them as needed.

Importance of Password Policy Best Practices

According to a recent Verizon Data Breach Investigations Report, hackers take advantage of any weakness in password policy best practices. The report identifies complex password restrictions that do more harm than good as the leading source of cyber-attacks and data breaches. It also identifies stolen credentials (usernames and passwords) and phishing attacks as the main tactics for penetrating a secured system.

As if bad password policies weren’t bad enough, the 2019 State of Password and Authentication Security Behaviors report found some intriguing facts about employee password protection. It found that 51% of those polled use the same password for both personal and work accounts, and 68 percent admitted to sharing sensitive passwords with coworkers. More concerning still, 57 percent of respondents who had experienced a phishing attack admit to not having adopted more secure password habits. These troubling numbers show why organisations of all sizes and industries need to follow password policy best practices.

Current Password Policy Standards

Passwords were designed to solve authentication problems, but they have turned into a major source of problems themselves. The majority of users continue to use weak, easy-to-guess passwords that they reuse across many accounts. Password policies, meanwhile, change as new security requirements emerge. As a result, professionals and regulatory agencies have focused heavily on what constitutes password best practices.

National Institute of Standards and Technology (NIST)

NIST creates and updates information security principles and standards for all federal agencies, but they can also be used by businesses. NIST Special Publication (SP) 800-63B (Digital Identity Guidelines – Authentication and Lifecycle Management) addresses password policy concerns. The publication outlines a new approach to password security. For example, it encourages system users to create memorised secrets, which are passwords that are easy to remember but difficult to guess. Other onerous password requirements that were advocated in the past are discouraged in the publication. System-generated passwords must have a minimum of six characters, whereas recommended user-chosen passwords must have eight or more alphanumeric characters.

Furthermore, the NIST publication advises checking passwords against a list of commonly used, compromised, or expected passwords before they are accepted. Dictionary words, passwords identified in previous breaches, sequential or repetitive strings (e.g., 1234qwerty), and context-specific phrases are among the passwords that such a check rejects. Other NIST password policy best practices include:

  • Enable paste in the password entry box so that password managers are easier to use.
  • Store a salted hash of each password rather than the password itself.
  • Give users the option to display the password they are typing instead of only the masking dots or asterisks.
  • Add a second authentication factor.
  • Request memorised secrets only over authenticated protected channels using approved encryption.
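The screening step described above, as an added example (not code from the page or from NIST): a verifier-side check that applies only a length floor and the NIST blocklist categories (breached, dictionary, sequential or repetitive, keyboard rows, context-specific terms) with no composition rule. The blocklist, dictionary and keyboard rows are small constructed samples.

```python
import re
from typing import List, Tuple

# Constructed sample data standing in for the lists a verifier would hold:
# a breach-derived blocklist and a small dictionary. Real lists are far larger.
BREACHED = {"password", "123456", "qwerty", "letmein", "iloveyou", "1234qwerty"}
DICTIONARY = {"sunshine", "dragon", "monkey", "football", "welcome"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

def is_sequential_or_repetitive(s: str) -> bool:
    """True for runs such as 'aaaaaaaa', 'abcdefgh' or '87654321'."""
    if len(set(s)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})

def is_keyboard_walk(s: str) -> bool:
    """True when the whole string is a keyboard row segment, read in either direction."""
    return any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)

def screen_password(pw: str, context: Tuple[str, ...] = ()) -> List[str]:
    """Return the reasons a memorised secret is rejected; an empty list means accepted.

    context carries service-specific words (username, company name) that must not
    appear in the password. No composition rule is applied: any printable character,
    spaces included, is allowed, and length is the only structural requirement.
    """
    reasons = []
    low = pw.lower()
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if low in BREACHED:
        reasons.append("appears in breach-derived blocklist")
    # Drop digits and symbols so that 'Dragon123!' is still caught as a dictionary word.
    core = re.sub(r"[^a-z]", "", low)
    if core in DICTIONARY:
        reasons.append("dictionary word")
    if len(low) >= 4 and is_sequential_or_repetitive(low):
        reasons.append("sequential or repetitive characters")
    if len(low) >= 4 and is_keyboard_walk(low):
        reasons.append("keyboard pattern")
    for word in context:
        if len(word) >= 3 and word.lower() in low:
            reasons.append(f"contains context-specific term '{word}'")
    return reasons
```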

Department of Homeland Security (DHS) recommendations

The Department of Homeland Security has designed a card to help users generate strong passwords and secure their systems and information from internet attacks. To help limit the risk of a security incident, the card contains simple rules, some of which are similar to the NIST password standards. The tips include:

  • Make passwords at least eight characters long.
  • Use a password with a mix of capital and lowercase letters as well as punctuation marks.
  • Avoid using common words or personal information when creating passwords.
  • Use a distinct password for each account.

Recommendations for Password Policy from Microsoft

Microsoft has developed recommendations for both end-user and administrator password rules based on information gathered over the years. The data comes from tracked threats such as phishing, bots, trojans, and worms. Microsoft also emphasises the importance of frequent employee training to ensure that all system end-users can recognise the most recent security concerns and properly apply password policy changes. The Microsoft password policy model suggests the following best practices for access and identity management:

  • Use passwords that are exactly eight characters long.
  • Do not require users to include special characters such as *&(%$.
  • Do not force periodic password resets on user accounts.
  • Remind system users of the dangers of reusing passwords.
  • Enforce multi-factor authentication.

Recommendations for Password Policy Best Practices

To build a robust password policy, system administrators in all enterprises should consider the following suggestions:

Make Multi-Factor Authentication a requirement

Multi-factor authentication (MFA) protects data and information systems by requiring users to prove their identity through additional means. It is a highly effective method that requires users to submit a correct username and password as well as additional forms of identification, such as a text code sent to a mobile device or confirmation of a registered biometric.

MFA prevents individuals who lack the necessary access privileges from reaching sensitive data and IT infrastructure. It also protects locked assets from being accessed by someone holding a stolen credential.

Implement a Password Age Policy

A minimum password age policy specifies the shortest time a password must remain in use before the user is allowed to change it. Such a policy is necessary because it prevents system users from immediately cycling back to their old passwords after changing them. The minimum password age policy should specify a period of three to seven days before users may generate new passwords. This gives users plenty of time to change their passwords while preventing them from reverting to previous passwords.

However, system administrators should be aware that passwords can be compromised. A minimum age policy can prevent users from changing a compromised password themselves, so administrators should be available to make the necessary adjustments.

Use Passphrases

Passphrases have a higher level of security than single-word passwords. Consider the sentence “Every Sunday, I Enjoy Spending Time At The Zoo.” Using a sentence to construct a password, such as ILSTATZES, creates a strong password. Alternatively, using the complete sentence as a passphrase with a mix of capital and lowercase letters minimises the chances of it being cracked. A passphrase is simple to remember, yet it gives better security.

Enforce a Password History Policy

When asked to generate new passwords, most people re-use passwords they have already created. Although this is common practice, organisations should adopt a password history policy that regulates how often a user can reuse an old password. It is a good idea to impose a password history policy that makes the system remember at least ten previously used passwords. By preventing password reuse, such a policy stops users from alternating between the same few passwords. Hackers can use brute-force attacks to break into systems protected by common passwords. Although some users may find a way to circumvent a password history policy, enforcing a minimum password age regulation is a preventative measure against this.
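The minimum password age policy, the password history policy, and the NIST advice to store only a salted hash, combined in one added example (not code from the page): each account keeps the current salted PBKDF2 hash plus the last ten, a change is refused before the minimum age unless an administrator overrides it for a compromised password, and any candidate matching a remembered hash is rejected. Timestamps are epoch seconds and the PBKDF2 work factor is an assumed value kept modest so the example runs quickly.

```python
import hashlib
import hmac
import os
from typing import List, Tuple

HISTORY_DEPTH = 10                # remember at least ten previous passwords
MIN_AGE_SECONDS = 3 * 24 * 3600   # minimum password age; the page suggests three to seven days
ITERATIONS = 100_000              # assumed PBKDF2 work factor, kept modest for a quick example

def hash_password(pw: str, salt: bytes = b"") -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a salted PBKDF2-HMAC-SHA256 hash; the password is never stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, ITERATIONS)

def matches(pw: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored (salt, digest)."""
    return hmac.compare_digest(hash_password(pw, salt)[1], digest)

class Account:
    """Holds the current salted hash plus a bounded history of previous ones."""

    def __init__(self, password: str, now: float):
        self.salt, self.digest = hash_password(password)
        self.changed_at = now                     # epoch seconds of the last change
        self.history: List[Tuple[bytes, bytes]] = []

    def change_password(self, new_pw: str, now: float, admin_override: bool = False) -> str:
        """Apply the minimum-age and history policies; return 'ok' or the reason for rejection.

        admin_override lets an administrator replace a compromised password before the
        minimum age has elapsed, which is the exception the age policy needs.
        """
        if not admin_override and now - self.changed_at < MIN_AGE_SECONDS:
            return "minimum age not reached"
        if matches(new_pw, self.salt, self.digest):
            return "same as current password"
        if any(matches(new_pw, s, d) for s, d in self.history):
            return "found in password history"
        self.history.append((self.salt, self.digest))
        self.history = self.history[-HISTORY_DEPTH:]  # keep only the last ten
        self.salt, self.digest = hash_password(new_pw)
        self.changed_at = now
        return "ok"
```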

Create Unique Passwords to Protect Different Accounts

Many users succumb to the temptation of using the same password for many accounts rather than keeping track of which password belongs to which account. This is risky because a malicious user who breaks into one account gains access to all the others. Using a separate password for each account adds a layer of protection to those accounts. When safeguarding multiple systems, it is also critical not to reuse outdated passwords. Password reuse and using the same password for several accounts make it easier for hackers to compromise information and information systems.

Immediately Reset Passwords no Longer in Use

Because of their intimate knowledge, disgruntled employees can become a company’s biggest threat. System administrators must therefore reset the passwords of accounts belonging to former employees. Ex-employees may use their previous passwords to gain access to essential information for a variety of reasons, including retribution, monetary gain, and continued access to vital information. Companies should give the IT and HR departments the authority to intervene as soon as an employee leaves, and should record these actions in accordance with the relevant password policies.

Always Log Out

Employees should be required to log out of their computers whenever they leave their workstations. To prevent insider threats and hackers from obtaining personal information, employees must sign out of all accounts that are not in use. To ensure that everyone follows the policy, system administrators should configure computers to lock or sign out after a predetermined period of inactivity. Users should also revoke rights granted to third-party apps that are linked to the main account, since hackers can gain access to the main account by attacking applications with weaker protection.

Clean Desk Policy

Keeping a clean desk is one of the most effective password policy best practices. Under a clean desk policy, users must ensure that their desks and workstations are free of physical items carrying sensitive information, such as passwords. To avoid forgetting passwords, some users prefer to write them down on a piece of paper, but they may end up leaving those notes in plain view, giving everyone easy access. Users must clear their desks before leaving in order to avoid this.

Secure Emails and Mobile Phones

Malicious actors can use mobile phones and email accounts to reset the passwords of associated accounts. Most accounts have a “lost password” feature that lets users generate a new password by receiving a unique link or code on their device or in their email account. Anyone with access to those devices or email accounts can therefore change passwords at any time and retain the associated access privileges. Strong passwords and biometric security, such as fingerprints, are two secure ways to protect these devices.

Utilize a Password Manager

Professionals and businesses are increasingly prioritising password manager software. Password management programmes such as Zoho Vault and LastPass are useful for keeping track of passwords and ensuring that they are secure. Users only need to remember a master password to access the other passwords stored in the manager. Password managers are also advantageous because they suggest strong passwords for various accounts and sign the user in automatically. Using a password manager to create and save passwords is strongly recommended whenever possible.

Practices to Avoid

In terms of password security and management, password policy best practices rule out the following:

Using Dictionary Terms: When creating a password, users must avoid using words from a dictionary. Passwords formed from dictionary words, whether a single word or a combination of words, are vulnerable to dictionary attacks.

Personal Names as Passwords: Passwords that reflect personal names or place names are weak and insecure. Hackers can scan a target’s social media profile for key personal information such as family members’ names and frequently visited locations, and then use that information to crack a password. Furthermore, minor variations on personal information add no real security, because attackers can patiently try every letter and word combination until they find the correct password.

Reusing Passwords: Security experts emphasise the dangers of reusing old passwords on the same or other accounts. Users must create new passwords, since reusing passwords raises the risk of hostile actors and insider threats cracking them.

Using Letter Strings: Users can be confident that any run of adjacent keys on a keyboard, such as qwertyuiop or mnbvcxz, has already been entered into a password dictionary. Such keyboard strings are straightforward to guess.

Revealing Passwords: Users should refrain from sharing their passwords with coworkers. Shared passwords can not only be misused but also intercepted if sent across insecure networks.

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, she was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.