Passwords are one of the first lines of defense in enterprises, authenticating users to access critical accounts and data. As such, choosing strong passwords and maintaining their safety are paramount.
A well-defined password policy enables companies to lay out password security best practices and recommendations, while ensuring users understand password requirements and their role in keeping companies safe.
Learn more about what a password policy is, why one is critical to enterprise security and how to write a policy customized to your company's needs.
What is a password policy?
Password policies establish rules for password administration, penalties for violation of password rules, procedures for addressing access attempts using invalid passwords and other security-related activities. The level of detail in a password policy can range from simple -- such as the minimum required characteristics of a password – to a more detailed policy reflective of an enterprise-wide security program.
A password policy should be approved by senior management and reviewed and updated periodically to reflect new business activities. During a merger or acquisition, for example, the two companies likely have different security protocols, so policies should be updated to align with the acquiring/merging company's policies.
Why is a password policy needed?
Passwords historically have been a weak point for companies. The 2021 Verizon Data Breach Investigations Report concluded 61% of data breaches involved credentials. To prevent password-related breaches, it is important to ensure users create strong passwords and follow password rules and recommendations.
An enterprise-wide password policy sets the rules for password administration and provides guidelines for compliance. It's also an essential piece of evidence during audits and a key part of an organization's security activities and programs.
Components of a password policy
The template associated with this article provides the foundation for preparing a password policy. The level of detail is up to the IT department and C-level management. A password policy should have purpose and scope sections, followed by a set of definitions relevant to passwords, a description of employees' roles in administering the password policy, procedures on creating a password, password administration activities, password resetting, procedures for misused passwords and penalties for unauthorized password activities. The policy should also have a section to track dates and approvals.
How to prepare a password policy
In addition to the items listed above, the following are important to consider when developing a strong but user-friendly password policy:
- Consider the use of one-time passwords.
- Use password management software to help users create, encrypt, store and update passwords.
- Establish a password team within the security team.
- Consider using bring your own identity technology to minimize the number of passwords needed.
- Consider using single sign-on to reduce required access steps for different systems.
- Consider using the password policy as part of an identity and access management program.
- Establish a security breach management procedure.
- Provide periodic password awareness, education and training activities to all employees.
How to use the password policy template
This template is a framework for preparing a password policy. Use as much of the suggested content as needed. Incorporate any existing policy content, and add content that is appropriate for your organization.
Have the drafted policy reviewed by a subject matter expert, and update the policy as needed before submitting for C-level approval. It's helpful to have a lawyer review the policy, as well as risk management and HR.
Once it has been approved, it's important to advise employees on the policy. Train help desk staff to answer questions, especially regarding policy implementation and enforcement.
As with any policy, be sure to review and update it periodically to maintain its relevance and effectiveness.