Your employees’ passwords are extremely valuable, and a favorite target for hackers. In fact, stolen or weak passwords are the root cause of the majority of hacking-related breaches. Employees are a critical line of defense, and having a security-conscious employee base is an invaluable aspect of organizational security.

Part of building an intelligent cyber-aware culture is developing and enforcing a smart, thorough password policy. It may seem simplistic, but a password policy paired with a greater overall access management policy demonstrates its value by assigning security roles to all employees and communicating the importance of secure access across the enterprise.

With the way authentication is rapidly evolving, we took the time to iron out a comprehensive password policy to prepare organizations for the road ahead. This template is based on our industry experience and incorporates our informed best practices as well as the latest guidance from NIST. The result is a short end-user password policy for organizations to boost their access management and password security

Best Practices for Implementing a Password Policy

Password policies can be implemented and enforced successfully in a variety of ways, but we view the following to be essential in establishing an effective and secure password policy:

  • Multi-factor. We’ve said it before – all users need to be able to leverage some form of multi-factor authentication (MFA). Organizations should be rolling out some version of this enterprise-wide.
  • Don’t limit your users. Setting a high maximum character count (at least 64 characters) for authentication encourages users to adopt passphrases over passwords - something NIST is now strongly endorsing. Longer passphrases are naturally more secure and easier for users to remember since they don’t involve random numbers and special characters.
  • Speaking of special characters…Don’t make them a requirement. More often than not, special characters are a chore that diminishes the user experience; they are more difficult to commit to memory and aren’t necessarily more secure. NIST no longer recommends special characters either.
  • Mandatory minimums. NIST recommends an 8-character minimum requirement. This may seem low, but the logic is that, if given autonomy rather than complex requirements, users will be more likely to create unique passwords than re-use the same ones across accounts.
  • Quarterly changes. Users should be prompted to change their passwords every 3 months. This ensures that employees aren’t using freshly compromised passwords, and keeps security top of mind. As part of this, users shouldn’t be able to recycle previously used passwords.
  • Check for pwnage. All attempts to create a new password should be run against a blacklist of compromised values. There are several out there, but the creator of Have I Been Pwned has created a free-to-use database of passwords that have already been breached. Forbidding previously hacked passwords greatly increases password security across the enterprise.
  • Absolute secrecy. Passwords should not be shared with anyone, including IT. They should not be communicated via email, phone, or any technology, and should never be written down. The use of a secure electronic password manager is encouraged.

Template: User Password Policy


This policy is intended to establish guidelines for effectively creating, maintaining, and protecting passwords at [COMPANY NAME].


This policy shall apply to all employees, contractors, and affiliates of [COMPANY NAME], and shall govern acceptable password use on all systems that connect to [COMPANY NAME] network or access or store [COMPANY NAME] data.


Password Creation

  1. All user and admin passwords must be at least [8] characters in length. Longer passwords and passphrases are strongly encouraged.
  2. Where possible, password dictionaries should be utilized to prevent the use of common and easily cracked passwords.
  3. Passwords must be completely unique, and not used for any other system, application, or personal account.
  4. Default installation passwords must be changed immediately after installation is complete.

Password Aging

  1. User passwords must be changed every [3] months. Previously used passwords may not be reused.
  2. System-level passwords must be changed on a quarterly basis.

Password Protection

  1. Passwords must not be shared with anyone (including coworkers and supervisors), and must not be revealed or sent electronically.
  2. Passwords shall not be written down or physically stored anywhere in the office.
  3. When configuring password “hints,” do not hint at the format of your password (e.g., “zip + middle name”)
  4. User IDs and passwords must not be stored in an unencrypted format.
  5. User IDs and passwords must not be scripted to enable automatic login.
  6. “Remember Password” feature on websites and applications should not be used.
  7. All mobile devices that connect to the company network must be secured with a password and/or biometric authentication and must be configured to lock after 3 minutes of inactivity.


It is the responsibility of the end user to ensure enforcement with the policies above.

If you believe your password may have been compromised, please immediately report the incident to [RELEVANT CONTACT] and change the password.


Want more awesome templates like this?

Subscribe to Focal Point's Risk Rundown below - a once-a-month newsletter with templates, webinars, interesting white papers, and news you may have missed. Thousands of your colleagues and competitors have signed up! You can unsubscribe at any time.