
Creating Effective Password Policies for Your Business

ABDA IT Consulting, November 5, 2024

Password policies have changed significantly in recent years. The old advice about complex passwords with special characters and frequent changes has been updated based on research into how people actually behave. Here's what effective password policies look like today.

What's Changed in Password Best Practices

Old Thinking

  • Require complex passwords with uppercase, lowercase, numbers, and symbols
  • Force password changes every 30-90 days
  • Prevent any password reuse

New Thinking (NIST Guidelines)

  • Focus on length over complexity
  • Don't require periodic changes unless there's evidence of compromise
  • Check passwords against known breached password lists
  • Require multi-factor authentication

Why the Change?

    Research showed that complex password requirements often backfired:

  • Users created predictable patterns like "Password1!" or "Company2024!"
  • Frequent changes led to weaker passwords and more help desk calls
  • People wrote down complex passwords they couldn't remember

Elements of an Effective Password Policy

    Length Over Complexity

    Longer passwords are harder to crack than shorter complex ones:

  • Minimum 12-14 characters
  • Allow (but don't require) complexity
  • Consider allowing passphrases
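As an added illustration (not code from ABDA or the original post), here is a Python check that applies the length-first rule, a breached-password lookup and a predictable-pattern test; the breached list and the organisation words are constructed stand-ins for real data.

```python
"""Password acceptance check in the spirit of the guidance above.

Added example; not ABDA's tooling. BREACHED_SHA1 and CONTEXT_WORDS are
constructed sample values, not real corpora.
"""
import hashlib
import re

MIN_LENGTH = 12  # length is the primary strength control; no composition rules

# Constructed stand-in for a breached-password corpus. A real deployment
# would load a full SHA-1 hash list (or query a k-anonymity range API with
# the first five hex characters of the hash) rather than this tiny set.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "Password1!", "Summer2024!", "letmein123456")
}

# Organisation-specific words people tend to build passwords around
# (assumed values for the example).
CONTEXT_WORDS = ("acme", "acmecorp")

# A word followed by a year and optional punctuation, e.g. "Company2024!"
WORD_YEAR = re.compile(r"[A-Za-z]+(19|20)\d\d[!@#$%^&*.]*")


def normalise(pw: str) -> str:
    """Lowercase and undo common substitutions so 'Acm3' still matches 'acme'."""
    return pw.lower().translate(str.maketrans("@$0!31", "asoiel"))


def check_password(pw: str) -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if hashlib.sha1(pw.encode()).hexdigest().upper() in BREACHED_SHA1:
        problems.append("appears in breached-password list")
    norm = normalise(pw)
    for word in CONTEXT_WORDS:
        if word in norm:
            problems.append(f"contains organisation word '{word}'")
    if WORD_YEAR.fullmatch(pw):
        problems.append("word + year pattern")
    # Deliberately no uppercase/digit/symbol requirements: a long passphrase
    # made only of lowercase words passes.
    return problems


if __name__ == "__main__":
    for candidate in ("Password1!", "Company2024!", "correct horse battery staple"):
        print(repr(candidate), "->", check_password(candidate) or "accepted")
```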

    Multi-Factor Authentication

    MFA is non-negotiable for modern security:

  • Something you know (password)
  • Something you have (phone, security key)
  • Something you are (biometric)

    Even if a password is compromised, MFA prevents unauthorized access.

    Password Managers

    Encourage or require password managers:

  • Generate strong, unique passwords for every account
  • Store passwords securely
  • Share passwords safely when needed
  • Reduce password reuse across accounts

    Account Lockout and Monitoring

    Protect against brute-force attacks:

  • Lock accounts after failed attempts
  • Monitor for suspicious login activity
  • Alert on logins from unusual locations

Implementation Tips

    Don't Change Everything at Once

    Rolling out a new password policy requires planning:

  • Communicate the changes and rationale to staff
  • Provide training on password managers if introducing them
  • Set up MFA infrastructure before requiring it
  • Give employees adequate time to comply

    Make It Easy to Do the Right Thing

    If security is inconvenient, people will find workarounds:

  • Provide approved password managers
  • Make MFA enrollment simple
  • Offer support for those who struggle with changes

    Handle Exceptions Thoughtfully

    Some systems may not support modern authentication:

  • Document exceptions and their risks
  • Implement compensating controls where possible
  • Plan for upgrading or replacing legacy systems

    Train Your Team

    Technical controls aren't enough:

  • Explain why these practices matter
  • Teach recognition of phishing attempts
  • Create a culture where security is everyone's responsibility

Measuring Success

    Track metrics to ensure your policy is working:

  • Password-related help desk tickets
  • Security incidents involving credentials
  • MFA adoption rates
  • Compliance with policy requirements

An effective password policy balances security with usability. The goal is to make it easy for employees to follow good practices while making it hard for attackers to compromise accounts.

    ABDA IT Consulting | Business-Focused IT Solutions