IT departments often struggle with getting users to choose secure passwords and keep them safe. For help, here’s a password policy template companies can use to create their own written rules.
Getting users to follow password policies is difficult. We don’t just mean the rules about password complexity — for example, that each password must contain at least one capital letter, number and special character.
In many cases, those requirements are easily enforced using technology tools such as Microsoft’s Group Policy — and increasingly, those rules don’t really do that much to make passwords more secure.
When a company is creating a written password policy, it’s important to focus on the entire life cycle of the password — including how passwords are chosen, how often they’re changed, and what employees should be doing to keep passwords from being stolen by outside hackers and malicious insiders.
That last point is especially important for companies to keep in mind when they create password policies. Data breaches are more likely to begin with a phishing attack or an insider threat than with a brute-force password-cracking attempt.
In addition to a password policy, IT departments should also do their best to protect accounts with technical controls — for example, encrypting all passwords that are stored on the company’s network and enforcing mandatory lockouts after a certain number of failed log-in attempts.
Below is a sample password policy template companies can use to create their own rules and password security strategies:
Password Policy Template
Employees at Company XYZ must access a variety of IT resources, including computers and other hardware devices, data storage systems, and other accounts. Passwords are a key part of IT’s strategy to make sure only authorized people can access those resources and data.
All employees who have access to any of those resources are responsible for choosing strong passwords and protecting their log-in information from unauthorized people.
The purpose of this policy is to make sure all Company XYZ resources and data receive adequate password protection. The policy covers all employees who are responsible for one or more accounts or have access to any resource that requires a password.
- All passwords should be reasonably complex and difficult for unauthorized people to guess. Employees should choose passwords that are at least eight characters long and contain a combination of upper- and lower-case letters, numbers, and punctuation marks and other special characters. These requirements will be enforced with software when possible.
- In addition to meeting those requirements, employees should also use common sense when choosing passwords. They must avoid basic combinations that are easy to crack. For instance, choices like “password,” “password1” and “Pa$$w0rd” are equally bad from a security perspective.
- A password should be unique, with meaning only to the employee who chooses it. That means dictionary words, common phrases and even names should be avoided. One recommended method for choosing a strong password that is still easy to remember: pick a phrase, take its initials, replace some of those letters with numbers and other characters, and mix up the capitalization. For example, the phrase “This may be one way to remember” can become “TmB0WTr!”.
- Employees must choose unique passwords for all of their company accounts, and may not use a password that they are already using for a personal account.
- All passwords must be changed regularly, with the frequency varying based on the sensitivity of the account in question. This requirement will be enforced using software when possible.
- If the security of a password is in doubt (for example, if it appears that an unauthorized person has logged in to the account), the password must be changed immediately.
- Default passwords — such as those created for new employees when they start or those that protect new systems when they’re initially set up — must be changed as quickly as possible.
- Employees may never share their passwords with anyone else in the company, including co-workers, managers, administrative assistants, IT staff members, etc. Everyone who needs access to a system will be given their own unique password.
- Employees may never share their passwords with any outside parties, including those claiming to be representatives of a business partner with a legitimate need to access a system.
- Employees should take steps to avoid phishing scams and other attempts by hackers to steal passwords and other sensitive information. All employees will receive training on how to recognize these attacks.
- Employees must refrain from writing passwords down and keeping them at their workstations. See above for advice on creating memorable but secure passwords.
- Employees may not use password managers or other tools to help store and remember passwords without IT’s permission.
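The first two rules of the template, as an added example that is not part of the original template: a check that applies the complexity requirements and then rejects passwords that are only a disguised common word, which is why “Pa$$w0rd” passes the complexity rule and is still refused. The deny-list, the substitution table and all function names are assumptions made for illustration.

```python
import string

# Constructed sample deny-list (assumption); a real deployment would load a
# much larger list of common and previously breached passwords.
COMMON_PASSWORDS = {"password", "welcome", "letmein", "qwerty", "companyxyz"}

# Typical character substitutions, mapped back to the letters they replace.
SUBSTITUTIONS = str.maketrans("$0@13!5", "soaleis")


def complexity_failures(pw: str) -> list[str]:
    """Return the template's complexity rules that the password fails."""
    rules = [
        (len(pw) >= 8, "shorter than eight characters"),
        (any(c.isupper() for c in pw), "no upper-case letter"),
        (any(c.islower() for c in pw), "no lower-case letter"),
        (any(c.isdigit() for c in pw), "no number"),
        (any(c in string.punctuation for c in pw), "no special character"),
    ]
    return [msg for ok, msg in rules if not ok]


def base_word(pw: str) -> str:
    """Undo the usual disguises: case, trailing digits/symbols, substitutions."""
    stripped = pw.lower().rstrip(string.digits + string.punctuation)
    return stripped.translate(SUBSTITUTIONS)


def is_guessable(pw: str) -> bool:
    """True when the password reduces to an entry on the deny-list."""
    return base_word(pw) in COMMON_PASSWORDS


def check(pw: str) -> tuple[bool, list[str]]:
    """Return (accepted, problems) for a candidate password."""
    problems = complexity_failures(pw)
    if is_guessable(pw):
        problems.append("based on a common password")
    return (not problems, problems)


if __name__ == "__main__":
    # The four passwords quoted in the template above.
    for candidate in ("password", "password1", "Pa$$w0rd", "TmB0WTr!"):
        accepted, problems = check(candidate)
        print(f"{candidate!r}: {'accepted' if accepted else 'rejected'} {problems}")
```
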