The (New) Best Practices for Your Password Policy

Posted on June 16, 2020 - by Laird Wilton - in Building Your InfoSec Program


Password policy best practices were a hot security topic in 2019, as several major organizations (including NIST, in its Digital Identity Guidelines, SP 800-63B) issued updated guidance on creating and handling passwords. These updates have been driven largely by the fact that passwords are still one of the easiest pieces of information to steal: phishing, whose main purpose is harvesting credentials, remains among the most common attack techniques.

As more and more businesses rely on cloud-based and software as a service (SaaS) tools, password security only becomes more critical. For growing SaaS companies, every new subscription is another login and password to manage, so make sure you're keeping them safe. Here's a roundup of the latest best practices for your password policy.

7 Best Practices for Your Password Policy

Having a strong password is one thing, but how you protect it determines if it stays safe. Strong passwords don’t matter if they’re in the wrong hands. Therefore, many of the latest best practices for password security revolve around how you store and handle the passwords themselves. Here are seven of the latest best practices to consider in your organization:

1. Leverage Password Managers

Password managers are pieces of software – often cloud-based – that store all of your login information for the different websites that you use. All you need to do is log into the manager itself using a unique “master password.” Many managers will then allow you to autofill passwords from a dropdown box to save time and stress.

There are many advantages to using a password manager for business, particularly if you’re regularly logging in to portals or other resources. A password manager can:

  • Generate random passwords of the desired strength, with special characters, numbers, or capitalized letters.
  • Warn you when you’re using a password that’s being used elsewhere or when the one you’ve chosen is weak.
  • Allow you to share passwords securely with other users so they can log in to a site, but they won’t know the password itself.

Password managers undergo third-party audits, penetration tests, and code reviews to keep encrypted password "vaults" safe. 1Password and LastPass, two popular password manager options, use a "zero knowledge" design: the vault is encrypted on your device with a key derived from your master password, so the master password never reaches the vendor and the vendor cannot read your passwords. That protection covers the vendor's servers, not a compromised laptop; malware on the device where the vault is unlocked can still read whatever the manager autofills. These tools help eliminate people's worst security habits, like choosing easy-to-remember passwords or reusing the same password on many sites.

2. Require Multi-Factor Authentication

Multi-factor authentication has been recognized as a best practice for several years now, and it's finally becoming both widespread and mandatory in many places. The most common form is two-factor authentication, or 2FA. The user enters a password as usual and must then provide a second proof of identity. Commonly that's a one-time code from an authenticator app or a code sent to a phone or an email address, but it can also be an employee keycard swipe, a hardware security key, or a biometric. Codes delivered by SMS or email are the weakest of these options, because they can be intercepted or phished along with the password, so prefer an authenticator app or hardware key where the service supports one.

2FA and other multi-factor methods separate knowing the password from controlling the account. A password that was phished, guessed, or pulled from a breach is not enough on its own, because the second factor proves possession of something only the legitimate user has.

Use multi-factor authentication for all sensitive business logins. Most services support it, and a few require it. It's also becoming more common for companies to make 2FA a requirement for all employees in their password security policy.

3. Keep All Passwords Unique

At one point, we all believed that the most secure password was the one that was unguessable. So, we invented an arcane string of characters and numbers – then memorized that string, only to use it everywhere.

With the average employee receiving four to five phishing emails each week, duplicate passwords are extremely risky. Once a phishing page or keylogger captures that password, the attacker has free rein across every account where it was reused; trying leaked credentials against other services (credential stuffing) is routine.

Prevent this fate by never using the same password twice. Include in your company password policy the requirement that employees keep all passwords unique. 

I’ll say it again: password managers are awesome. They’re easy to use and deploy, and they ensure that your employees aren’t reusing passwords.

4. Keep All Passwords Random

Even if they contain a string of seemingly random letters and numbers, nonrandom passwords are inherently weak. They’re statistically much more likely to be guessed, whether by someone who knows the psychology of password choice or by someone who knows the employee. You’ll want to explicitly forbid the following in your password policy:

  • Significant dates, names, or places. Names, street addresses, or dates could be found in public records that are posted online, or scraped off social media accounts.
  • Obvious sequences of characters, such as qwerty123. Keyboard walks like qazxswedcvfr follow adjacent keys on a standard US keyboard and are no more secure, and neither is a run of shifted number keys such as !@#$%^&*.
  • Words that can be found in the dictionary, even if some of the vowels have been changed into numbers. Even if baseball, princess, or dragon seems random to you… they’re not. Those words and more are commonly found among leaked passwords in data breaches.
  • Any string of characters that appears on a list of the most common passwords.

Development teams often build password “strength” checkers into applications to enforce good password choices. Such features are critical for SaaS or software companies to include on their product roadmap, so that users aren’t allowed to choose weak passwords. Note that NIST’s guidance favors checking a candidate password against lists of common, expected, and breached passwords over composition rules (mandatory digits and symbols), which push users toward predictable patterns like Password1!.
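To make the list concrete, here is an added example (not code from the original post or from any particular product) of a check a development team could run when a password is set. It encodes each forbidden category above: a common-password deny list, dictionary words with leet substitutions undone, keyboard walks on a US QWERTY layout, character sequences and repeats, and personal details from the user's profile. The word lists, the `MIN_LENGTH` of 12, the `profile` fields, and all function names are this example's assumptions; a real deployment would load breach-derived lists such as HIBP Pwned Passwords or SecLists instead.

```python
"""Added example (not code from the original post): an application-side
password check that enforces the deny-list style rules above. The word lists
are small constructed stand-ins; a real deployment loads breach-derived lists
such as HIBP Pwned Passwords or SecLists, and MIN_LENGTH is a policy choice."""
import re

MIN_LENGTH = 12  # policy choice; NIST SP 800-63B requires at least 8

# Constructed stand-ins for the real lists.
COMMON_PASSWORDS = {"123456", "password", "qwerty123", "iloveyou", "letmein"}
DICTIONARY_WORDS = {"baseball", "princess", "dragon", "password", "welcome",
                    "summer", "secret", "monkey", "football"}

# US QWERTY grid for keyboard-walk detection; shifted symbols map to the digit row.
_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
_POS = {ch: (x, y) for y, row in enumerate(_ROWS) for x, ch in enumerate(row)}
_SHIFTED = str.maketrans("!@#$%^&*()", "1234567890")
# Common leet substitutions, undone before dictionary matching.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s"})
_TRIM = re.compile(r"^[0-9!?.,_\-#*]+|[0-9!?.,_\-#*]+$")


def _core(pw):
    """Lowercase, strip leading/trailing digits and punctuation, undo leet:
    'Dr4g0n!' -> 'dragon', 'Summer2024!!' -> 'summer'."""
    return _TRIM.sub("", pw.lower()).translate(_LEET)


def _adjacent(a, b):
    pa, pb = _POS.get(a), _POS.get(b)
    return (pa is not None and pb is not None and pa != pb
            and abs(pa[0] - pb[0]) <= 1 and abs(pa[1] - pb[1]) <= 1)


def longest_keyboard_walk(pw):
    """Length of the longest run of physically adjacent keys (qwerty, qazxsw...)."""
    s = pw.lower().translate(_SHIFTED)
    best = run = 1
    for a, b in zip(s, s[1:]):
        run = run + 1 if _adjacent(a, b) else 1
        best = max(best, run)
    return best


def longest_ordinal_run(pw):
    """Longest run stepping by a constant 0 or +-1 in code point: aaaa, abcd, 4321."""
    best = run = 1
    prev = None
    for a, b in zip(pw, pw[1:]):
        d = ord(b) - ord(a)
        if abs(d) <= 1 and d == prev:
            run += 1
        else:
            run = 2 if abs(d) <= 1 else 1
            prev = d if abs(d) <= 1 else None
        best = max(best, run)
    return best


def _personal_tokens(profile):
    """Names, usernames and birthdate fragments an attacker could look up."""
    tokens = set()
    for field in ("name", "username", "email"):
        for part in re.split(r"[^a-z]+", profile.get(field, "").lower()):
            if len(part) >= 4:
                tokens.add(part)
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", profile.get("birthdate", ""))
    if m:
        y, mo, d = m.groups()
        tokens.update({y, mo + d, d + mo, y[2:] + mo + d, d + mo + y[2:]})
    return tokens


def check_password(pw, profile=None):
    """Return the list of policy violations; an empty list means acceptable."""
    reasons = []
    low, core = pw.lower(), _core(pw)
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if low in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        reasons.append("appears on the common-password list")
    for word in sorted(DICTIONARY_WORDS):
        if word in core and len(core) - len(word) <= 3:
            reasons.append(f"dictionary word '{word}' with trivial decoration")
            break
    if longest_keyboard_walk(pw) >= 4:
        reasons.append("keyboard walk of 4+ adjacent keys")
    if longest_ordinal_run(pw) >= 4:
        reasons.append("sequential or repeated characters")
    for tok in sorted(_personal_tokens(profile or {})):
        if tok in low:
            reasons.append(f"contains personal information '{tok}'")
    return reasons


if __name__ == "__main__":
    # Constructed sample profile and candidates, not real user data.
    who = {"name": "Alice Chen", "username": "achen", "birthdate": "1987-04-12"}
    for candidate in ["Dr4g0n!", "qazxswedcvfr", "Alice1987!!!", "purple-tractor-canyon-41"]:
        print(candidate, "->", check_password(candidate, who) or "OK")
```

Note what the check deliberately does not do: it imposes no composition rules, so a long random string or a multi-word passphrase passes without needing a digit or a symbol, while a dictionary word dressed up with leet substitutions and a trailing year does not.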

5. Conduct Password Audits

A password audit is a systematic review of the passwords used across an office for logging in to business resources. Much as you would with security audits and risk assessments, run a password audit on a schedule: at minimum once a year, and more often if you can.

Password managers make this easy by providing the tools that you need to check for weak or duplicated passwords. You can securely run a report to quickly get these insights (without viewing any of your employees’ passwords). Some reports include a grade or security score. Often, these reports will highlight areas that your team should improve, such as flagging employees who are reusing passwords.
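As an added example (not the report logic of any particular password manager), here is the core of such an audit over a constructed vault export. Passwords are reduced to keyed fingerprints so the report can show who reuses what without containing anything crackable; reuse is detected by matching fingerprints across entries and users; and breached passwords are found with the k-anonymity range lookup that Have I Been Pwned's Pwned Passwords API offers, where only the first five hex characters of a SHA-1 hash leave the client. The vault entries, the breach counts, `fake_range_lookup`, and the audit key are all constructed for this example.

```python
"""Added example (not code from the original post): a vault audit that flags
reused, breached and short passwords while keeping only fingerprints in the
report. The vault entries and the breach-range response are constructed sample
data; a real check would fetch https://api.pwnedpasswords.com/range/<prefix>."""
import hashlib
import hmac
from collections import defaultdict

MIN_LENGTH = 12

# Constructed sample export (not real credentials).
VAULT = [
    {"user": "alice", "site": "crm.example.com", "password": "Correct-Horse-Battery-42"},
    {"user": "alice", "site": "hr.example.com",  "password": "Correct-Horse-Battery-42"},
    {"user": "bob",   "site": "crm.example.com", "password": "password"},
    {"user": "bob",   "site": "git.example.com", "password": "xK9#mQ2pLr7vWz4n"},
    {"user": "carol", "site": "hr.example.com",  "password": "Correct-Horse-Battery-42"},
]

# Constructed stand-in for the Pwned Passwords range API: prefix -> "SUFFIX:COUNT" lines.
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8; the counts are made up.
RANGE_RESPONSES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:7\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD9:1\n",
}


def fake_range_lookup(prefix):
    """Constructed replacement for the HTTP GET against the range endpoint."""
    return RANGE_RESPONSES.get(prefix, "")


def fingerprint(password, audit_key):
    """Keyed hash: equal passwords give equal fingerprints, but a leaked report
    cannot be cracked back to the passwords without the audit key."""
    return hmac.new(audit_key, password.encode(), hashlib.sha256).hexdigest()[:16]


def breached(password, lookup):
    """k-anonymity check: only the first 5 hex chars of the SHA-1 leave the
    client; the full hash is matched locally against the returned range."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        cand, _, count = line.partition(":")
        if cand == suffix:
            return int(count)
    return 0


def audit(vault, audit_key, lookup):
    """Return {user: [findings]}; findings name sites and fingerprints, never passwords."""
    by_fp = defaultdict(list)
    for entry in vault:
        by_fp[fingerprint(entry["password"], audit_key)].append(entry)
    findings = defaultdict(list)
    for fp, entries in by_fp.items():
        users = sorted({e["user"] for e in entries})
        hits = breached(entries[0]["password"], lookup)  # one lookup per distinct password
        for e in entries:
            user, site, pw = e["user"], e["site"], e["password"]
            if len(entries) > 1:
                others = [u for u in users if u != user]
                shared = f", also used by {', '.join(others)}" if others else ""
                findings[user].append(f"{site}: reused ({len(entries)} entries, fp {fp}{shared})")
            if hits:
                findings[user].append(f"{site}: appears in {hits} breach records")
            if len(pw) < MIN_LENGTH:
                findings[user].append(f"{site}: shorter than {MIN_LENGTH} characters")
    return dict(findings)


if __name__ == "__main__":
    for user, items in audit(VAULT, b"per-audit-secret-key", fake_range_lookup).items():
        print(user, *items, sep="\n  ")
```

Against real data, `fake_range_lookup` becomes an HTTP GET of https://api.pwnedpasswords.com/range/<prefix>, and the audit key should be generated fresh for each audit and discarded afterwards so that old reports cannot be correlated with new ones.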

6. Restrict Where Passwords Are Entered

Tools like password managers are valuable because they restrict password exposure. In other words, there are fewer chances for a password to get exposed to a keylogger or a fraudulent login field. However, you can protect passwords further by restricting the devices on which employees enter them. Notably, you can prohibit employees from logging into business resources on personal devices.

Personal devices represent a security risk in a work environment. They can become infected with malware that goes undetected while quietly stealing information from the device. Likewise, it’s much harder for a cybersecurity strategy to cover personal devices because they’re often less visible (or invisible) on the network.

7. Don’t Change Them Too Often

The National Institute of Standards and Technology (NIST), in its Digital Identity Guidelines (SP 800-63B, first published in 2017), revised its recommendations for password change policies. One of the significant changes departs from previous conventional wisdom: “memorized secrets” (like passwords) should not be required to change on a schedule, only when there is evidence of compromise.

In other words, don’t make your employees change their passwords every 30, 60, or 90 days. Doing so simply invites confusion, misplaced passwords, locked accounts from too many attempts, and predictable rotations (Summer2019! becomes Fall2019!) that an attacker who knows the old password can guess. Use strong passwords and keep them safe.

How often should you change them, then? Always when there is evidence of a breach or a security incident that could compromise a password. Also, if a password audit flags weak, breached, or reused passwords, those should be changed immediately. You can still fold this into your ongoing security program: schedule the audit alongside other annual tasks like security awareness training or security policy signoffs, and change the passwords it flags.

Stay Secure by Using Password Policy Best Practices

In 2020, security remains a top focus for companies, as many look for ways to reduce risk and securely manage a remote workforce. As more core business functions rely on SaaS offerings, smart organizations are placing greater emphasis on password policy best practices.

Good password policies coupled with security awareness training help create a security-focused organizational culture that keeps your assets safe. Don’t wait until it’s too late. Take steps now to develop an effective security policy.

Does your company have a security policy about password management?


About the author

Laird Wilton is a tech entrepreneur, Techstars alumni, board member, and the COO and Co-Founder of Securicy. Securicy’s SaaS offering guides businesses through creating, implementing, and managing their information security and privacy compliance program.

Laird lives in Cape Breton, Nova Scotia with his wife and young family. When not working, he spends his time traveling with his family, coaching minor football, playing hockey and volunteering at his community’s recreation center.