ExpressVPN Glossary
Password policy
What is a password policy?
A password policy is a set of rules that defines how passwords are created, used, and managed within an organization. It typically covers requirements for password strength, lifecycle management, reset procedures, and secure storage practices.
How does a password policy work?
A password policy works by combining technical controls and administrative rules.
Technical controls automatically enforce security requirements. They block weak or common passwords, prevent reuse, lock accounts after repeated failed attempts, and may check new passwords against breach databases.
Administrative rules define how passwords are managed. This includes when they must be changed, how they’re securely stored (hashed and salted), how resets are handled, and whether two-factor authentication (2FA) or multi-factor authentication (MFA) is required.
Types of password policies
While the goal is always to protect accounts, the type of password policy an organization chooses depends on its risk tolerance and regulatory environment. The most common types include:
- Complexity-based policies: Require a mix of uppercase and lowercase letters, numbers, and special characters. These policies focus on character variety, though overly strict rules can lead to predictable patterns.
- Length-first (passphrase) policies: Prioritize longer passwords or passphrases (e.g., three random words). These can be hard to crack and easier for users to remember.
- Risk-based (adaptive) policies: Adjust authentication requirements based on context, such as a new device, unusual location, or suspicious activity. These policies are often paired with MFA.
- Industry-specific policies: Follow formal security frameworks required in regulated sectors like finance, healthcare, or government.
Examples of password policies
Major security standards bodies publish formal password policy rules and recommendations. Here are some examples:
- National Institute of Standards and Technology (NIST) SP 800-63B: Sets mandatory requirements for U.S. federal systems, including minimum password lengths (15 characters for single-factor, 8 with MFA) and a prohibition on arbitrary composition rules.
- Center for Internet Security (CIS): Provides recommended benchmarks, such as 14-character minimums without MFA and account lockout protections.
- National Cyber Security Centre (NCSC U.K.): Recommends long, memorable passphrases and discourages forced periodic resets.
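The technical controls described earlier (a length-first minimum using the NIST SP 800-63B figures quoted above, a common-password blocklist, reuse prevention against salted hashes, and lockout after repeated failures) as an added Python example; this is not code from the page or from ExpressVPN. The blocklist contents, the lockout threshold of five attempts and the PBKDF2 iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
# Constructed stand-in for a breached / common-password blocklist.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
MAX_FAILED_ATTEMPTS = 5  # assumed lockout threshold; the page gives no number

def hash_password(password, salt=b""):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify_password(password, salt, digest):
    """Constant-time comparison against a stored salt/digest pair."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def check_new_password(candidate, mfa_enabled, history):
    """Length-first policy: NIST minimums, blocklist, no reuse; returns violations."""
    violations = []
    minimum = 8 if mfa_enabled else 15  # SP 800-63B lengths quoted on this page
    if len(candidate) < minimum:
        violations.append(f"shorter than {minimum} characters")
    if candidate.lower() in COMMON_PASSWORDS:
        violations.append("appears in common-password blocklist")
    if any(verify_password(candidate, s, d) for s, d in history):
        violations.append("reuses a previous password")
    return violations

class Account:
    """Account storing only salted hashes; locks after repeated failed logins."""
    def __init__(self, password, mfa_enabled=False):
        self.mfa_enabled, self.history, self.failed, self.locked = mfa_enabled, [], 0, False
        self.set_password(password)

    def set_password(self, candidate):
        problems = check_new_password(candidate, self.mfa_enabled, self.history)
        if problems:
            raise ValueError("; ".join(problems))
        self.history.append(hash_password(candidate))  # plaintext is never kept

    def login(self, attempt):
        if self.locked:
            return False
        salt, digest = self.history[-1]
        if verify_password(attempt, salt, digest):
            self.failed = 0
            return True
        self.failed += 1
        self.locked = self.failed >= MAX_FAILED_ATTEMPTS
        return False
```

Because each history entry carries its own random salt, a reuse check has to re-hash the candidate under every stored salt; that cost is why password history is normally kept short.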
Why is a password policy important?
A password policy reduces the risk of unauthorized access by ensuring users create and maintain strong credentials. Without clear rules, weak, reused, or easily guessed passwords become a major entry point for attackers. A defined policy also supports regulatory compliance and creates consistent security standards across an organization.
Password policy considerations
Overly strict complexity requirements could push users toward predictable patterns or writing passwords down. Likewise, forcing frequent password resets may encourage small, incremental changes.
Policies that rely on security questions or password hints can also expose sensitive personal information.
From a technical standpoint, improper storage of credentials might result in data exposure if systems are compromised.
Further reading
- How often should you change your passwords?
- How do hackers get passwords? Tips to stay safe
- Diceware passwords: How to create secure passphrases