How to create a secure password policy

A black and white photo of a business person's hand holding a stylized key representing a secure password policy, which continually splits apart to resemble an organizational structure, set against a solid red background.
(Image credit: Getty Images)

Passwords have been on their way out for years – and it’s no surprise. Alone, passwords are a flawed means of security, partly because people often choose weak credentials and repeat them across services.

In an enterprise scenario, this is especially problematic when coupled with IT policies that mandate changing passwords regularly. It is with this in mind that attitudes are starting to change.

Passwords no longer need to be changed every year and three random words can be better than lots of characters, according to new guidance from the US National Institute of Standards and Technology (NIST).

NIST’s latest guidance, supported by the National Cyber Security Centre (NCSC) and Microsoft, promotes a shift towards simplicity and usability. Both NIST and the NCSC now recommend using memorable passwords, rather than long, complicated strings.

This guidance also strongly advocates for multi-factor authentication (MFA) to strengthen security beyond passwords.

Taking this into account, how do firms create a secure password policy?

Weak password issues

The updated NIST guidelines address several issues with passwords that put user and enterprise security at risk.

Many older password policies enforce complexity rules. These are “demonstrably a bad idea”, says Jeff Watkins, chief technology officer at CreateFuture. “Firstly, they often constrain the password, lowering the search space for cracking, and secondly, they’re not very human-friendly.

“This results in people using coping mechanisms where the substitutions do not actually add genuine complexity. In addition, the difficulty of creating and using a complex password encourages users to resort to shorter ones.”

Meanwhile, frequent password changes can also lead to predictable, weaker passwords, experts say.

When users are forced to change passwords often, they tend to create simpler credentials they can easily remember, says Joshua Walsh, information security practitioner, part of the cyber, data and information law specialist team at rradar. This leads to “small, predictable changes” to their previous password, such as going from “Password1!” to “Password2!”, he says.


These patterns are easily guessable by hackers: “They do not actually provide tangible security benefits,” says Walsh. “Frequent changes can also cause user frustration and increase the likelihood of password reuse across different platforms, increasing the overall risk and impact of compromise.”

This can leave organizations more open to attacks involving the exploitation of weak or reused credentials. Hackers employ a variety of techniques such as brute-force attacks, phishing, and credential stuffing to exploit weak or stolen passwords, says Walsh.

Adversaries make use of automated tools to guess passwords or leverage leaked credentials from past breaches to gain access to business accounts. “Once hackers gain access, they can escalate privileges, steal sensitive data, install harmful software such as ransomware, or cause other damages that can lead to financial loss, reputational damage, and regulatory fines,” Walsh warns.

The ideal secure password policy

The goal of NIST and others such as the NCSC is to reduce insecure practices by making password policies better for users. The latest advice to use pass-phrases, or strings of words, is “much more human-friendly”, says Watkins. “The pass-phrase ‘shiny yellow motorcycle’ is inherently more memorable to humans than ‘1@£!!ej)_asjD’, while also being longer.”

So, in order to take on the NCSC and NIST’s advice, firms should create a password policy that strikes a balance between security and usability, says Adam Seamons, head of information security at GRC International Group. “This way, organizations can meet security needs without overwhelming users, increasing the likelihood that policies will be followed.”

As part of this, a secure password policy should encourage memorable passwords such as three random words. “You should strongly encourage pass-phrases, with a minimum length of at least 15 characters,” says Watkins.

At the same time, don’t put a maximum in, he advises. “Some password managers create very long ones, with no symbolic complexity rules. Don’t force, or disallow, the use of special characters.”

However, avoid enforcing overly complex composition rules as they can often lead to insecure practices including password reuse, says Walsh.

Organizations should only require password changes if there’s a specific security need such as after a breach and use MFA to “add a critical security layer, supplementing the password”, Seamons says.

Ongoing awareness training is also important, says Seamons. “Educate users on the importance of unique passwords and how to spot phishing attempts.”

As a bonus, if you want to make your services really user-friendly, ensure copy and paste is enabled and allow the use of the “show password” for accessibility reasons, says Watkins. It’s also recommended by NIST that you use a password management solution, he says. “These make it far easier for a user to manage multiple credentials and strongly discourage password reuse across platforms.”
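To make the policy advice above concrete, here is an added example (not code from the article or from any of the experts quoted) that evaluates candidate passwords under two policies side by side: a legacy complexity-rule policy of the kind Watkins and Walsh argue against, and a passphrase policy that applies the recommendations in this section (a 15-character minimum, no maximum, no composition rules, spaces and symbols accepted, and a rejection of the “Password1!” to “Password2!” style of small predictable change). The legacy policy’s settings (8 to 16 characters, one of each character class) and the similarity threshold are assumptions chosen for illustration; the sample candidates are constructed and include the article’s own examples.

```python
import difflib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PolicyResult:
    accepted: bool
    reasons: tuple


def legacy_policy(candidate: str) -> PolicyResult:
    """Complexity-rule policy of the kind the article argues against.

    The concrete settings (8-16 characters, one of each character class)
    are assumed for illustration; they are not from the article.
    """
    reasons = []
    if len(candidate) < 8:
        reasons.append("shorter than 8 characters")
    if len(candidate) > 16:
        reasons.append("longer than 16 characters")
    if not any(c.isupper() for c in candidate):
        reasons.append("no uppercase letter")
    if not any(c.islower() for c in candidate):
        reasons.append("no lowercase letter")
    if not any(c.isdigit() for c in candidate):
        reasons.append("no digit")
    if not any(not c.isalnum() and not c.isspace() for c in candidate):
        reasons.append("no symbol")
    return PolicyResult(not reasons, tuple(reasons))


MIN_LENGTH = 15          # "a minimum length of at least 15 characters" (Watkins)
SIMILARITY_LIMIT = 0.8   # assumed threshold for "too similar"; not from the article


def passphrase_policy(candidate: str, previous: Optional[str] = None) -> PolicyResult:
    """Policy following the article's advice: long minimum, no maximum,
    no composition rules, spaces and symbols allowed, and a check that a
    replacement password is not a small predictable edit of the old one."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    # Deliberately no maximum length and no character-class requirements:
    # manager-generated strings and three-random-word passphrases both pass.
    if previous is not None:
        # difflib ratio = 2 * matched characters / total characters;
        # "Password1!" vs "Password2!" scores 0.90 and is rejected.
        ratio = difflib.SequenceMatcher(None, previous, candidate).ratio()
        if ratio >= SIMILARITY_LIMIT:
            reasons.append(f"too similar to previous password (ratio {ratio:.2f})")
    return PolicyResult(not reasons, tuple(reasons))


def compare(candidate: str, previous: Optional[str] = None) -> dict:
    """Evaluate one candidate under both policies, for side-by-side display."""
    return {
        "legacy": legacy_policy(candidate),
        "passphrase": passphrase_policy(candidate, previous),
    }


if __name__ == "__main__":
    # Constructed sample candidates, including the article's own examples.
    samples = [
        ("Password1!", None),
        ("Password2!", "Password1!"),            # the "small predictable change"
        ("shiny yellow motorcycle", None),
        ("1@£!!ej)_asjD", None),
        ("shiny yellow motorcycle2", "shiny yellow motorcycle"),
    ]
    for candidate, previous in samples:
        for name, result in compare(candidate, previous).items():
            verdict = "accepted" if result.accepted else "rejected: " + "; ".join(result.reasons)
            print(f"{candidate!r:32} {name:12} {verdict}")
```

Running the script shows the inversion the article describes: “Password1!” satisfies every legacy complexity rule yet fails the passphrase policy on length, while “shiny yellow motorcycle” fails three legacy rules and passes the passphrase policy. The similarity check is what a rotation-after-breach rule needs alongside it, since without it a forced change tends to produce the “Password2!” variant Walsh warns about.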

MFA: Authentication beyond passwords

It’s widely understood that in today’s increasingly connected environment, passwords are not enough to secure services. Strong passwords are important, but there’s always a chance that someone could gain access to user accounts.

That’s where MFA comes in. “MFA adds an extra layer of security by requiring additional verification steps, such as biometrics or one-time codes, enhancing security beyond just passwords,” says Walsh.

One reliable form of authentication is a security key. “Phishing-resistant passkey MFA, such as hardware security keys, can stop remote attacks by requiring something you know – a password – and something you have – a security key – to insert into the device and physically touch to gain access to accounts,” says Niall McConachie, regional director, UK and Ireland, at Yubico.

Integrating MFA into your policy reduces the reliance on passwords alone. It also lowers the risk of unauthorized access, even if hackers are able to guess or brute force people’s credentials.

“Requiring multiple factors means that, even if a password is compromised, the system remains protected,” says Seamons. “PCI DSS 4.0 mandates MFA for sensitive environments, and Microsoft’s commitment to passwordless security reflects a shift toward more secure, user-friendly alternatives.”

Kate O'Flaherty

Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google. You can follow Kate on Twitter.