Optimising IT Blog

How to Create a Secure Password Policy for Your Business


While they certainly shouldn’t be your only form of defence, passwords are often the first barrier against unauthorised access, so making them hard to guess or crack is one of the most effective steps you can take to protect your business’s data and customer information.

At the same time, the number of passwords each of us has to manage keeps growing: research by the password manager NordPass found that the average user has around 100 passwords to remember. Nobody can hold that many in their head. To cope, employees resort to simple, predictable passwords, reuse the same password across accounts, and write them down where they are easily found. Each of these habits leaves your accounts and networks exposed: a single reused password leaked in a third-party breach can be replayed against every account that shares it.

To ensure your employees know the procedures to follow, add a clearly defined password policy to your staff handbook; this applies to organisations of all sizes. It should set out when passwords must be changed, where they may be stored, the requirements for creating strong login details, and any other guidance that reduces the risk of cyber criminals stealing your sensitive data.


Whether it’s financial records, email inboxes, social media profiles, the backend of your website, or any other of the numerous accounts associated with your business, safeguarding your digital assets has to be of paramount importance. Even a small breach can have serious consequences, from lost stock to leaked card details, and can do lasting damage to your reputation and bottom line.

The simplest method to counteract this is to enforce a password policy and follow it consistently from the top down throughout your entire organisation.


Unfortunately, cyber criminals are continually developing crafty new ways to steal login details and hack into accounts. Here are some of the most common tactics for you to be on the lookout for:

  • Phishing attacks: emails (and increasingly texts and messaging-app links) designed to look like they come from a legitimate sender, tricking the victim into entering their credentials on a fake login page or installing malware.
  • Brute-force and password-guessing attacks: automated tools try large numbers of username and password combinations until one works. Variants include dictionary attacks (lists of common words and known passwords) and credential stuffing (replaying username and password pairs leaked from other sites’ breaches), which is why reusing a password across accounts is so dangerous.
  • Network sniffing: the criminal captures traffic on a network they can reach, such as public Wi‑Fi, and harvests any credentials that are sent unencrypted.
  • Keyloggers: monitoring software that covertly records every keystroke, handing the attacker everything the victim types, including card numbers and passwords.
  • Shoulder surfing: watching someone type or reading their screen to obtain valuable information. Remote staff who work in public spaces such as cafés or libraries must be aware of this risk.


A whole host of password policy templates are available online, but to get you started, we’ve listed some of the key points you should include below:

  • Always change default passwords when installing new hardware or setting up an online account. Default credentials are printed in manuals and published online, so they are effectively public no matter how unique and random they may look.
  • Give password-protected accounts extra protection with multi-factor authentication (MFA), which requires a second proof of identity in addition to the password before granting access. Good options are a one-time code from an authenticator app or hardware token, and biometrics such as a fingerprint; a code sent by SMS is better than nothing but can be intercepted. Security questions (mother’s maiden name, the street where you grew up) are not a second factor: they are just another thing the user knows, and the answers are often discoverable from social media, so do not rely on them in place of MFA.
  • Make cyber security training a mandatory part of your onboarding process for new starters. Not only will this help your employees maintain good password practices from day one, but it will also help you develop a positive cyber security culture in your organisation.
  • Implement session timeouts, disable “remember me” features on sensitive systems and include an account lockout policy that blocks login to an account for a set period after several invalid attempts. A common baseline is a fifteen-minute lockout after five consecutive failures. Bear in mind that an attacker can use the lockout to deliberately lock out legitimate users, so pair it with rate limiting and alerting on repeated failures rather than relying on it alone.
  • Set a minimum and maximum password age. The minimum determines how long a user must keep a new password before changing it again, which stops people entering a new password and then changing it straight back to the old, easy-to-remember one. On the maximum, note that current guidance from the NCSC and NIST (SP 800-63B) advises against forcing routine expiry such as every 90 days: frequent forced changes push people towards predictable patterns (Summer2023!, Summer2024!) and do little against an attacker who uses a stolen password straight away. Instead, require an immediate change whenever a password is known or suspected to be compromised, and reserve scheduled rotation for shared or privileged credentials where the risk justifies it.
  • Set complexity requirements that focus on length, with a minimum of 14 characters, and prohibit passwords containing personal information such as the user’s name, username or job title. Character-class rules (a symbol, a digit, a capital) add less than they appear to, because people satisfy them predictably (a capital first, a “1” or “!” last, “a” swapped for “@”) and cracking tools try those substitutions automatically. Checking candidate passwords against lists of common and previously breached passwords is far more effective than mandating punctuation.
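To make the lockout and complexity rules above concrete, here is an added Python example (it is not code from Optimising IT or from the original post) that enforces the 14-character minimum, rejects passwords containing the user’s details or a short constructed common-password list, applies a minimum password age, and implements the five-failures, fifteen-minute lockout. The thresholds, the one-day minimum age and the `User` fields are assumptions chosen to match the bullet points; the login sequence at the end is constructed to show the lockout behaving as described.

```python
from dataclasses import dataclass, field

# Thresholds matching the policy points above (assumed values; adjust per system).
MIN_LENGTH = 14
LOCKOUT_THRESHOLD = 5            # consecutive failures before lockout
LOCKOUT_SECONDS = 15 * 60        # fifteen-minute lockout
MIN_AGE_SECONDS = 24 * 60 * 60   # assumed one-day minimum password age

# Constructed sample of widely reused passwords. A real deployment would check
# against a large breach corpus instead of this handful.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


@dataclass
class User:
    username: str
    surname: str
    job_title: str
    password_changed_at: float   # epoch seconds of the last password change


def _has_run_or_sequence(s: str, n: int = 4) -> bool:
    """True if s contains n identical characters in a row or n ascending ones (abcd, 1234)."""
    for i in range(len(s) - n + 1):
        window = s[i:i + n]
        if len(set(window)) == 1:
            return True
        codes = [ord(c) for c in window]
        if all(b - a == 1 for a, b in zip(codes, codes[1:])):
            return True
    return False


def check_password(candidate: str, user: User, now: float) -> list:
    """Return the policy violations for a proposed password; an empty list means accepted."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for label, value in (("username", user.username),
                         ("surname", user.surname),
                         ("job title", user.job_title)):
        if value and value.lower() in lowered:
            problems.append(f"contains the user's {label}")
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if _has_run_or_sequence(lowered):
        problems.append("contains a repeated or sequential run of characters")
    if now - user.password_changed_at < MIN_AGE_SECONDS:
        problems.append("current password is younger than the minimum age")
    return problems


@dataclass
class LoginThrottle:
    """Tracks failed logins per account and enforces the lockout window."""
    failures: dict = field(default_factory=dict)      # username -> recent failure times
    locked_until: dict = field(default_factory=dict)  # username -> lockout expiry time

    def is_locked(self, username: str, now: float) -> bool:
        return self.locked_until.get(username, 0) > now

    def record_attempt(self, username: str, password_ok: bool, now: float) -> str:
        # A locked account rejects even a correct password; otherwise an attacker
        # could keep guessing and learn the answer from the response.
        if self.is_locked(username, now):
            return "locked"
        if password_ok:
            self.failures.pop(username, None)
            return "ok"
        recent = [t for t in self.failures.get(username, []) if now - t < LOCKOUT_SECONDS]
        recent.append(now)
        if len(recent) >= LOCKOUT_THRESHOLD:
            self.failures.pop(username, None)
            self.locked_until[username] = now + LOCKOUT_SECONDS
            return "locked"
        self.failures[username] = recent
        return "failed"


def simulate_guessing_attack() -> list:
    """Constructed sequence: five wrong guesses, then the right password both during
    and after the lockout window. Returns the outcome of each attempt in order."""
    throttle = LoginThrottle()
    attempts = [("jsmith", False, t) for t in range(5)]         # t = 0..4 seconds
    attempts.append(("jsmith", True, 5))                        # correct, but still locked
    attempts.append(("jsmith", True, 5 + LOCKOUT_SECONDS + 1))  # correct, lock has expired
    return [throttle.record_attempt(u, ok, t) for u, ok, t in attempts]


if __name__ == "__main__":
    alice = User("asmith", "Smith", "Engineer", password_changed_at=0)
    for pw in ("Tr0ub4dor&3", "smith-is-here-2024", "correct-horse-battery-staple"):
        print(pw, "->", check_password(pw, alice, now=10**6) or "accepted")
    print(simulate_guessing_attack())
```

Note that the lockout is keyed on the username only, so an attacker who knows a list of usernames can lock every account with five junk attempts each; in production, combine this with per-source rate limiting and MFA rather than treating lockout as the whole defence.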


Instead of passwords built from repeated or sequential characters or easily obtained facts, such as birth dates, phone numbers or names, generate them randomly. Use the generator built into your password manager rather than a random website, which you have no reason to trust with a password it has just created for you. A random password drawn from the full keyboard (uppercase and lowercase letters, digits and symbols) is strong because of its length and randomness; swapping every instance of a vowel for a digit by rule adds nothing, because the substitution is predictable.

If you want something that can still be typed and remembered, use a passphrase: several unrelated words chosen at random from a large wordlist. (A string such as “Imitat3&Activ3!L3ss^Solid%0” is strong, but it is no easier to remember than a fully random password.) Check candidates with a strength estimator to confirm they meet the guidelines above, but never paste a real password into an online tool; use one that runs locally, or the checker built into your password manager.
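As an added illustration (example code written for this page, not from the original post), the Python below generates random passwords and diceware-style passphrases with the `secrets` module, estimates their entropy from pool size and length, and shows why the fixed vowel-to-digit substitution adds no strength: a cracking tool undoes it with a single rule. The 32-word list is constructed for the demo; the 7776-word figure refers to the EFF long wordlist, and the 14-character floor is the policy minimum from the text.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 symbols
CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)

# Constructed 32-word list for the demo. Use a large published list in practice
# (the EFF long list has 7776 words); the entropy figure depends on list size.
WORDLIST = ("anchor", "basket", "candle", "dragon", "ember", "falcon", "garden",
            "harbor", "island", "jigsaw", "kettle", "lantern", "marble", "nectar",
            "orbit", "pepper", "quartz", "ribbon", "saddle", "timber", "umbrella",
            "velvet", "walnut", "yonder", "zephyr", "copper", "meadow", "tunnel",
            "pillow", "rocket", "summit", "violin")


def random_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG, guaranteed to contain every character class."""
    if length < 14:
        raise ValueError("policy minimum is 14 characters")
    chars = [secrets.choice(cls) for cls in CHARACTER_CLASSES]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)   # so the forced class picks are not always first
    return "".join(chars)


def random_passphrase(words: int = 5, separator: str = "-", wordlist=WORDLIST) -> str:
    """Diceware-style passphrase: each word chosen uniformly and independently."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def has_all_classes(password: str) -> bool:
    return all(any(c in cls for c in password) for cls in CHARACTER_CLASSES)


def entropy_bits(pool_size: int, picks: int) -> float:
    """Bits of entropy for `picks` independent uniform choices from `pool_size` options."""
    return picks * math.log2(pool_size)


LEET = str.maketrans("aeios", "43105")
UNLEET = str.maketrans("43105", "aeios")


def leetify(word: str) -> str:
    """The 'replace vowels with digits' trick from the text, applied as a fixed rule."""
    return word.translate(LEET)


def unleetify(word: str) -> str:
    """The one reversal rule a cracking tool applies; the substitution adds no entropy.
    (Lossy for words that genuinely contain those digits, which is irrelevant to the attacker.)"""
    return word.translate(UNLEET)


if __name__ == "__main__":
    print(random_password(20), f"~{entropy_bits(len(ALPHABET), 20):.0f} bits")
    print(random_passphrase(5), f"~{entropy_bits(len(WORDLIST), 5):.0f} bits (demo list)")
    print(f"5 words from a 7776-word list: ~{entropy_bits(7776, 5):.0f} bits")
    print("imitate ->", leetify("imitate"), "->", unleetify(leetify("imitate")))
```

Twenty random characters from the 94-symbol keyboard give about 131 bits; five words from a 7776-word list give about 65 bits, which is already far beyond what online guessing can reach and comfortable against offline cracking of a properly hashed password. The entropy comes from the random choices, not from the look of the result, which is why `unleetify(leetify(w))` returning `w` is the whole argument against vowel substitution.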


The major drawback of machine-generated passwords is that they are hard to remember, especially as every account should have a different one. Rather than having staff scribble their logins on a post-it note stuck to the monitor or keep them in an unprotected spreadsheet, provide them with a password manager. Several established products are available; research them first, as each has its own strengths and weaknesses (hosting model, sharing features, audit logging, security track record).

The tool stores all of their logins in an encrypted vault and auto-fills passwords when required, so the only thing a user has to remember is one strong master password, which should itself be protected with MFA. Business editions let an administrator see who has access to which credentials in the company, share a credential with someone without revealing it to them in plain text, and revoke that access when they leave, which greatly reduces the chance of a password being leaked.

Our industry-leading and fully accredited cyber security services can help you compile a comprehensive password policy and ensure your business is compliant and protected from potential data breaches. Contact Optimising IT today, and one of our expert consultants will promptly give you a callback.
