Create a Secure Password Policy for Your Organization

Reading Time: 4 minutes


Passwords are an essential part of security at any organization and an important element in preventative measures to keep hackers from getting in the door to your data. Here are some tips to ensure you have the right policy in place to keep your organization safe from security threats.

Tips to Create a Strong and Secure Password Policy

When you think about passwords, there are a few dynamics to consider. The password history, password age, and password length should be top of mind. So, what standards should you set?

  • Enforce Password History
    Password history sets how frequently old passwords can be used again. When you include this in your policy, it discourages users from alternating between several common passwords that can be easily hacked. Some organizations might only enforce a password history of one or two remembered passwords. Best practices are to enforce a history of five.
  • Set a Maximum and Minimum Password Age
    • Maximum Password Age – To maintain a high level of security, you should have users change their passwords periodically. The maximum password age sets the schedule for this to take place. A shorter cycle will ensure a higher level of security. A longer cycle indicates security is less important. It can be tempting to set no expiration date, but you are then setting the stage to compromise your network’s security. Best practice is to set a maximum password age of 90 days.
    • Minimum Password Age – The minimum password age determines how long users must keep a password before they can change it. The reason you want to pay attention to this is because this field can be used to prevent users from bypassing the password policy in place by entering a new password and then changing it right back to the old one. To avoid this scenario, do not set this age to 0. It is recommended you set it for at least one day.
  • Impose a Minimum Password Length
    It is recommended that you include the use of passphrases when you create your policy. Passphrases focus on the length of the password. Some organizations might think six or eight characters are ok, but it’s recommended to set a minimum password length of 14 characters. This is much more secure than a seven or eight-character complex password.
  • Include an Account Lockout Policy
    Your password policy should include the lockout threshold, or how many attempts can be executed before a lockout takes place. You should also set how long the lockout will be in place once it is triggered. Strong security guidelines suggest that after five invalid logon attempts there is a 15 minute lockout period.

You might be thinking, are the passwords set by our users that important? The answer is yes, they absolutely are. Let’s take a look at some math on how quickly you can crack a password. With reasonably little cost, a bad guy could “guess” 44 billion passwords per second to crack a password.

  • An 8-character alpha-numeric-special-character password has a keyspace of about (26+10+32=68^8=) 457,163,239,653,376 or 457 trillion password combinations, which could be cracked in under 3 hours.
  • A 14-character alpha-numeric passphrase has a keyspace of about (26+10=36^14=) 6,140,942,214,464,815,497,216, which could be cracked in 4,425 years.
  • A 14-character alpha-numeric-special-character passphrase has a keyspace of about (68^14=) 45,198,578,652,761,699,462,938,624, which could be cracked in 32,573,580 years.
  • A 20-character alpha-numeric-special-character passphrase has a keyspace of about (68^20=) 4.469e+36, which could be cracked in 3,220,467,870,472,284,669 years.

Don’t have a policy in place today? Not sure if your IT security is up to par?  From IT strategy to security testing and everything in between, Sikich has a large team of technology advisors and specialists ready to help! Contact us today with any questions you may have.

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.


Join 14,000+ business executives and decision makers

Upcoming Events

Upcoming Events

Latest Insights

About The Author