Password Policy
A password policy establishes rules for creating, managing, and protecting passwords to reduce the risk of unauthorized access.
Password policies set the rules for password creation and management across an organization.
Modern password guidance (NIST 800-63B):
- Minimum 8 characters (longer is better)
- No complexity requirements (special characters)
- No forced periodic rotation
- Screen against known breached passwords
- Allow paste for password managers
Traditional vs modern approach:
- Old: Complex rules, 90-day rotation
- New: Length over complexity, no rotation unless compromised
Enterprise password controls:
- Strong password requirements enforced
- Password manager encouraged
- MFA required (not just passwords)
- Account lockout policies
- Single sign-on where possible
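As an added example that is not part of this page, the Python below contrasts the legacy composition rule with a NIST 800-63B style acceptance check (length bounds, NFKC normalization, breached-password screening, context-specific words, no complexity requirements). The breached-password set and the context words are constructed placeholders, not a real breach corpus.

```python
import re
import unicodedata

# Constructed stand-in for a breached-password corpus; a real deployment would
# screen against a full corpus of known-compromised passwords.
BREACHED_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "p@ssw0rd!", "summer2024!",
}

MIN_LENGTH = 8
# NIST 800-63B requires verifiers to accept at least 64 characters so that
# passphrases work; 64 is the smallest cap the guidance allows.
MAX_LENGTH = 64


def legacy_policy(password: str) -> list[str]:
    """Old-style composition rule: upper, lower, digit and special required."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    for name, pattern in (("uppercase", r"[A-Z]"), ("lowercase", r"[a-z]"),
                          ("digit", r"\d"), ("special", r"[^A-Za-z0-9]")):
        if not re.search(pattern, password):
            problems.append(f"missing {name} character")
    return problems


def modern_policy(password: str, context_words: tuple[str, ...] = ()) -> list[str]:
    """NIST 800-63B style: length, breach screening, context words; no composition rules."""
    # Normalize so visually identical Unicode inputs compare equal; spaces and
    # all printable characters are accepted as-is.
    pw = unicodedata.normalize("NFKC", password)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if pw.lower() in BREACHED_PASSWORDS:
        problems.append("appears in a known breach corpus")
    # Context-specific words (username, service name) are blocked per NIST.
    for word in context_words:
        if word and word.lower() in pw.lower():
            problems.append(f"contains context-specific word '{word}'")
    return problems
```

Note that the legacy rule accepts the breached "P@ssw0rd!" while rejecting a long passphrase, which is exactly the failure mode the modern guidance addresses.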
Why It Matters
Outdated password policies—like forced 90-day rotation and complex character requirements—actually reduce security by encouraging weak, predictable passwords. NIST 800-63B modernized password guidance to focus on length, breached password screening, and MFA rather than complexity. Aligning your password policy with current NIST guidance improves security while reducing user friction and help desk burden.
Key Points
Applicable Compliance Frameworks
Related Terms
Authentication is the process of verifying the identity of a user, device, or system before granting access to resources.
MFA is a security mechanism requiring users to provide two or more verification factors to gain access, significantly reducing the risk of unauthorized access.
Security policies are formal documents that define an organization's rules and guidelines for protecting information assets.
Frequently Asked Questions
Should I still require special characters?
NIST says no—it leads to predictable patterns. Focus on length and checking against breached password lists.
How often should passwords be changed?
Only when compromised. Forced periodic rotation reduces security because users choose weaker, predictable passwords.