At least one password you’ve used over the course of your life has been compromised.
That’s true of everyone, and that’s why we put password policies in place: to keep passwords – and the information they guard – secure.
But could your current password policy be hindering your data security efforts?
Can Passwords Be a Weakness?
First, some password statistics:
- 90% of businesses have a password policy (OneLogin).
- 70% of employees reuse passwords (Verizon Data Breach Investigations).
- 81% of “hacking-related data breaches” are linked to poor passwords (Verizon Data Breach Investigations).
Password policies dictate requirements for special characters, length, capitalization and repetition at organizations. Although most organizations already have a password policy in place, password rules evolve.
Microsoft said in early 2019 that IT administrators no longer need to require password expirations, as the practice doesn’t show value in keeping data secure. If a password can be hacked, they say, the length of time does nothing to give you extra protection. Other approaches work better.
What does a good password policy look like for your organization? If you’re interested in doing some reading, different sources give different advice. Microsoft publishes the up-to-date version of their password policy document, and NIST (National Institute of Standards and Technology) has another for reference. These are industry-accepted sources to help you shape your password policy.
How much of their recommendations are adopted is up to your individual organization. How many characters should you require, 8, 14 or 20? The answer can cause some debate.
Password Policy Questions to Consider
To help get you thinking, ask yourself the following questions about your current password policy:
- Does your complex password policy hinder everyday functionality for end users who need to enter their passwords often?
- Are your password requirements too long, too hard to remember or too difficult to change, possibly encouraging end users to write down passwords?
- Have you considered Multi-Factor Authentication to compliment and strengthen your password policy?
- Does your password policy involve checking passwords used against lists of common and/or often breached passwords?
- Outside of the policy itself, are you working to drive end-user awareness and anti-phishing practices to protect your passwords?
- Is your password policy strong enough to keep your information secure?
Is it time to look at your current password policy? Loffler can help. We have templates that will help you work through good, better and best password policies, and we can help you construct a new policy that will fit your organization’s needs.
Read Next: Multi-Factor Authentication: Four Reasons Why Now Is the Time

Kaela Seay is a Cybersecurity Analyst at Loffler Companies. Her duties at Loffler include creating internal and external documentation, implementing cybersecurity campaigns and training, running audits to ensure security and drafting policy templates. Outside of work, Kaela enjoys spending time with family and friends, traveling and reading.