At least one password you’ve used over the course of your life has been compromised. 

That’s true of everyone, and that’s why we put password policies in place: to keep passwords – and the information they guard – secure. 

But could your current password policy be hindering your data security efforts? 

Can Passwords Be a Weakness? 

First, some password statistics: 

  • 90% of businesses have a password policy (OneLogin).  
  • 70% of employees reuse passwords (Verizon Data Breach Investigations). 
  • 81% of “hacking-related data breaches” are linked to poor passwords (Verizon Data Breach Investigations) 

Password policies dictate requirements for special characters, length, capitalization and repetition at organizations. Although most organizations already have a password policy in placepassword rules evolve.

Microsoft said in early 2019 that IT administrators no longer need to require password expirations, as the practice doesn’t show value in keeping data secure. If a password can be hacked, they say, the length of time does nothing to give you extra protection. Other approaches work better.  

What does a good password policy look like for your organization? If you’re interested in doing some reading, different sources give different advice. Microsoft publishes the up-to-date version of their password policy document, and NIST (National Institute of Standards and Technology) has another for reference. These are industry-accepted sources to help you shape your password policy.  

How much of their recommendations are adopted is up to your individual organization. How many characters should you require, 8, 14 or 20? The answer can cause some debate.  

Password Policy Questions to Consider 

To help get you thinking, ask yourself the following questions about your current password policy: 

  • Does your complex password policy hinder everyday functionality for end users who need to enter their passwords often? 
  • Are your password requirements too long, too hard to remember or too difficult to change, possibly encouraging end users to write down passwords? 
  • Have you considered Multi-Factor Authentication to compliment and strengthen your password policy? 
  • Does your password policy involve checking passwords used against lists of common and/or often breached passwords? 
  • Outside of the policy itself, are you working to drive end-user awareness and anti-phishing practices to protect your passwords? 
  • Is your password policy strong enough to keep your information secure? 

Is it time to look at your current password policy? Loffler can help. We have templates that will help you work through good, better and best password policies, and we can help you construct a new policy that will fit your organization’s needs. 

Information Security Policies Made Easy

Read Next: Multi-Factor Authentication: Four Reasons Why Now Is the Time

Kaela Seay

Kaela Seay is a Cybersecurity Analyst at Loffler Companies. Her duties at Loffler include creating internal and external documentation, implementing cybersecurity campaigns and training, running audits to ensure security and drafting policy templates. Outside of work, Kaela enjoys spending time with family and friends, traveling and reading.

Latest News

5 Reasons Why SMBs Should Invest in Network Security
May 2, 2023

5 Reasons SMBs Should Invest in Network Security

As more businesses digitize processes and shift their operations online, a cybersecurityplan is critical to maintaining ...
Read More
April 6, 2023

8 Cybersecurity Statistics You Must Know in 2023

Cybersecurity is a critical concern for businesses of all sizes, but small and medium-sized businesses (SMBs) are ...
Read More
March 23, 2023

6 Reasons to Consider Migrating to a Modern Workplace

With the rise of remote work, the traditional office setup is becoming a thing of the past as more and more ...
Read More