14 Password Policy Best Practices

When was the last time you thought about password policy best practices? Your business probably relies heavily on technology for day-to-day operations, communication and data storage. With the increased reliance on digital systems comes the increased need for security measures to safeguard sensitive information. Neglecting to implement a password policy can result in data breaches, compliance penalties, legal fines and worse.

Take the time now to protect your business with these 14 password policy best practices.

Password policies have been around for a long time in business, but when was the last time you reviewed yours? Is it still fit for purpose? The online threat environment is ever-changing, and it may well be that your password policy, and overall password vigilance, has never been so important to your business.

So here is our round-up of the 14 password policy best practices for your business.


Best Practice #1: Use Strong Passwords

This might sound pretty obvious, but recent research shows that ludicrously simple passwords are still in common usage.


Put simply, strong passwords make a hacker’s job much harder. Attackers often simply set powerful computers to guessing your password, so the simpler the password, the easier it is to guess.

A strong password is considered to be over 8 characters in length and made up of letters, numbers and symbols, with letters in both uppercase and lowercase.

Best Practice #2: Avoid Bunching Numbers and Symbols Together

One good password practice that often goes overlooked is to spread numbers and symbols throughout the password instead of bunching them together; a bunched password is easier to guess.

Best Practice #3: Steer Clear from Obvious or Personal Information

Unbelievably, the most widely used password on hacked accounts last year was 123456.

Even if you think you’re just setting something up temporarily, using such super-simple passwords is just playing into the hackers’ hands.

Perhaps a bit less obvious is the risk of using personal information, like your date of birth or a child’s name, in your password. This may make it easier to remember, but such data is also vulnerable to being ‘scraped’ via fake online forms and other ruses, and could give anyone seeking to guess your password a head start.

Best Practice #4: Use Two-Factor Authentication

Two-factor authentication (2FA) helps keep accounts and data safe from hackers by using two different methods to verify that you are who you say you are.

2FA, one of the most effective password policy best practices, requires you to input a PIN that gets sent to you via email, SMS or an app. Consequently, two-factor authentication protects against stolen passwords: an outsider who has only the password is still prevented from accessing systems and accounts.

Mainstream providers are increasingly moving to using 2FA by default, and many offer the option. Why not enquire with all your cloud service providers as to the availability of two-factor authentication for accessing their platforms?

Best Practice #5: Refrain from Using Dictionary Words

Sophisticated hackers have programs that search through tens of thousands of dictionary words as part of their password-guessing attempts. Help prevent your business from being the victim of a dictionary attack by avoiding dictionary words. Instead, opt for random passwords.
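A small validator that encodes the rules from best practices #1, #2, #3 and #5 above, added here as an example and not part of the original post. The blocklist and dictionary are tiny constructed samples standing in for a real breached-password list, and the "bunched" test is one reasonable reading of best practice #2 (every digit and symbol sitting in a single run).

```python
import re

# Constructed sample lists: a real policy would load a full breached-password
# list and dictionary; these few entries only stand in for them here.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein"}
DICTIONARY_WORDS = {"summer", "welcome", "dragon", "monkey"}

CHAR_CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def check_password(password, personal_info=()):
    """Return the list of policy violations; an empty list means it passes.

    personal_info is an optional tuple of strings (birth year, child's
    name, ...) that must not appear in the password (best practice #3).
    """
    problems = []
    lowered = password.lower()

    # Best practice #1: at least 8 characters (assumed reading of "over 8"),
    # with lowercase, uppercase, digits and symbols all present.
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    missing = [name for name, rx in CHAR_CLASSES.items() if not rx.search(password)]
    if missing:
        problems.append("missing " + ", ".join(missing))

    # Best practice #2: digits and symbols should be spread through the
    # password, so flag the case where every non-letter sits in one run.
    non_letters = [i for i, c in enumerate(password) if not c.isalpha()]
    if len(non_letters) >= 2 and non_letters[-1] - non_letters[0] == len(non_letters) - 1:
        problems.append("numbers and symbols bunched together")

    # Best practice #3: no obvious passwords and no personal information.
    if lowered in COMMON_PASSWORDS:
        problems.append("common password")
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information '{item}'")

    # Best practice #5: no dictionary words.
    for word in sorted(DICTIONARY_WORDS):
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")

    return problems
```

Running `check_password("Summer2023!", personal_info=("2023",))` reports the bunched digits, the dictionary word and the personal information, while a spread-out mixed password such as `Tr4v3l#Bl0g!` returns an empty list.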

Best Practice #6: Don’t Make Passwords Too Long, or…

If you’re in the position where you need to commit your passwords to memory, then long passwords can leave you in the frustrating situation of continually forgetting your password and getting locked out of your account.

Passwords that creep up to over ten characters can be painfully difficult to remember, so around 8 – 12 characters are considered optimum for password safety.

Unless, of course, you….

Best Practice #7: Use a Password Manager

More and more businesses and professionals are using password managers like LastPass or Zoho Vault as a means of practicing high levels of security and keeping passwords organised.

With a password manager, you only need to remember one password, as the manager stores and can even create passwords for your different accounts, automatically signing you in when you log on.

If possible use these apps to generate and automatically save passwords. You can even use LastPass autofill on iOS devices so your saved passwords are available wherever you are and you don’t have to type long complicated passwords on your iOS device.

For more detailed information about password managers, read this article from the National Cyber Security Centre.

Best Practice #8: Use Different Passwords for Different Accounts

It can be tempting to use the same password for every account, so we don’t forget our passwords.

However, this not only makes it easier for hackers to break into your accounts, it also means that if they manage to crack one, they have access to all of your accounts – bad times!

Diversify your passwords by using a different password for every account. It is especially important that you do not re-use the password you’ve picked for your email account at any online site. If you do, and an e-commerce site you are registered at gets hacked, there’s a good chance someone will be reading your email soon.

Not only this, but as your email address is frequently used to reset your account passwords, an attacker who gains access to your email account can potentially lock you out of all your other accounts by changing their passwords.

Best Practice #9: Secure Your Mobile Phone

With the growing use of mobile phones to conduct business, shop and more, mobile devices are becoming a major cause of concern in the security community. Help protect your phone and other mobile devices from hackers by following password policy best practices. Or, better still, use fingerprint or facial recognition passwords to help outwit hackers.

For business users Mobile Device Management (MDM) offers a means to centrally control the security of devices by applying password policy best practices such as prompting regular password changes, locking devices to a specific location, or even wiping the device if it gets lost or stolen.


Best Practice #10: Change Passwords Regularly

It can also be tempting to keep the same old passwords for years, so you don’t end up forgetting them. However, changing passwords regularly is one of the best password policy best practices to instill in your business’s security agenda to help outwit hackers.

In most cases, your IT team should be able to apply password policy best practices centrally that ensure that passwords are regularly updated.

Best Practice #11: Change Passwords When an Employee Leaves Your Business

Sadly, it is not uncommon for former, disgruntled employees to become your business’s worst enemy.

Don’t let angry former employees hack into your business accounts and wreak havoc by making it common practice to change passwords when an employee leaves the company.

And that means immediately after they have left the building! People don’t have to wait until they get home to start accessing old work accounts anymore.

Ensure your HR and IT teams are empowered to take action quickly once an employee leaves, and document what action they have taken (as this may also overlap with your GDPR obligations).

Learn more about helpful rules, guidelines and procedures for keeping your business cyber safe with Get Safe Online.

Best Practice #12: Remember to Log Out

Avoid leaving vital company information exposed across the internet, where it is easy for hackers to steal, by signing out of accounts when you’re not using them. This can be done manually, or it may be possible in the settings to define how long an account stays logged in once it is inactive.

Also, remove any permissions of applications when you have finished with them, such as apps or APIs you have integrated with from that account.

Best Practice #13: Don’t Write Down Passwords

It can be such a temptation to write down passwords, even temporarily, either in an online document or on a scrap of paper. But as horrible as it is to contemplate, data breaches don’t just come from external hacks; they can come from within as well.

If you’re not confident of remembering passwords, or have run out of ideas for generating your own, then using a secure password manager like LastPass will make your life a whole lot easier and more secure!

Best Practice #14: Be Vigilant About Safety

No matter how strong your passwords are and how meticulous about password policy best practices you are, passwords won’t be safe if a hacker’s spy program is monitoring what you enter on your keyboard. Make life as difficult as possible for cyber criminals by using an up-to-date virus scanner and making regular updates to your devices.

In conclusion, implementing and following password policy best practices can help protect your business from data breaches and unauthorised access to company systems. Partner with an IT expert like One2Call with the knowledge and experience to keep your business safe. We offer a fully managed service called Total Care IT which includes a package of security software and central patch management on a simple and flexible per-device, per-month basis.

Get started today with One2Call’s Cyber Essentials Self-Assessment.

This post was updated in 2023 from a blog written in 2019. You can access the original blog here.
