Top 8 Password Policy Recommendations for 2023


Passwords are the first line of defense against cyber threats, and it is essential to have a strong password policy in place to protect your organization’s sensitive information. According to a report from Verizon, around 81% of hacking breaches experienced by companies are caused by weak or stolen passwords. Maintaining password policy best practices in your company is essential to help mitigate the risks.

A recent report by Keeper Security highlights the concerning practices of employees when it comes to password security. The report found that many employees use weak or easily guessed passwords, with 31% using their child’s name or birthday, 34% using their spouse or partner’s name or birthday, 37% using the name of their employer, and 44% reusing passwords across both work-related and personal accounts.

Additionally, the report found that employees are not as security conscious as they should be when it comes to enterprise password security. A significant number of employees admitted to writing passwords down on sticky notes (57%), saving passwords on their phones (55%), saving passwords on their computers (51%), and saving passwords to the cloud (49%). Furthermore, 62% of employees share their passwords insecurely with unauthorized parties.

These findings emphasize the importance of implementing a robust password policy and educating employees on proper password practices to ensure the security of sensitive information within an organization.

Here are the top 8 password policy recommendations to help keep your organization secure:

  1. Use complex passwords: As computers continue to advance with faster processing speeds, brute-force attacks, where hackers test a vast number of character combinations to find the correct password, are becoming more successful. To combat this threat, it is recommended that companies implement a password policy that requires the use of long and complex passwords to access systems. This is considered one of the most secure practices when creating passwords. According to Scientific American, a 12-character password is 62 trillion times more challenging for cybercriminals to crack than a 6-character one. The strongest password is a 16-character one derived from a set of 200 characters.
  2. Use unique passwords: Using unique passwords for each account is crucial to protect against potential cyber threats. However, many people still struggle with managing their passwords effectively. A survey conducted by Google Online Security found that 52% of people use the same passwords for all their accounts. This is a significant security risk: if a password is compromised on one platform, every other account using the same password is at risk of being breached. The problem of password breaches is significant, as more than 555 million passwords have been published on the dark web since late 2017. This highlights the importance of creating and managing unique passwords for all accounts to ensure the safety of personal and sensitive information.
  3. Use a password manager: A password manager can generate and store complex and unique passwords, making it easier for employees to use them.
  4. Use multi-factor authentication: Two-factor authentication is a highly effective method for strengthening password security. By requiring a second form of verification, such as an SMS message containing a one-time code, in addition to a password, it becomes much more challenging for hackers to gain access to systems. This is because they would also need to have possession of the device where the authentication message is sent. According to Microsoft, users who have multi-factor authentication enabled on their accounts are able to block 99.9% of automated attacks.
  5. Train employees on the company’s password policy: Effective communication of a company’s password policy is crucial to ensure that the information reaches all employees. To ensure retention, it is recommended to communicate the policy through multiple channels and in various formats, such as email, video, and in-person training. This approach increases the chances that all employees receive and understand the information.
  6. Monitor for suspicious activity: Monitor employee accounts for suspicious activity and take action if necessary.
  7. Limit access to sensitive information: Limit access to sensitive information to only those who need it.
  8. Consider eliminating all passwords: The World Economic Forum (WEF) suggests that the COVID-19 pandemic has increased the need for organizations to abandon the use of passwords altogether. As new technologies such as biometrics, device attributes, and behavioral analytics have been developed, it is now possible to validate someone’s identity without the need for a password. The WEF claims that moving towards a “passwordless” system will significantly enhance security within companies and eliminate the risk of compromised credentials.
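
Recommendations 1 and 2, together with the habits from the Keeper Security report, can be enforced when a password is set. The following is an added example, not code from the article: the 12-character minimum, the function names, and the sample breached list and context words are all assumptions constructed for illustration.

```python
import hashlib
import math

MIN_LENGTH = 12  # assumed threshold; the article cites 12 and 16 characters


def search_space_bits(length, alphabet_size):
    """Bits of brute-force work for a random password of this length."""
    return length * math.log2(alphabet_size)


def _digest(password):
    # SHA-256 is used only to look up the constructed sample list below.
    # Stored credentials need a slow salted hash such as Argon2 or bcrypt.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample data standing in for a real breached-password corpus.
BREACHED = {_digest(p) for p in ("password123", "Summer2023!", "qwertyuiop12")}


def check_password(candidate, context_words, breached=BREACHED):
    """Return the list of policy violations; an empty list means accepted.

    context_words holds per-user values that must not appear in the
    password: employer name, family names, birthdays (all hypothetical).
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    lowered = candidate.lower()
    # Skip very short tokens to avoid rejecting on accidental matches.
    if any(len(w) >= 3 and w.lower() in lowered for w in context_words):
        problems.append("contains_personal_info")
    if _digest(candidate) in breached:
        problems.append("known_breached")
    return problems


if __name__ == "__main__":
    ctx = ["Acme", "Emma", "1987"]  # constructed employer, child, birth year
    for pw in ("Acme2023", "qwertyuiop12", "violet-Kettle-93-harbor"):
        print(pw, check_password(pw, ctx) or "accepted")
    print("16 chars from a 200-character set:",
          round(search_space_bits(16, 200), 1), "bits")
```

Because brute-force work grows exponentially with length, doubling the length doubles the bit count, which is why the length check comes first.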

It is important to note that these are just examples, and the specific needs of the organization should be considered when creating a password policy. Additionally, organizations should regularly review their password policy and update it as needed. By implementing these password policy recommendations, your organization can significantly reduce the risk of a security breach and protect sensitive information.