Skip to content
Home » IT Policies » Password Policy

Password Policy

1. Purpose

The purpose of this Password Policy is to establish requirements for the creation, use, protection, management, and maintenance of passwords used to access organizational systems, applications, networks, devices, and information assets.

Passwords are a critical component of authentication and access control. Weak, reused, shared, or compromised passwords significantly increase the risk of unauthorized access, data breaches, and other security incidents. This policy establishes minimum requirements for password security to protect organizational resources and support compliance with applicable legal, regulatory, and contractual obligations.

2. Scope

This policy applies to:

  • All employees
  • Contractors
  • Consultants
  • Temporary personnel
  • Interns
  • Third-party personnel with authorized access to organizational systems

This policy applies to all passwords and password-based authentication mechanisms used to access:

  • Workstations
  • Servers
  • Applications
  • Databases
  • Cloud services
  • Network devices
  • Mobile devices
  • Administrative systems
  • Remote access systems
  • Organizational information assets

This policy applies to organization-owned, managed, and authorized systems.

3. Policy Statement

The organization shall implement password controls designed to reduce the risk of unauthorized access and credential compromise.

Passwords shall be created, stored, transmitted, and managed in a secure manner consistent with industry best practices and organizational security requirements.

Users are responsible for protecting their passwords and ensuring compliance with this policy.

4. Objectives

The objectives of this policy are to:

  • Protect organizational systems and information from unauthorized access.
  • Strengthen authentication security.
  • Reduce risks associated with compromised credentials.
  • Support secure identity and access management practices.
  • Promote secure password management habits.
  • Support compliance requirements.
  • Improve accountability and access control.
  • Reduce password-related security incidents.

5. Definitions

Password

A secret string of characters used to authenticate a user, device, service, or system.

Passphrase

A longer sequence of words or characters used for authentication that provides enhanced security and memorability.

Multi-Factor Authentication (MFA)

An authentication method requiring two or more independent forms of verification.

Password Manager

An approved application used to securely generate, store, and manage passwords.

Privileged Account

An account with elevated permissions that can modify systems, security settings, or administrative functions.

Credential Compromise

Any event in which authentication credentials are suspected or confirmed to have been exposed, disclosed, stolen, or misused.

6. Roles and Responsibilities

Executive Management

Responsible for:

  • Supporting password security initiatives.
  • Providing resources necessary for implementation.
  • Reviewing significant password-related risks.

Information Security Team

Responsible for:

  • Establishing password requirements.
  • Monitoring compliance.
  • Investigating credential-related incidents.
  • Maintaining password security standards.

Information Technology Team

Responsible for:

  • Implementing password controls.
  • Maintaining authentication systems.
  • Supporting password reset processes.
  • Enforcing technical requirements.

Managers and Supervisors

Responsible for:

  • Ensuring personnel comply with password requirements.
  • Reporting suspected credential misuse.
  • Supporting enforcement activities.

Users

Responsible for:

  • Creating strong passwords.
  • Protecting passwords from disclosure.
  • Reporting suspected compromise immediately.
  • Following organizational password requirements.

7. Password Requirements

Passwords shall meet the following minimum requirements unless stronger controls are implemented:

  • Minimum length of twelve (12) characters.
  • Longer passwords or passphrases are strongly encouraged.
  • Passwords shall be difficult to guess.
  • Passwords shall not contain easily obtainable personal information.
  • Passwords shall not be based on predictable patterns.

Where systems support passphrases, passphrases should be used instead of short passwords.

8. Prohibited Password Practices

Users shall not:

  • Share passwords with others.
  • Reuse passwords across organizational and personal accounts.
  • Write passwords in unsecured locations.
  • Store passwords in plain text.
  • Send passwords through unencrypted communications.
  • Use default vendor passwords.
  • Use easily guessed passwords.
  • Use passwords previously identified as compromised.

Violation of these requirements may result in disciplinary action.

9. Password Uniqueness

Passwords used for organizational systems shall be unique.

Passwords used for business accounts shall not be reused for:

  • Personal email accounts
  • Social media accounts
  • Personal banking accounts
  • Shopping websites
  • External services unrelated to work

Unique passwords reduce the impact of credential compromise.

10. Password Storage Requirements

Passwords shall be stored securely using approved security mechanisms.

Where technically feasible:

  • Passwords shall be hashed.
  • Passwords shall be salted.
  • Passwords shall not be stored in plain text.
  • Access to stored credentials shall be restricted.

Credential storage methods shall comply with organizational security standards.

11. Password Transmission Requirements

Passwords shall be transmitted only through secure and encrypted mechanisms.

Passwords shall not be transmitted using:

  • Unsecured email
  • Unencrypted messaging systems
  • Public communication channels
  • Shared documents without protection

Secure password delivery mechanisms shall be used when necessary.

12. Multi-Factor Authentication

Multi-factor authentication shall be required where supported for:

  • Administrative access
  • Remote access
  • Cloud applications
  • Sensitive systems
  • High-risk transactions

MFA shall supplement, not replace, strong password practices.

13. Privileged Account Passwords

Privileged accounts shall be subject to enhanced password controls.

Requirements may include:

  • Longer password lengths
  • MFA enforcement
  • Password vaulting
  • Increased monitoring
  • Additional approval requirements

Privileged credentials shall receive additional protection due to elevated risk.

14. Service Account Credentials

Service account passwords shall:

  • Be managed securely.
  • Be protected from unauthorized access.
  • Follow strong password requirements.
  • Be changed when compromise is suspected.
  • Be documented and assigned ownership.

Service account usage shall be reviewed periodically.

15. Password Managers

The use of approved password managers is encouraged.

Password managers may be used to:

  • Generate strong passwords.
  • Store credentials securely.
  • Reduce password reuse.
  • Improve credential management practices.

Only approved password management solutions shall be used for organizational credentials.

16. Password Changes

Passwords shall be changed:

  • When compromise is suspected.
  • When compromise is confirmed.
  • Following unauthorized disclosure.
  • Following security incidents involving credentials.
  • When directed by Information Security.

Routine password expiration is not required unless supported by risk assessments, regulatory requirements, or system limitations.

17. Credential Compromise

Users shall immediately report:

  • Suspected password compromise.
  • Confirmed credential theft.
  • Phishing incidents involving credentials.
  • Unauthorized account activity.

Compromised credentials shall be reset promptly.

Additional security measures may be implemented following compromise.

18. Account Lockout Controls

Authentication systems shall implement controls designed to protect against password guessing and brute-force attacks.

Controls may include:

  • Account lockouts
  • Rate limiting
  • Authentication throttling
  • Risk-based authentication
  • Monitoring and alerting

Security controls shall balance protection and usability requirements.

19. Default Passwords

Default vendor-supplied passwords shall be changed before systems are placed into production whenever technically feasible.

Default passwords shall never be used as permanent credentials.

Systems unable to support password changes shall be documented and risk assessed.

20. Password Reset Procedures

Password reset processes shall include identity verification procedures.

Password resets shall:

  • Verify user identity.
  • Be documented where appropriate.
  • Follow approved procedures.
  • Protect against unauthorized access.

Temporary passwords shall be changed promptly after issuance.

21. Monitoring and Logging

Password-related security events shall be logged and monitored.

Events may include:

  • Failed login attempts
  • Password changes
  • Password resets
  • Account lockouts
  • Administrative password actions

Logs shall be protected according to organizational requirements.

22. Security Awareness

Personnel shall receive periodic training regarding:

  • Password security best practices
  • Credential theft risks
  • Phishing awareness
  • Password manager usage
  • Authentication requirements

Awareness activities shall support secure credential management.

23. Compliance and Auditing

Compliance with this policy shall be verified through:

  • Internal audits
  • Security assessments
  • Access control reviews
  • Compliance evaluations
  • Authentication system reviews

Findings shall be documented and addressed through corrective action processes.

24. Exceptions

Exceptions to this policy must:

  • Be documented
  • Include business justification
  • Include risk assessment
  • Identify compensating controls
  • Be approved by management
  • Be reviewed periodically

Temporary exceptions shall include expiration dates.

25. Enforcement

Violations of this policy may result in:

  • Removal of access privileges
  • Disciplinary action
  • Contract termination
  • Legal action where applicable

26. Review and Maintenance

This policy shall be reviewed:

  • At least annually
  • Following significant security incidents
  • Following regulatory changes
  • Following authentication technology changes
  • Following updates to organizational security requirements

Updates shall be approved by executive management.

27. Related Policies

  • Information Security Policy
  • Identity and Access Management Policy
  • Access Control Policy
  • Multi-Factor Authentication Policy
  • Privileged Access Management Policy
  • Security Awareness and Training Policy
  • Security Monitoring and Logging Policy

28. Policy Approval

Policy Owner: Chief Information Security Officer (CISO) or Information Security Manager

Approved By: Executive Management

Effective Date: __________________

Review Date: __________________

Version: 1.0