What a password policy is for
A password policy defines how your organisation creates, stores, rotates and protects authentication secrets. Auditors ask for it because weak credentials remain the single most common entry point for attackers. A good policy is short, enforceable and aligned with current guidance — not a wish-list nobody follows.
What to include
- Scope — which accounts and systems it covers (employees, admins, service accounts, third parties).
- Length and complexity — modern guidance (NIST SP 800-63B) favours length over forced complexity. Require a minimum length (e.g. 12+ characters) and screen against breached-password lists rather than mandating frequent arbitrary changes.
- Multi-factor authentication — where MFA is mandatory (remote access, admin consoles, email). MFA is the highest-impact control you can state here.
- Storage — passwords hashed with a strong algorithm; secrets in a manager, never in plaintext, code or tickets.
- Rotation — change on suspicion of compromise, on offboarding, and for shared/service accounts. Avoid blanket 90-day rotation, which NIST now discourages.
- Privileged accounts — stronger requirements for admins (longer length, hardware MFA, vaulting).
- Enforcement — what happens on violation, and who owns reviews.
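As an added illustration of the length, breached-password screening and storage points above (this is example code written for this page, not PolicyForge's product or NIST's reference code), the following Python turns those policy statements into something technically enforceable. The breached-password list is a constructed stand-in for a real corpus, the `context_words` parameter is a hypothetical extra that follows NIST SP 800-63B's advice to reject context-specific words such as the username, and the scrypt parameters are an assumption chosen to fit the standard library.

```python
import hashlib
import hmac
import os
from typing import Optional, Set, Tuple

MIN_LENGTH = 12    # per the policy: length over forced complexity
MAX_LENGTH = 128   # allow long passphrases; the cap only bounds hashing cost

# Constructed stand-in for a breached-password denylist. A real deployment
# would screen against a full corpus; these entries are illustrative only.
BREACHED_PASSWORDS: Set[str] = {
    "password1234",
    "123456789012",
    "welcome12345",
    "letmein12345",
}

# Assumed scrypt parameters: about 16 MiB of memory per hash with n=2**14, r=8.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def evaluate_password(candidate: str,
                      denylist: Set[str] = BREACHED_PASSWORDS,
                      context_words: Tuple[str, ...] = ()) -> Tuple[bool, str]:
    """Apply the policy's screening rules and return (accepted, reason).

    No composition rules are enforced: a long, memorable passphrase passes,
    while a short string that mixes character classes still fails on length.
    `context_words` (hypothetical parameter) lets the caller pass things like
    the username, which NIST SP 800-63B says should also be rejected.
    """
    if len(candidate) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(candidate) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    if candidate in denylist or candidate.lower() in denylist:
        return False, "found in breached-password list"
    lowered = candidate.lower()
    for word in context_words:
        if word and word.lower() in lowered:
            return False, f"contains context-specific word '{word}'"
    return True, "accepted"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a salted scrypt hash rather than the password itself.

    The per-record salt means equal passwords yield different records, and the
    memory-hard function makes offline guessing against a stolen table slow.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, n, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"),
                            salt=bytes.fromhex(salt_hex),
                            n=int(n), r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # "Password1!" satisfies old-style complexity rules yet fails the length rule;
    # the plain-word passphrase passes.
    for pw in ["Password1!", "123456789012", "correct horse battery staple"]:
        print(repr(pw), evaluate_password(pw))
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
```

The point of keeping these checks in code is the one made under "Common mistakes": an auditor will test the rule you claim, so the policy text and the enforcement logic should state the same thresholds.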
Common mistakes
- Mandating frequent rotation, which pushes users to predictable patterns.
- Copying a 2010-era template that conflicts with current NIST guidance.
- Writing rules you can't technically enforce — auditors test what you claim.
Framework alignment
A password policy maps to ISO 27001:2022 Annex A control 5.17 (authentication information), the SOC 2 logical access criteria, and NIST CSF Protect (PR.AA). One document can satisfy all three.
Generate it in minutes
PolicyForge produces a password policy tailored to your context, aligned with these controls, with an approval block and versioning. See a sample PDF or generate yours free.