What is the best Password Policy?

A password policy is a set of rules designed to ensure users create and maintain strong, secure passwords to prevent unauthorized access.

A good policy balances security and usability while reducing the risk of attacks like brute force, credential stuffing, and phishing.


🔹 Key Elements of a Strong Password Policy

1️⃣ Require Long & Complex Passwords

✅ Minimum 12-16 characters (longer is better).
✅ Use a mix of uppercase & lowercase letters, numbers, and symbols.
✅ Example: p@Ssw0rD!8&2xY$

🚫 Avoid:
❌ Simple passwords (e.g., password123, qwerty, 123456).
❌ Personal information (e.g., names, birthdays, addresses).


2️⃣ Enforce Multi-Factor Authentication (MFA)

✅ Require MFA for all accounts (e.g., SMS codes, authenticator apps, biometric login).
✅ Even if a password is stolen, MFA adds an extra layer of security.


3️⃣ Prevent Password Reuse & History

✅ Users cannot reuse old passwords (e.g., last 5-10 passwords).
✅ Prevent using the same password across multiple accounts.
✅ Use a password manager to generate and store unique passwords.


4️⃣ Implement Account Lockout & Rate Limiting

✅ Lock accounts after 5-10 failed login attempts to stop brute force attacks.
✅ Introduce progressive delays (e.g., increasing wait time after each failed attempt).
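As an added illustration of points 4 above (not code from Cyber21), the following Python sketch tracks failed logins per username, applies a progressive delay that doubles after each failure, and locks the account for 15 minutes once the fifth failure is reached. The thresholds, the `FakeClock` helper, and the class and function names are assumptions chosen for this example.

```python
import time
from dataclasses import dataclass

# Policy parameters (assumed values, in line with the page's 5 failures / 15 minutes)
MAX_FAILURES = 5            # failed attempts before the account locks
LOCKOUT_SECONDS = 15 * 60   # lock duration once the threshold is reached
BASE_DELAY = 1.0            # first progressive delay in seconds; doubles per failure


class FakeClock:
    """Controllable clock so the throttle can be exercised without sleeping."""
    def __init__(self, now: float = 0.0):
        self.now = now

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


@dataclass
class LoginState:
    failures: int = 0
    locked_until: float = 0.0   # epoch seconds; 0.0 means not locked
    next_allowed: float = 0.0   # earliest time another attempt is accepted


class LoginThrottle:
    """Per-username failure tracking with progressive delay and hard lockout."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.state: dict[str, LoginState] = {}

    def check(self, user: str) -> tuple[bool, str]:
        """Call before verifying the password; returns (allowed, reason)."""
        s = self.state.setdefault(user, LoginState())
        now = self.clock()
        if s.locked_until:
            if s.locked_until > now:
                return False, f"locked for {int(s.locked_until - now)}s"
            # Lockout has expired: start counting afresh.
            self.state[user] = s = LoginState()
        if s.next_allowed > now:
            return False, f"retry in {s.next_allowed - now:.1f}s"
        return True, "ok"

    def record_failure(self, user: str) -> LoginState:
        """Register a wrong password: back off exponentially, lock at the threshold."""
        s = self.state.setdefault(user, LoginState())
        now = self.clock()
        s.failures += 1
        if s.failures >= MAX_FAILURES:
            s.locked_until = now + LOCKOUT_SECONDS
            s.next_allowed = s.locked_until
        else:
            # Progressive delay: 1s, 2s, 4s, 8s after failures 1-4.
            s.next_allowed = now + BASE_DELAY * 2 ** (s.failures - 1)
        return s

    def record_success(self, user: str) -> None:
        """A correct login clears the counters."""
        self.state.pop(user, None)


if __name__ == "__main__":
    clock = FakeClock(1000.0)
    throttle = LoginThrottle(clock=clock)
    for attempt in range(1, MAX_FAILURES + 1):
        throttle.record_failure("alice")
        print(attempt, throttle.check("alice"))
        clock.advance(0.5)
```

Call `check()` before the password is compared so that a throttled request never reaches the hash function, and log lockouts: a burst of them across many usernames is a useful signal of a credential-stuffing campaign.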


5️⃣ Enable Automatic Password Expiry (Optional and not a recommendation from Cyber21)

🔹 For high-security environments (e.g., banking, healthcare, admin accounts), require password changes every 90-180 days.
🔹 Avoid frequent mandatory changes, as users tend to create weaker passwords.
🔹 Better alternative: Require password changes only if a breach is suspected.


6️⃣ Use Secure Password Storage (For Organizations)

✅ Store passwords using strong hashing algorithms (e.g., bcrypt, Argon2, PBKDF2).
✅ Never store plaintext passwords—use salted and hashed storage.
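The following Python example (added here; not Cyber21's code) shows points 3 and 6 together: passwords are stored only as salted PBKDF2-HMAC-SHA256 records, verification uses a constant-time comparison, and a bounded history of previous hashes lets a password change be rejected when it repeats any of the last five. The iteration count, record format, and the `CredentialStore` class are assumptions chosen for this example; PBKDF2 was picked because it is in the Python standard library, and bcrypt or Argon2 from the page would fit the same structure.

```python
import hashlib
import hmac
import os
from collections import deque

# Work factor for PBKDF2-HMAC-SHA256 (assumed value for this example; tune so one hash costs ~100 ms)
DEFAULT_ITERATIONS = 600_000
HISTORY_SIZE = 5   # records kept per user: the current hash plus the four before it (page: last 5-10)


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS, salt: bytes = b"") -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = salt or os.urandom(16)   # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class CredentialStore:
    """Keeps only hashes: the current one plus a bounded history for reuse checks."""

    def __init__(self, iterations: int = DEFAULT_ITERATIONS, history_size: int = HISTORY_SIZE):
        self.iterations = iterations
        self.history_size = history_size
        self._records: dict[str, deque] = {}   # user -> deque of records, newest last

    def set_password(self, user: str, new_password: str) -> bool:
        """Reject a password that matches any retained hash; otherwise store it."""
        history = self._records.setdefault(user, deque(maxlen=self.history_size))
        # Each record has its own salt, so the candidate must be hashed once per entry.
        if any(verify_password(new_password, old) for old in history):
            return False
        history.append(hash_password(new_password, self.iterations))
        return True

    def verify_login(self, user: str, password: str) -> bool:
        """Only the newest record is valid for login; older ones exist for the reuse check."""
        history = self._records.get(user)
        if not history:
            return False
        return verify_password(password, history[-1])
```

Because the history check hashes the candidate once per retained record, a change request costs up to `HISTORY_SIZE` hash computations; keep that in mind when choosing the iteration count and the history depth.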


7️⃣ Educate Users on Phishing & Social Engineering

✅ Train employees and users to recognize phishing emails and scams.
✅ Encourage users not to share passwords via email or messages.


🔹 Example of a Strong Password Policy

  • Minimum 12-16 characters.
  • Must contain uppercase, lowercase, numbers, and symbols.
  • No reuse of the last 5-10 passwords.
  • Account locks after 5 failed attempts for 15 minutes.
  • Mandatory MFA for all logins.
  • Users are encouraged to use password managers.
  • Passwords must not include personal details or common words.
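As an added example of how the length, character-class, common-word and personal-detail rules in this policy can be enforced at the point a password is chosen (this is illustrative Python, not code from Cyber21), the checker below returns a list of violations so the user can be told exactly what to fix. The denylist is a constructed sample; a real deployment would load a breached-password list. The function names and the short-fragment cutoff are assumptions chosen for this example.

```python
import re
import string
from typing import Optional

MIN_LENGTH = 12
# Constructed sample denylist; a real deployment would load a breached-password list.
COMMON_PASSWORDS = ("password", "password123", "qwerty", "123456", "letmein", "welcome")
SYMBOLS = set(string.punctuation)


def _personal_tokens(value: str) -> set[str]:
    """Derive the substrings of a personal detail that should not appear in a password."""
    lowered = value.lower()
    tokens = {lowered, lowered.replace(" ", "")}
    tokens.update(re.split(r"[^a-z0-9]+", lowered))   # e.g. "alice", "smith", "1990"
    digits = re.sub(r"\D", "", lowered)                # e.g. "19900412" from a birthday
    if digits:
        tokens.add(digits)
    return {t for t in tokens if len(t) >= 4}          # ignore very short fragments


def check_password(password: str, personal: Optional[dict] = None) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbol")
    lowered = password.lower()
    for word in COMMON_PASSWORDS:
        if word in lowered:
            problems.append(f"contains common password '{word}'")
    # personal maps a label ("name", "birthday", "email") to the user's known detail
    for label, value in (personal or {}).items():
        for token in sorted(_personal_tokens(value)):
            if token in lowered:
                problems.append(f"contains personal detail from {label}: '{token}'")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs
    print(check_password("p@Ssw0rD!8&2xY$"))
    print(check_password("Alice1990!xyzQ", {"name": "Alice Smith", "birthday": "1990-04-12"}))
```

The same function can run server-side at registration and password-change time and client-side for immediate feedback; the server-side call is the one that counts, since client checks can be bypassed.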