Does your organization have a password policy? This is the set of rules employees must abide by when creating new passwords and logging into their accounts. A good business makes every staff member responsible for cybersecurity, and a password policy is the best way to do this. Everyone should be responsible for protecting themselves, which protects your business.
Password policies are essential for businesses these days because the number of attacks is on the rise(new window), and the damage they can cause is growing exponentially. One of the most common vulnerabilities for businesses of all sizes is their passwords. Since they’re the entry point for almost every account, they’re also one of the most critical points in your entire security infrastructure.
The first step to protect your business is to have strong passwords, and the best way to enforce that is by having a strong password policy for your team. In this article we share some password policy best practices you can use to keep your company safe.
- Password policy tip 1: Use random passwords with a minimum length
- Password policy tip 2: Never reuse passwords
- Password policy tip 3: Enable 2FA
- Password policy tip 4: Use a password manager to ensure compliance
Password policy tip 1: Use random passwords with a minimum length
Your password policy should be clear that all passwords must be fully randomized — so created by using a password generator, not a human mind. Humans will generally create passwords that are easy to remember, rather than made to withstand attack. As a result, they are vulnerable to brute-force attacks, in which attackers will use software to “guess” users’ passwords.
Randomization isn’t the only way to create strong passwords. Another way to increase password strength is to simply make a password longer, at least 16 or so characters, though more is better. This is again to make things harder for hackers, as the longer the password, the more work it is for them to guess it.
A note on passphrases
Random passwords do have a downside — they’re very hard to remember. There are several ways around this issue, but the simplest is to choose an approach that combines password length and memorization. Passphrases are perfect for this.
We go into more detail in our article comparing passphrases vs. passwords, but in short, passphrases are long chains of easily remembered words. Think of an unusual string of words such as “mortician profusely decent easeful”. The length makes it hard to crack while still being easy to remember (or at least easier to remember than a string of random characters). A passphrase is great for any account, but the primary use case is to unlock your password manager, which we’ll discuss more later in this article.
Password policy tip 2: Never reuse passwords
Another important thing that should be part of any password policy is that you should never reuse passwords. This means all your accounts should have their own unique passwords, and you should never recycle old passwords. For every new account you create, you need to generate a new, random password.
The reason for this is something called credential stuffing, where a hacker will take all the logins leaked during a large breach and try hundreds of sites to see if they will work there, too. It’s a serious risk, too, implicated in high-profile data leaks. In 2024, Dropbox, LinkedIn, and X (new window)(formerly known as Twitter) have all been affected, with 26 billion records being leaked.
This type of attack is very common, but you can protect yourself from it by never reusing passwords and ensuring your team members don’t, either. Make sure your password policy states that employees must create unique passwords for each account and make it easy for them to do so.
Password policy tip 3: Enable two-factor authentication (2FA)
If passwords protect your accounts, two-factor authentication, better known as 2FA, can protect your passwords. If your password is the first factor, the second factor is a temporary code, usually generated by an app on your phone (there are variants using SMS, but they aren’t very secure(new window)). When you access an account, you must enter both the password and the code from the 2FA app. You can also use biometric logins, which are attributes such as your fingerprint or facial scan that can’t be easily replicated, to log in to many online accounts.
Using 2FA means that even if somebody unauthorized were to get access to your password, they would also need the phone or other device with your 2FA app on it to gain entry to your account. 2FA is the best way to defend against phishing attacks. It’s a powerful tool, but sadly underutilized.
A good corporate password policy will enforce 2FA for all employees, creating an extra layer of security for all accounts. Whether they’re using a biometric login or a 2FA app, this additional measure is well worth it to protect sensitive information they may have access to.
Password policy tip 4: Use a password manager to ensure compliance
Though a good password policy may differ across different teams and companies, these elements are vital to the security of any organization:
- Random passwords
- Long passwords
- Unique passwords
- 2FA
Of course, this brings to mind another issue, namely how you’re going to manage it all. Remembering long, random passwords is practically impossible — that’s their strength, after all — and manually keeping track of them on paper is not secure.
To make sure your team actually implements your password policy, they’ll need a password manager, a piece of software that can store your passwords for you. The easiest way to enforce a strong corporate password policy is to provide a password management tool that does it for you.
A good password manager will not just store passwords but also have a built-in password generator to create random passwords of any length whenever you need them. It will also autofill passwords whenever you log in to a site where you have an account, making password managers not just vital to security, but a massive improvement to worker’s digital quality of life.
Proton Pass and your password policy
We developed Proton Pass as a password manager that can make it easy for your entire team to secure all their business accounts. Not only can it manage and generate passwords, it also gives you the option to generate secure passphrases in case you need a password that’s easier to remember. It also autosuggests and autofills as you browse, making it easier for you to identify potentially malicious login screens (if Proton Pass won’t autofill your login, double check the URL of the page to make sure it’s legitimate). .
Proton Pass for Business is the perfect companion for any password policy you’re working on for your team, allowing your colleagues to safely share workplace login details using secure links. And you can manage your users from the admin panel, so you can grant or revoke access as needed or enforce 2FA.
Proton Pass also offers your organization security in other forms, like through our hide-my-email aliases, which enter a spoofed email address when creating a new online account, offering an extra layer of anonymity. With Pass Professional, users get access to Proton Sentinel, an advanced program that helps protect against account takeover attacks.
Most importantly, though, Proton Pass for Business has 2FA support built-in, making it much easier for your team members and organization as a whole to adopt this vital security tool. Instead of having to deal with cumbersome apps, all your tools are in the same place. It offers the same security with far less hassle.
If our features spark your interest, see which of our business plans for Proton Pass works for you today.