Proton
password policy

Does your organization have a corporate password policy? This is the set of rules employees must abide by when creating new passwords and logging into their accounts. A good business makes every staff member responsible for cybersecurity, and a password policy is the best way to do this. Everyone should be responsible for protecting themselves, which protects your business.

The number of cyberattacks is on the rise. The FBI’s Internet Crime Complaint Center receives an average of 836,000 cybercrime complaints a year from businesses around the globe. In 2024, losses from cyberattacks reached $16.6 billion, the highest figure in the last five years. In the UK, 43% of businesses reported experiencing a cybersecurity breach or attack between 2024 and 2025.

Password policies are essential because weak passwords are one of the most common vulnerabilities for businesses of all sizes. Since they’re the entry point for almost every account, they’re also one of the most critical points in your entire security infrastructure.

The first step to protect your business is to have strong passwords — and the best way to enforce that is by having a strong password policy for your team. In this article, we share some corporate password policy best practices you can use to keep your company safe.

Password policy tip 1: Use random passwords with a minimum length

Your password policy should be clear that all passwords must be fully randomized, which means they should be created using a password generator, not a human mind. Humans will generally create passwords that are easy to remember, rather than hard to figure out. As a result, such passwords are vulnerable to brute-force attacks, in which attackers use software to “guess” users’ passwords.

Randomization isn’t the only way to create strong passwords. Another way to increase password strength is to make a password longer, at least 16 characters, though more is better. The longer your password is, the more work it is for hackers to guess it.

Consider passphrases

Random passwords do have a downside — they’re very hard to remember. There are several ways around this issue, but the simplest is to choose an approach that combines password length and memorization. Passphrases are perfect for this.

We go into more detail in our article comparing passphrases and passwords, but in short, passphrases are long chains of easily remembered words. Think of an unusual string of words such as “mortician profusely decent easeful”. The length makes it hard to crack while still being easy to remember (or at least easier to remember than a string of random characters). A passphrase is great for any account, but its primary use case should be to unlock your password manager, which we’ll discuss later in this article.
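To make tips 1 and 2 concrete, here is an added example (not code from the article or from Proton Pass) that draws random passwords and passphrases from the operating system’s CSPRNG, estimates their strength in bits, and checks a candidate against the policy floor of 16 characters and against previously used passwords. The eight-word list is constructed for illustration; a real generator uses a list of several thousand words.

```python
import hashlib
import math
import secrets
import string

MIN_PASSWORD_LENGTH = 16  # policy floor from tip 1

# Constructed sample wordlist for illustration only; a production generator
# uses a large published list (thousands of words) so each word adds ~13 bits.
SAMPLE_WORDLIST = ["mortician", "profusely", "decent", "easeful",
                   "lantern", "quartz", "velvet", "orbit"]

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Fully random password from the OS CSPRNG, never from a human mind."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_passphrase(words: int = 4, wordlist=SAMPLE_WORDLIST) -> str:
    """Diceware-style passphrase: random words joined by spaces."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def password_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Strength of a uniformly random character password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Strength of a random passphrase depends on the list size, not word length."""
    return words * math.log2(wordlist_size)


def fingerprint(password: str) -> str:
    """Store only a digest of past passwords so the reuse check never keeps plaintext."""
    return hashlib.sha256(password.encode()).hexdigest()


def check_policy(password: str, used_fingerprints: set, min_length: int = MIN_PASSWORD_LENGTH) -> list:
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if fingerprint(password) in used_fingerprints:
        problems.append("reused password")
    return problems
```

The entropy helpers show why the article’s four-word passphrase only pays off with a large wordlist: four words from 7,776 give about 52 bits, while four words from the eight-word sample give 12.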

Password policy tip 2: Never reuse passwords

The foundation of any good password policy is simple: don’t reuse passwords. This means all your accounts should have unique passwords, and you should never recycle old passwords. You should generate a new, random password for every new account you create.

The reason for this is credential stuffing, where a hacker takes all the logins leaked during a large breach and tries them on hundreds of other sites to see if they work there too. This practice has led to many high-profile data leaks. In 2024, Dropbox, LinkedIn, and X were all affected, and credential stuffing was used in some of the biggest data breaches this year, including Coinbase, Bank of America, and Samsung.

This type of attack is very common, but you can protect yourself from it by never reusing passwords and ensuring your team members don’t, either. Make sure your password policy states that employees must create unique passwords for each account and make it easy for them to do so.

Password policy tip 3: Enable two-factor authentication (2FA)

Passwords protect your accounts, and two-factor authentication (2FA) can protect your passwords. If your password is the first factor of authentication, the second factor is a temporary code or one-time password (OTP), usually generated by an app on your phone. We don’t recommend using codes sent by SMS, as they aren’t secure. When you access an account, you must enter both the password and the code from the 2FA app. You can also use biometric logins that can’t be easily replicated, such as your fingerprint or facial scan, to log in to many online accounts.

Using 2FA means that even if somebody unauthorized were to get access to your password, they would also need the phone or other device with your 2FA app on it to gain entry to your account. 2FA is the best way to defend against phishing attacks. It’s a powerful tool, but sadly underutilized.

A good corporate password policy will enforce 2FA for all employees, creating an extra layer of security for all accounts. Whether they’re using a biometric login or a 2FA app, this additional measure is well worth it to protect sensitive information they may have access to.
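The temporary code described above is normally a time-based one-time password (TOTP). The following is an added example, not code from the article or from Proton Pass, of how the server side verifies such a code: the secret shared with the phone app is fed through HMAC-SHA1 with the current 30-second time step, truncated to six digits, and compared in constant time, with a one-step window to absorb clock skew between phone and server.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # time step used by common authenticator apps
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret: bytes, submitted: str, timestamp: int,
                step: int = STEP_SECONDS, window: int = 1, digits: int = DIGITS) -> bool:
    """Accept the code for the current step or +/- `window` adjacent steps.

    hmac.compare_digest avoids leaking which digits matched through timing.
    A production verifier should also remember the last accepted counter and
    reject it if presented again, so a captured code cannot be replayed.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return False
    counter = timestamp // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), submitted)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Constructed demo secret; the RFC 6238 test vector secret is the ASCII digits 1-9-0 repeated.
    demo_secret = b"12345678901234567890"
    print(totp(demo_secret, 59))  # RFC 6238 test vector at time 59 -> 287082
```

Only the six-digit code ever crosses the network; the shared secret stays on the phone and the server, which is why an attacker who has only the password still cannot log in.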

Password policy tip 4: Use a password manager to ensure compliance

Though a good password policy may differ between teams and companies, these elements are vital to the security of any organization:

  • Random passwords
  • Long passwords
  • Unique passwords
  • 2FA

But how can you manage all of this information? Remembering long, random passwords is practically impossible — that’s their strength — and manually keeping track of them on paper isn’t secure.

To make sure your team actually implements your password policy, they’ll need a password manager. A password manager creates, stores, and manages your passwords in one place. The easiest way to enforce a strong corporate password policy is to provide a password management tool that does it for you.

A good password manager will not just store passwords but also have a built-in password generator to create random passwords of any length whenever you need them. It will also autofill passwords whenever you log in to a site where you have an account, making password managers not just vital to security, but a massive improvement to your workers’ digital quality of life.

Proton Pass and your corporate password policy

We developed Proton Pass as a password manager that can make it easy for your entire team to secure all their business accounts. Not only can it manage and generate passwords, it allows you to generate secure passphrases in case you need a password that’s easier to remember. It also autosuggests and autofills as you browse, making it easier for you to identify potentially malicious login screens (if Proton Pass won’t autofill your login, double-check the page URL to make sure it’s legitimate).

Proton Pass for Business is the perfect companion for any password policy you’re working on for your team, allowing your colleagues to safely share workplace login details using secure links. You can manage your users from the admin panel and grant or revoke access as needed. Team policies allow you to enforce 2FA, create rules for all new passwords created in the password generator, and control whether data can be shared outside your business network in just a few clicks.

Proton Pass also offers your organization security in other forms, such as hide-my-email aliases, which substitute a unique alias for your real email address when creating a new online account, offering an extra layer of anonymity. With Pass Professional, users get access to Proton Sentinel, an advanced program that helps protect against account takeover attacks.

Most importantly, though, Proton Pass for Business has 2FA support built-in, making it much easier for your team members and organization as a whole to adopt this vital security tool. Instead of having to deal with cumbersome apps, all your tools are in the same place. It offers the same security with far less hassle.

If you want to protect your business with a strong password policy, see which of our business plans for Proton Pass works for you today.
