What elements are crucial to include in a password policy? I'm putting one together and thought I would tap into the collective power of this group to see if someone out there has a good one they'd like to share.

787 views · 4 Comments
Senior Information Security Manager in Software2 years ago

I'll let Bruce Schneier do the talking here.  See https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

Deputy CISO2 years ago

While designing this policy, consider the following aspects (I may be stating the obvious here):
> your regulators and customers like to "see some things" covered in a password policy (or a passphrase policy). Please factor those in.
> what is your management's direction on passwords / passwordless (like Windows Hello)? Factor that in. The password/passphrase policy must tie into your org's overall identity management direction or approaches to Zero Trust.

> who is it for
- standard user (who may have a more relaxed regime)
- privileged user (more stringent or complex + MFA)
- service accounts
- shared accounts (like a team mailbox)
- non-human IoT or break-glass accounts

The regular elements to include:
- length (8/10 for standard, 12/15 for privileged & service, 4/6 PINs for IoT?)
- is a PIN/passphrase an option you want?
- complexity (uppercase, lowercase, special char)
- controls against use of common dictionary words and running numbers (like 123)

Director in Manufacturing2 years ago

In addition to the rules mentioned:

No reuse of passwords
60 days of duration
No repeating characters
At least one capital, one lowercase, one number, one special character

Chief Information Security Officer in Healthcare and Biotech2 years ago

1. Alphanumeric
2. More than 10 characters
3. Age should not be more than 30 days.
