
Creating an Effective Business Password Policy 

Amber Steel, January 25, 2022
Passwords are unavoidable in the workplace. We use them to unlock our workstations, connect to the office Wi-Fi, log in to corporate email, and access all sorts of apps, websites, databases, and so on. Yet, as standard as they are, it's easy to underestimate the importance of passwords to a business's security. Often, a password is all that stands between a bad actor - someone who poses a cyber threat - and the information or money they want to steal. As a result, a password policy is a must-have for every business in our work-from-anywhere world. But what exactly is a password policy? And how can you ensure your company has an effective password policy that enforces best practices?

What is a password policy?

A password policy sets guidelines and rules that employees, vendors, and contractors must follow when creating, using, storing, and sharing passwords at an organization. An IT or HR team typically documents a password policy in the employee handbook or cybersecurity training materials. In addition, IT generally informs employees of password policies when they join and perhaps during annual cybersecurity training. For example, a password policy may stipulate that passwords cannot be written down or sent electronically, even to other employees. A policy may indicate when employees must change passwords (e.g., every 90 days) and when IT should update passwords following employee termination or other events. Policies may specify minimum character requirements for passwords and clarify how remote users can safely access corporate networks and resources off-site, such as with a VPN. In short, a password policy clarifies how users must handle passwords and the consequences for improper handling of credentials (intentional or accidental).

Why a password policy matters

Passwords remain a cornerstone of an organization's protection from cyber threats. Compromised passwords continue to be a leading cause of data breaches, with 80% of hacking-related data breaches tied to passwords, according to the 2020 Verizon DBIR. As a result, an organization's attack surface can be considerable given the number of passwords the typical employee uses daily. A password policy is crucial because it educates employees on cybersecurity best practices and strong password hygiene. In addition, with a password policy in place, companies can strengthen their cyber defenses.

Best practices for an effective password policy

Even though a company may develop a well-written password policy, the true challenge is building an effective password policy. That means not only stating the policy but also putting its requirements into action. Without appropriate technology to enforce and monitor password policy requirements, companies will continue to experience gaps in their password security. Those gaps can - and do - lead to successful cyber attacks. An effective password policy...
  • is written clearly, avoiding tech and legal jargon so all users can understand it.
  • is easily accessible for reference, like in an employee handbook or company intranet.
  • is built on proven best practices like using a password manager and two-factor authentication, rather than "security theater" like too-frequent password rotation or security questions.
  • uses technology and behind-the-scenes management to build good password habits into daily activities, instead of relying on users (who are notoriously bad at creating passwords) to do it themselves.
  • offers a centralized way for IT to manage and oversee password security in the organization.
  • evolves, with IT actively monitoring for potential issues and updating requirements as threats and attacks change.
  • is regularly reinforced through training.

Enforcing password best practices with LastPass Business

Many companies have a written password policy. The challenge is putting the policy into action. Going from written policy to implementing it to standardizing it across all entry points can be tricky. If you don't yet have a written policy, start there:
  • Get clear on the password best practices required of all company users.
  • Document those requirements and communicate them.
  • Ensure company leadership approves of and promotes the password policy.
From there, create a plan for integrating the password policy into existing technology. For example, are you using Windows Active Directory? Or maybe LDAP? Or some other user directory or basic SSO service to grant employee access? Enable settings in those technologies that reflect your company's password policy. Next, implement a business password manager like LastPass Business to centralize oversight of password security and tie password requirements to all access points in the company. With over 100 customizable policies, LastPass Business gives IT admins the tools needed to control and enforce password best practices. A password policy is no longer just a written guideline; a corporate password manager implements the policy behind the scenes so that employees have no choice but to create and use strong passwords for every login. Essentially, LastPass Business enables IT to build an effective password policy that connects employees more quickly while strengthening the protection of company assets from cyber attacks. Learn more about how LastPass Business can help your business create and enforce an effective password policy.
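One way to verify that a user directory actually reflects the written policy (the "enable settings in those technologies" step above) is to compare the directory's enforced settings against the documented requirements. The script below is an added example, not LastPass or Microsoft code; it assumes a domain-joined workstation with the RSAT ActiveDirectory module, a read-only domain account, and constructed sample requirement values that you would replace with your own policy's numbers.

```powershell
# Audit the Active Directory default domain password policy against the
# requirements documented in the written company password policy.
# Assumes: RSAT ActiveDirectory module installed, domain-joined host, read access.
Import-Module ActiveDirectory

# Requirements from the written policy (constructed sample values; edit to match yours).
$Required = [ordered]@{
    MinPasswordLength           = 14      # minimum characters
    ComplexityEnabled           = $true   # complexity rules on
    PasswordHistoryCount        = 24      # previous passwords remembered
    LockoutThreshold            = 10      # failed attempts before lockout (0 = never lock)
    ReversibleEncryptionEnabled = $false  # must never store reversible passwords
}

function Test-DomainPasswordPolicy {
    param([hashtable]$Requirements = $Required)
    $Policy = Get-ADDefaultDomainPasswordPolicy
    foreach ($Setting in $Requirements.Keys) {
        $Expected = $Requirements[$Setting]
        $Actual   = $Policy.$Setting
        $Ok = switch ($Setting) {
            'MinPasswordLength'    { $Actual -ge $Expected }
            'PasswordHistoryCount' { $Actual -ge $Expected }
            # Lockout must be enabled (>0) and no looser than the policy allows.
            'LockoutThreshold'     { ($Actual -gt 0) -and ($Actual -le $Expected) }
            default                { $Actual -eq $Expected }
        }
        if (-not $Ok) {
            [pscustomobject]@{ Setting = $Setting; Expected = $Expected; Actual = $Actual }
        }
    }
}

# Fine-grained policies override the default for the groups they apply to, so a
# weak override can silently undo the domain-wide settings; list them for review.
function Get-PasswordPolicyOverrides {
    Get-ADFineGrainedPasswordPolicy -Filter * |
        Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled,
                      LockoutThreshold, AppliesTo
}

$Gaps = Test-DomainPasswordPolicy
if ($Gaps) { $Gaps | Format-Table -AutoSize } else { 'Default domain policy matches the written policy.' }
Get-PasswordPolicyOverrides | Format-Table -AutoSize
```

Run it on a schedule and keep the output with your policy records: a non-empty gap list is the signal that the written policy and the enforced settings have drifted apart.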