How to Create a Secure Password Policy for Your Staff - Integrity Technologies


Summary:

  • Long, unique passphrases plus multi-factor authentication stop many attacks
  • Screen new passwords against known breached lists and limit login attempts
  • A managed service provider can enforce and monitor policy across all systems

Introduction:
This guide shows small businesses how to write and enforce a modern password policy based on current federal guidance. Scope: staff passwords for business accounts, not consumer sites.

Why it matters for small firms

Stolen passwords are a leading way attackers break in. In the 2024 Verizon Data Breach Investigations Report, the use of stolen credentials was the top initial action in breaches at 24 percent. (Verizon)
Business Email Compromise, which often begins with a guessed or phished password, caused more than 2.7 billion dollars in adjusted losses reported to the FBI in 2024. (Internet Crime Complaint Center)

A written, enforced password policy reduces these risks and supports common frameworks like NIST Cybersecurity Framework 2.0, which calls out identity and access control as a core “Protect” function. (NIST Publications)

What attackers do and why it works

Attackers reuse leaked passwords from other breaches, try common or short passwords, and automate rapid guessing. If your systems allow weak, reused, or already-breached passwords, and do not limit attempts, attackers often get in. NIST’s authentication guidance addresses these weaknesses with rules for password length, breached-password screening, and rate limiting. (NIST Publications)

How to fix it this week

  1. Set minimum length and encourage passphrases
    Require at least 14 to 16 characters for staff passwords where your platform allows it. NIST allows a minimum of 8 but emphasizes longer passwords and says systems should accept at least 64 characters. Use plain-language passphrases that are easy to remember and hard to guess. (NIST Publications)
  2. Ban known weak and breached passwords
    When users create or change passwords, automatically compare them against lists of commonly used or compromised values and reject matches. This is a direct NIST requirement. You can implement this with enterprise directory or single sign-on tools. (NIST Pages)
  3. Turn on multi-factor authentication (MFA) everywhere possible
    Require MFA for email, payroll, finance, remote access, and admin accounts. CISA says MFA can block many common attacks. The FTC Safeguards Rule also requires MFA for covered financial institutions accessing customer information. (CISA)
  4. Limit login attempts and slow guessing
    Enable account lockout or throttling according to NIST’s rate-limiting guidance so automated guessing is ineffective. Avoid settings that create denial-of-service issues, but do slow repeated failures. (NIST Pages)
  5. Stop routine password expiration
    Do not force changes every 60 to 90 days. NIST advises against arbitrary rotation. Require a reset only if there is evidence of compromise. (NIST Pages)
  6. Allow paste and avoid composition tricks
    Permit copy-and-paste to support password managers. Do not require complex character mixes that push users toward predictable patterns. NIST recommends removing those composition rules. (NIST Pages)
  7. Provide and promote a password manager
    Give staff a business-grade password manager so every site gets a unique passphrase. NIST’s consumer guidance reinforces using long passphrases and checking for compromise. (NIST)
  8. Train and test
    Teach staff to never reuse work passwords on personal sites and to use MFA prompts correctly. The FTC’s small business guidance also advises limiting unsuccessful login attempts and not reusing passwords. (Federal Trade Commission)
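As an added illustration of steps 1, 2 and 4 above (example code written for this guide, not from NIST or any vendor product), the following shows what "minimum length, no composition rules, breached-list screening, and temporary throttling of failed logins" look like when written as checks. The breached-password sample, the 14-character minimum, and the 5-failures-in-300-seconds throttle thresholds are assumptions chosen for the example.

```python
"""Added example: a password-policy check and a login throttle that follow
the NIST-style rules described in this guide. Thresholds and the breached
list are constructed for illustration, not taken from any real dataset."""
import hashlib
import time

MIN_LENGTH = 14   # policy minimum recommended in the guide (assumption)
MAX_LENGTH = 64   # NIST: systems should accept at least 64 characters

# Constructed sample of "known breached" values, stored as SHA-1 digests so
# the plaintext list never has to sit on disk. A real deployment would load a
# full compromised-password list from a directory add-on or screening service.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password123", "Summer2024!", "letmein12345678")
}

def check_new_password(candidate: str) -> list:
    """Return a list of policy violations; an empty list means accepted.
    Deliberately no composition rules (no 'must contain a digit' checks)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest().upper()
    if digest in BREACHED_SHA1:
        problems.append("appears in breached-password list")
    return problems

class LoginThrottle:
    """Per-account rate limit: after `max_failures` failures inside `window`
    seconds, further attempts are refused until the window expires. The block
    is temporary so an attacker cannot lock staff out permanently."""
    def __init__(self, max_failures=5, window=300.0, clock=time.monotonic):
        self.max_failures, self.window, self.clock = max_failures, window, clock
        self._failures = {}  # account -> list of failure timestamps

    def allowed(self, account: str) -> bool:
        now = self.clock()
        recent = [t for t in self._failures.get(account, []) if now - t < self.window]
        self._failures[account] = recent  # drop failures outside the window
        return len(recent) < self.max_failures

    def record_failure(self, account: str) -> None:
        self._failures.setdefault(account, []).append(self.clock())

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)  # a good login clears the counter
```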

Costs, effort, and common pitfalls

Costs

  • Password manager: typical business licenses are low per user per month.
  • MFA: most cloud suites include app-based MFA at no extra cost.
  • Directory add-ons for breached-password checks may require licensing.

Effort

  • One afternoon to draft the policy and update cloud directory settings.
  • One hour to deploy a password manager company-wide and enforce MFA registration.
  • Ongoing review during onboarding and offboarding.

Common pitfalls

  • Keeping legacy “90-day change” rules that weaken security and frustrate staff. (NIST Pages)
  • Not enabling rate limiting, which leaves accounts open to brute force. (NIST Pages)
  • Allowing shared accounts without unique user IDs, which conflicts with identity management expectations in NIST CSF 2.0. (NIST Publications)

Compliance notes (if relevant)

  • NIST CSF 2.0 Protect function covers identity management and access control and aligns naturally with strong password and MFA policies. (NIST Publications)
  • FTC Safeguards Rule requires MFA for access to customer information in covered financial institutions, which includes many non-bank businesses like auto dealers, mortgage brokers, and tax preparers. (Federal Trade Commission)

FAQs

How long should passwords be?
Set at least 14 to 16 characters when platforms allow it. NIST requires a minimum of 8 but favors longer passphrases and support for up to at least 64. (NIST Publications)

Should we change passwords every 90 days?
No. Change only when there is evidence of compromise, per NIST. (NIST Pages)

What if MFA is not available on a vendor app?
Require the longest passphrase the app allows, enable rate limiting, and isolate the account behind single sign-on if possible. NIST requires rate limiting and screening against weak or breached values where feasible. (NIST Pages)

Call to action

Need help turning this into settings that actually stick? A managed service provider can implement MFA, password length rules, breached-password screening, and rate limiting across Microsoft 365, Google Workspace, and line-of-business apps. Get a short consultation and a security assessment to see where your policy is weak and how to enforce it without slowing your team.

Sources

  • NIST SP 800-63B Revision 4, Digital Identity Guidelines: Authentication and Lifecycle Management, July 2025. (NIST Publications)
  • NIST, “How Do I Create a Good Password?”, April 28, 2025. (NIST)
  • Verizon, 2024 Data Breach Investigations Report, May 2024. (Verizon)
  • FBI IC3, 2024 Internet Crime Report materials and brochure, 2025. (Internet Crime Complaint Center)
  • CISA, “Require Multifactor Authentication,” 2024. (CISA)
  • FTC, “Cybersecurity for Small Business,” 2021. (Federal Trade Commission)
  • NIST Cybersecurity Framework 2.0, February 2024. (NIST Publications)
  • Microsoft, “Password policy recommendations,” 2024. (Microsoft Learn)