Skip to content
"VC3 has made it easier than ever before for our local government to serve our citizens by providing us with modern web tools and a team
of talented and courteous professionals.
City of Valdosta, GA

Find All the Resources You Need

Our resources & insights includes case studies, client testimonials, guides, checklists, blog articles and more!


6 min read

5 Password Policy Guidelines for Small to Mid-Size Businesses

5 password policies

Company password policies may not be exciting (and you likely find yourself frustrated with them at times) but they’re an important piece to keeping company data out of the wrong hands.

It seems like a simple step, yet strong password policies and best practices are a huge issue, specifically in the small to mid-size business (SMB) market. Verizon’s 2020 Data Breach Investigations Report found that 80% of breaches from hacking involved lost, stolen, or weak passwords.

Breaches into large companies are the ones that make the news, but cyber criminals are more focused on the small and mid-size business market than ever. This is mainly attributed to the fact that many small to mid-size businesses do not have or enforce company password policies, making them easy targets.

Cybercriminals are not all hacking masterminds – they can easily purchase software that tries thousands of passwords a minute. Their goal is to get into your network. Once they’re in, they may hold your data for ransom, use it for extortion, or use that access to get to one of your customers or vendors.

Password policies and best practices are simple (yet powerful) security measures that can help prevent a successful cyberattack on your business.

At VC3, we’ve helped countless businesses create and enforce their password policy. We have strict guidelines and protocols in place to ensure the integrity of our client’s passwords and security.

Let's take a look.

Company Password Policy Best Practices

The first step in an effective company-wide password policy is implementing basic best practices on the IT side.

Here are five password policy best practices to implement for your company.

  1. Standardize Password Length and Combinations
  2. Limit Password Attempts and Implement a Lock-Out Policy
  3. Change Passwords Every 90 Days
  4. Enforce Password History and Minimum Age Requirements
  5. Use Multi-Factor Authentication

Let's dive in.

1. Standardize Password Length and Combinations

What makes a good password?

According to the latest NIST password guidance, length is more important than complexity. Passwords should use a minimum of eight characters, and systems should allow for passwords to be at least 64 characters. The longer the password, the harder it is to crack.

Ensure that your staff creates more secure passwords by using upper and lower-case letters, numbers, and special characters. Phrases with spacing and punctuation marks are an excellent option as they are more challenging for attackers to figure out.

2. Limit Password Attempts and Implement a Lock-Out Policy

As previously mentioned, cybercriminals use software that can try thousands of passwords in seconds. This is often referred to as a brute force attack.

Limiting the number of times a password can be attempted before the system locks that user out for a period of time reduces the odds that this type of attack will be successful.

3. Change Passwords Every 90 days

Your IT administrator or outsourced IT provider can set up your system to require a password change every 90 days. Doing so will ensure that it won’t be used for long if a password is compromised.

4. Enforce Password History and Minimum Age Requirements

Enforcing password history requirements ensures that a set number of unique passwords are used before an old password can be used again. Best practices suggest configuring password history to the last 24 passwords.

If you're going to implement this, it's also recommended that you set a minimum password age. This makes sure people don't change their password continuously in one day so they can keep using the same password they used previously. 

5. Use Multi-Factor Authentication

Many systems and websites offer a function to send you a one-time code after your password has been entered correctly. This is called multi-factor authentication (MFA). The unique security code must be entered to gain access after your password is accepted.

multi-factor authentication

So even if a password were compromised, the cybercriminal would be stopped in their tracks without that secondary temporary code. Unless your MFA method is email and they have your email password, in which case they might have already intercepted the temporary password.

We recommend using an MFA tool, like Watchguard AuthPoint, which sends push notifications with the code to your phone or uses a hardware token.

Password Best Practices and Guidelines for Employees

Once your company’s password policy is set, it’s time to train employees to create strong passwords and develop good password habits. It’s also important to stress that even though some of these might seem inconvenient, they’re vital to the safety of your data.

Here are the four basic password guidelines to share with your team:

  1. Create a Strong Password
  2. Never Reuse a Password or Use a Variation of an Old Password
  3. Keep Passwords to Yourself
  4. Log Out of Portals and Keep Your Computer Locked

1. Create a Strong Password

  • Passwords should be at least 8 characters in length (or whatever your company’s password policy requires). Length is more important than complexity when it comes to a secure password.
  • Ensure that your password uses upper and lower-case letters, numbers, and special characters. Even though password length is more important than complexity, using this combination of characters makes it more secure.
  • Phrases with spacing and punctuation marks are also an excellent option as they are more challenging for attackers to figure out.

Example Phrase Password: This pr0tocoL could 5ave my COMP@NY!!

  • Don’t use common words like “balloons” or “baseball.” Words found in the dictionary make guessing much easier for a cybercriminal.
  • Avoid commonly used phrases (or phrases you say a lot.) Famous catchphrases are easy to guess and can easily be found on the internet.
  • Never use your name, phone number, or email address.
  • Don’t use personal information that could easily be found on social media, like your birthday, favorite band, pet’s name, or child’s name.
  • Don’t use creative ways to write the word “password.”

Examples of Bad Passwords: “PA$$w()rd”  or “thisismypassword”

2. Never Reuse a Password or Use a Variation of an Old Password

  • Never repeat a password, even if it’s been months since it was last used. There’s always a chance that your old password is on a list somewhere, and a hacker is waiting for you to reuse it.
  • Never repeat the same password on different sites. If a hacker discovers your password, they’ll try it on all your accounts.

3. Keep Passwords to Yourself

  • Don’t write your password down on a sticky note, save it in a spreadsheet, or tell a friend or co-worker. Once someone else knows it, it’s no longer unique to you, and your login info can be exploited.

4. Log Out of Portals and Keep Your Computer Locked

  • Log out and lock your computer before you leave it unsupervised. If a co-worker or family member used your computer while you were still logged in, they’d have your level of access to company information. They may not have malicious intentions, but accidents happen, and company data could be at risk.
  • Log out of portals and web browsers. If you don’t need it open anymore or won’t be using it for some time, log out and then close the window. An important thing to remember is not just to close the program or window -- always log out first.

Cybersecurity Measures for Your Business

Even with a solid password policy in effect, you need to make sure that you have other necessary security measures in place. These high-tech security measures include (but are not limited to) a properly managed firewall, web filter, spam filter, endpoint detection and response, and patch management.

If you’re feeling like your business needs to improve its cybersecurity posture, reach out to us today. We’d be glad to help evaluate your situation. It'll either validate your gut feeling that things could be better or help you sleep soundly knowing you’re taking the necessary steps to keep cybercriminals at bay.

NOTE: This article was originally published on November 4, 2019. It has been updated on December 30, 2021 to reflect current password policy guidance and advice.

Let's talk about how VC3 can help you AIM higher.