For years, the standard advice on passwords made them worse. "Use a complex mix of symbols," "change it every 90 days," "do not write it down": all well-intentioned, all leading people straight into bad habits. The result was predictable: passwords like Summer2024! followed by Summer2024!!, reused everywhere, and stuck on monitors.

Modern guidance is simpler, safer, and far easier for your team to live with. Here is how to build a password policy people will actually follow.

Where the old rules went wrong

Forced complexity and frequent expiration did not produce strong passwords. They produced predictable ones. When people must change a password every quarter, they make the smallest possible change. When they must include a symbol, they put a ! at the end. Attackers know all of this.

Security researchers and standards bodies, including NIST, whose digital identity guidelines shape U.S. best practice, shifted years ago toward a more human approach: longer passwords, fewer pointless rules, and no forced periodic changes unless there is evidence of compromise.

What a modern password policy says

Length beats complexity. A long passphrase (several random words) is both stronger and easier to remember than a short scramble of symbols. Encourage 14 characters or more.

Stop forcing routine resets. Change passwords when there is a reason to (a breach, a suspected compromise), not on an arbitrary calendar. Routine expiration just trains people to pick weak, predictable variations.

Every account gets a unique password. Reuse is the real danger. One leaked password should never unlock a second account.

Screen against known-bad passwords. Block common and previously breached passwords rather than demanding ever-more-complex rules.
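As an added example (not code from the original article), here is a small Python policy checker that applies just the two rules above, a 14-character floor and a screen against known-bad passwords, alongside a passphrase generator of the kind a password manager uses and an entropy comparison showing why length beats complexity. The word list, the deny list, and the heuristic that strips trailing digits and punctuation to catch Summer2025!!-style variations are all constructed for this example; real screening uses a breached-password corpus of millions of entries.

```python
import math
import secrets
import string

# Constructed toy word list (32 entries). A real diceware-style list has
# about 7776 words; this one only keeps the example self-contained and offline.
WORDS = (
    "anchor basil canyon delta ember falcon garnet harbor ivory jungle kettle "
    "lantern marble nectar orbit pepper quartz river saddle timber umbrella "
    "velvet walnut yonder zephyr bronze cobalt fossil glacier meadow summit tundra"
).split()

# Constructed deny list standing in for a breached-password corpus.
BREACHED = {
    "password", "password123456789", "p@ssw0rd", "welcome1", "qwerty123",
    "letmein", "summer", "summer2024!", "summer2024!!",
}

MIN_LENGTH = 14  # the "14 characters or more" floor from the text


def passphrase_entropy_bits(word_count: int, list_size: int) -> float:
    """Entropy of word_count words drawn uniformly from a list of list_size words."""
    return word_count * math.log2(list_size)


def scramble_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string of `length` chars over alphabet_size symbols."""
    return length * math.log2(alphabet_size)


def generate_passphrase(word_count: int = 4, words=WORDS, sep: str = "-") -> str:
    """Generate a passphrase the way a password manager would: a CSPRNG pick per word."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


def check_password(pw: str, breached=BREACHED, min_length: int = MIN_LENGTH) -> list:
    """Return the policy violations for pw (an empty list means accepted).

    Two rules only: a length floor and a deny-list screen. There is
    deliberately no composition rule (symbols, digits, case), per the text.
    """
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")

    lowered = pw.lower()
    # Heuristic (an assumption of this example, not a standard): strip trailing
    # digits and punctuation so that "Summer2025!!!" is caught as a variation
    # of the breached base word "summer".
    base = lowered.rstrip(string.digits + string.punctuation)
    if lowered in breached:
        problems.append("appears in the known-breached list")
    elif base and base != lowered and base in breached:
        problems.append("is a trivial variation of a known-breached password")
    return problems


if __name__ == "__main__":
    print("5-word passphrase from a 7776-word list: %.1f bits"
          % passphrase_entropy_bits(5, 7776))
    print("8-char random scramble over 94 printable ASCII: %.1f bits"
          % scramble_entropy_bits(8, 94))
    for candidate in ("Summer2024!", "Summer2025!!!", "password123456789",
                      generate_passphrase(4)):
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Run it directly to see the verdicts: the two Summer variants fail on length and on the deny list, the 17-character "password123456789" passes the length floor but is still rejected because length alone does not make a breached password safe, and the generated four-word passphrase is accepted. The entropy lines make the length-versus-complexity point concrete: five random words from a 7776-word list carry about 64.6 bits, more than an eight-character scramble over all 94 printable ASCII symbols (about 52.4 bits), and the passphrase is the one a person can remember.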

The two tools that make it realistic

A policy only works if it is livable. Two tools do the heavy lifting:

  • A password manager. Nobody can remember 80 unique long passwords, and they should not try. A password manager generates and stores them, so the only password a person memorizes is the one for the manager itself. Provide one for the whole team.
  • Multi-factor authentication. MFA is the safety net. Even a strong, unique password can be phished or leaked; MFA means a stolen password alone is not enough. CISA recommends MFA on every account that supports it.

Together, these turn good password behavior from a burden into the default.

A simple policy you can adopt

A workable password policy for most small businesses says:

  1. Use a company-provided password manager for all work accounts.
  2. Make every password long and unique; let the manager generate them.
  3. Turn on multi-factor authentication everywhere it is offered.
  4. Change a password only when there is a reason to suspect it is compromised.
  5. Never reuse work passwords on personal accounts, or the reverse.

That is short enough to fit on one page and realistic enough that people will follow it.

The goal

A good password policy is not about making life hard. It is about making the secure choice the easy choice. Give people a password manager and MFA, drop the rules that never worked, and security improves while frustration drops.

If you would like help rolling out a password manager and MFA across your business, Flexnet Networks can set it up and train your team.
