How to create strong password policies

· Category: Cybersecurity

Short answer

Strong password policies require length over complexity, block known breached passwords, and encourage the use of password managers.

Steps

  1. Require minimum length: Enforce at least 12-16 characters. Longer passwords resist brute force far better than short complex ones.

  2. Discourage predictable patterns: Block common passwords, keyboard walks, and dictionary words.

  3. Use breached password detection: Compare new passwords against databases of leaked credentials.

  4. Set reasonable rotation: Only require changes if compromise is suspected. Frequent rotation leads to predictable patterns.

  5. Enable MFA: Passwords should never be the sole factor. Require TOTP, push, or hardware key authentication.

  6. Promote password managers: Encourage users to generate and store unique passwords for every service.

Tips

  • Use passphrases: four or more random words are memorable and secure.
  • Never enforce arbitrary character composition rules that reduce entropy.
  • Implement account lockout or rate limiting to resist online guessing.

Common issues

  • Users writing passwords on sticky notes due to excessive complexity rules.
  • Password reuse across personal and corporate accounts.
  • Legacy systems unable to support long passwords.