Creating a Password Policy Your Employees Will Actually Follow
Every IT department knows the struggle of educating employees about cybersecurity and ensuring they are maintaining best practices. Creating a password policy can help improve your company’s security posture, but when you have many other competing priorities, rolling out the policy effectively often creates hurdles.
That’s why we’ve done some of the legwork for you. As a password management company, we know a thing or two about creating a password policy that makes sense and employees will follow. Use this guide to help you get started.
What is a password policy?
A password policy is a set of best practices and rules related to password use for your business accounts. Companies establish a policy for employees with the ultimate goal of improving cybersecurity.
Typically, the IT department is responsible for creating a password policy, but the success of this tool relies on all your employees. Policy awareness and education are often part of onboarding and regular cybersecurity training. Including conversations about your password policy in your security awareness program is an effective way of keeping best practices top of mind for employees.
Why your organization needs a password policy
A password policy empowers your employees to proactively improve their security habits by following the practices that keep your organization secure.
Your password policy helps you achieve three main objectives:
Establish a culture of security: A strong security culture helps employees understand why cybersecurity is important to your business goals and how their actions, such as poor password hygiene, impact the organization.
Reduce the chances of a breach or hack: Requiring unique, strong passwords removes the two weaknesses attackers rely on most: passwords that can be guessed or cracked, and passwords reused across accounts, where a single leaked credential unlocks everything else it was reused on.
Balance security with employee needs: Building a human-centric culture—which approaches security with empathy and caring for employee needs—is essential to getting employee buy-in for your security practices. A password policy helps achieve this by balancing the need to protect the organization with the need to maximize productivity and convenience for employees.
What to include in your policy
A recent Dashlane survey found that employees whose companies require an enterprise password manager are more likely to describe their organization as secure. If your organization uses Dashlane and wants to create a password policy, here are some suggestions of what to include:
- Dashlane is a secure and convenient enterprise password management solution. Do not use other password managers (sometimes called password keepers), including your web browser's built-in password saving.
- Use Dashlane’s password generator to create unique, strong passwords for all online accounts.
- Keep your Dashlane password health score above 90%.
- Do not reuse personal passwords for business accounts, and do not use the same password for more than one business account. Use Dashlane to identify which passwords you are reusing.
- Share passwords with colleagues only through Dashlane's sharing feature, never by email, chat, or text message.
- Refrain from writing passwords down on paper or saving them in a document on your computer.
- If you receive a dark web monitoring or breach alert, change the password of the impacted accounts as soon as possible. Time matters, and this can mean the difference between staying safe or being hacked. Think about what you would do if you lost your credit card.
- Add 2-factor authentication (2FA) for all critical accounts. Where the account offers a choice, prefer an authenticator app or a hardware security key over codes sent by text message. Dashlane makes it easy for you to find out which of your saved logins offer 2FA.
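The list above reads as a checklist, but the reuse, strength, breach and 2FA items can also be checked mechanically against a vault export. The script below is an added example written for this article, not Dashlane code: the vault records, the breach feed and the scoring formula are all constructed stand-ins (Dashlane's own password health score is computed differently, and the 90% target here is simply the policy number from the list). It groups logins by a hash of the password so reuse is detected without comparing plaintexts directly, checks each hash against the breach feed the same way, flags short or word-plus-digits passwords as weak, and reports which accounts still lack 2FA.

```python
"""Audit a password-vault export against a written password policy.

Added example for the policy items above. All data below is constructed;
the scoring rule is an assumption, not Dashlane's password health formula.
"""
import hashlib
import re
from collections import defaultdict

# Constructed sample vault export (not real credentials): one record per login.
VAULT = [
    {"domain": "mail.example.com", "username": "alice", "password": "Tr0ub4dor&3", "has_2fa": True},
    {"domain": "crm.example.com", "username": "alice", "password": "Tr0ub4dor&3", "has_2fa": False},
    {"domain": "wiki.example.com", "username": "alice", "password": "summer2023", "has_2fa": False},
    {"domain": "bank.example.com", "username": "alice", "password": "gJ7!qPz2#vL9mXb4@Rt0wS", "has_2fa": True},
    {"domain": "hr.example.com", "username": "alice", "password": "xK3$dM8%nQ1^wE5&zA7*bF", "has_2fa": True},
]

# Constructed stand-in for a breach/dark-web feed: SHA-1 digests of leaked passwords.
# Real feeds (and Dashlane's monitoring) are far larger; the hashing is the point.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper() for p in ("summer2023", "password1")
}

MIN_LENGTH = 16       # policy assumption: generator-made passwords are at least this long
TARGET_SCORE = 90.0   # the "above 90%" figure from the policy list above


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, matching the format breach feeds commonly publish."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def is_weak(password: str) -> bool:
    """Too short for a generated password, or a dictionary word plus a few digits."""
    if len(password) < MIN_LENGTH:
        return True
    return re.fullmatch(r"[A-Za-z]+\d{1,4}", password) is not None


def audit(vault, breached=BREACHED_SHA1):
    """Return a per-login list of policy issues plus an overall health score."""
    # Group domains by password digest: any group larger than one is reuse.
    by_hash = defaultdict(list)
    for rec in vault:
        by_hash[sha1_hex(rec["password"])].append(rec["domain"])

    findings = []
    for rec in vault:
        digest = sha1_hex(rec["password"])
        issues = []
        if len(by_hash[digest]) > 1:
            issues.append("reused")
        if digest in breached:
            issues.append("compromised")   # the "breach alert" case: rotate now
        if is_weak(rec["password"]):
            issues.append("weak")
        if not rec["has_2fa"]:
            issues.append("no_2fa")         # separate from password health; policy item
        findings.append({"domain": rec["domain"], "issues": issues})

    # Assumed scoring rule: share of logins with no reuse, compromise or weakness.
    password_issues = {"reused", "compromised", "weak"}
    healthy = sum(1 for f in findings if not password_issues.intersection(f["issues"]))
    score = 100.0 * healthy / len(vault) if vault else 100.0
    return {"score": round(score, 1), "meets_policy": score >= TARGET_SCORE, "findings": findings}


if __name__ == "__main__":
    report = audit(VAULT)
    print(f"health score: {report['score']}%  meets policy: {report['meets_policy']}")
    for f in report["findings"]:
        print(f"  {f['domain']:<18} {', '.join(f['issues']) or 'ok'}")
```

On the constructed vault, three of five logins fail the password checks (two share one short password, one uses a leaked word-plus-year password), so the score is 40% and the vault fails the 90% target; the two accounts without 2FA are listed separately because enabling 2FA is a policy item of its own rather than a property of the password.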
Download our Password Policy Checklist and learn what to include in your policy after your organization implements Dashlane.
What not to include in your policy
- Fear-mongering: Focusing too much on the consequences of a breach will induce fear and stress. Rather, strive to empower employees to take control of their password security by emphasizing how strong passwords protect their accounts and your organization.
- Jargon: The policy should be clear to employees regardless of their level of technological savviness. Not every employee will know what "2FA" or "dark web monitoring" means, for example. To ensure everyone understands the password policy, spell out the acronyms and define terminology when necessary.
- Vagueness: Many employees truly want to improve how they manage their passwords, but they don’t always know how. Make actions and expectations clear by using precise language. For example: “Maintain a password health score above 90%” is better than “Maintain a high password health score.”
How to roll out your password policy
Successful adoption of your password policy relies on factors such as good employee communication and training. Follow these suggested steps:
- Inform employees ahead of time that a password policy will be rolled out at a set date in the near future. Define what a password policy is and communicate that it will help everyone build strong cybersecurity habits. Phrase it as “the company and its employees versus the cybercriminals” rather than “the company versus its employees.”
- Conduct an initial training with managers so they can understand and advocate for the policy, leading by example.
- Conduct a succinct, upbeat training session for everyone else. Record it so all those who cannot attend live can watch it later. Make it required viewing within a set timeframe, and lean on managers to ensure everyone is able to watch it.
- At in-person work locations, place the policy prominently on posters and slides on televisions. Send out a one-pager of the policy to all in-person and remote employees so they have it on hand. Include name and contact information for an employee or team in charge of answering questions.
- After a few weeks, send out an optional quiz to employees about the password policy, with each correct entrant having a chance to be randomly selected to win prizes employees truly value. Some ideas are an extra day of paid time off, a free lunch for their team, or a $100 gift card to a place of their choosing.
- Promote on your website’s About page or social media that your company uses best practices for password management. This demonstrates to existing and prospective customers that you take cybersecurity seriously and maintain a human-first security culture.
Effective enterprise password management starts with an effective password policy. Use your policy as a tool for boosting both your security posture and your human-centric security culture.
Ready to level up your organization's cybersecurity? Our free guide has all the information you need to create (or update) your password policy.