How to Create an Effective Password Policy for Your Organization
The do’s and don’ts of crafting a password policy
Password policies are critical. Here’s how you can make the most of your new or existing policy.
As an IT professional, you have a lot to manage. There’s your tech stack, your processes, maybe some direct reports or a help desk system—and that barely scratches the surface.
A good password policy—one that employees can understand and live each day, not just sign off on once a year—can help educate employees and take a fair bit of the burden off your shoulders.
We’ve put together this resource with all the information you need to create (or update) your password policy and drive home its importance to everyone in your organization.
With the workforce expanding to new and remote locations, organizational cybersecurity has more ground to cover. As a result of remote work, organizations we surveyed made 3 main changes:
increased password manager usage
increased cybersecurity training
rolled out new policies
Source: Dashlane, “The Future of Secure Work for People + Organizations,” 2022
Why your organization needs a password policy
“Why does a password policy matter?” Even if you haven’t gotten this question directly, you’ve probably heard it implied. It can be easy for employees to brush off cybersecurity, thinking that hacks and breaches are the IT team’s problem and could never happen to them. But the more you involve your employees, the more likely they are to take personal responsibility. Here’s how a good password policy makes that possible.
It establishes a culture of security.
A strong security culture helps employees understand why cybersecurity is important and how their actions, such as poor password hygiene or failure to identify phishing red flags, impact the organization.
It reduces the chances of a breach or hack.
61% of data breaches involve compromised credentials. By incorporating best practices like strong password enforcement into your policy, you’re greatly improving your organization’s ability to defend against cyberattackers.
It balances security with employee needs.
Approaching security with care and empathy is essential to getting employee buy-in for your security practices. A good password policy partnered with an easy-to-use password management tool such as Dashlane balances organizational protection with employee convenience.
“Current and potential enterprise customers were asking for very detailed security…Our password policies needed to be stronger to meet their expectations.”
Steven Stanley, Senior VP of Technology, ePromos
Read how ePromos personalized their password security.
Creating your password policy
What to include (with example language)
Show employees what to do by telling them to:
Use [Solution Name, e.g. Dashlane] for password management.
Securely and conveniently share passwords with colleagues by using [Solution Name, e.g. Dashlane].
Use a password generator to create unique, strong passwords for all online accounts.
Whenever possible, enable 2-factor authentication (2FA) for all critical accounts. 2FA adds a second layer of security by requiring a second proof of identity in addition to the password, such as a one-time code from an authenticator app or a hardware security key, so a stolen password alone is not enough to log in.
(If your password manager of choice includes password health tracking) Maintain a password health score above 90%.
Educate employees on what to avoid:
Don’t reuse personal passwords for business purposes or the same password for multiple business accounts.
Refrain from writing passwords down on paper or saving them in a document on your computer.
Avoid using alternative password managers, including saving passwords in your internet browser.
Don’t use email or messaging apps to share passwords.
Don’t include dictionary words or personal information (your name, birthday, family or pet names, employer name) in your passwords, even with letters swapped for look-alike digits or symbols.
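The two rules above that can be checked by software, generate passwords rather than invent them and reject dictionary words, personal information and reuse, are shown below in a worked example. This is added code, not Dashlane's product or the policy template's own material; the 16-character minimum, the word list, the personal-information tokens and the previous-password fingerprints are all assumptions constructed for the demo.

```python
"""Password generator and policy checker, added as a worked example
(not Dashlane's code). The word list, personal-information tokens and
previous-password fingerprints are constructed sample data."""
import hashlib
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 16  # assumed policy minimum; the policy text sets no number

# Constructed sample data (assumptions for the example, not real data).
# A deployment would load a large dictionary / breached-password list and
# the user's own HR details (name, birth year, family and pet names).
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein", "company"}
SAMPLE_PERSONAL_INFO = ["Alice", "Smith", "1987", "Rex"]

# Undo the most common "leetspeak" substitutions so P@ssw0rd matches password.
LEET_MAP = str.maketrans("0134578@$!", "oleastbasi")


def generate_password(length: int = 20) -> str:
    """Draw a password from the OS CSPRNG (secrets) containing at least one
    lowercase letter, uppercase letter, digit and symbol. Rejection sampling
    (retry until every class appears) keeps the result uniformly random."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


def _normalize(text: str) -> str:
    """Lowercase and reverse leetspeak so substring checks are not fooled."""
    return text.lower().translate(LEET_MAP)


def password_fingerprint(pw: str) -> str:
    """Fingerprint used only to detect reuse of a previous password.
    A production store should keep salted, slow hashes (argon2/bcrypt);
    plain SHA-256 is used here to keep the example dependency-free."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def check_password(pw: str, personal_info=SAMPLE_PERSONAL_INFO,
                   dictionary=SAMPLE_DICTIONARY, previous_fingerprints=()) -> list:
    """Return the policy rules a password violates (empty list means it passes)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    norm = _normalize(pw)
    for word in sorted(dictionary):          # sorted for deterministic output
        if len(word) >= 4 and word in norm:
            problems.append(f"contains dictionary word '{word}'")
    for token in personal_info:
        if len(token) >= 3 and _normalize(token) in norm:
            problems.append(f"contains personal information '{token}'")
    if password_fingerprint(pw) in previous_fingerprints:
        problems.append("reuses a previous password")
    return problems


if __name__ == "__main__":
    weak = "P@ssw0rd1987!!!!!!"
    print(weak, "->", check_password(weak))
    strong = generate_password()
    print(strong, "->", check_password(strong) or "passes policy")
```

Note that because this policy forbids dictionary words outright, the checker will also reject a randomly chosen multi-word passphrase; if your organization allows generated passphrases, relax the dictionary rule for them rather than let employees invent their own.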
What not to include
Fear-mongering: Focusing too much on the consequences of a breach will induce fear and stress. Strive to empower employees to take control of their password security by emphasizing how strong passwords protect their accounts and your organization.
Jargon: The policy should be clear to employees, regardless of their level of technological savviness. Not every employee will know what “2FA” means, for example. To ensure everyone understands the password policy, spell out acronyms and define terminology.
Vagueness: Many employees want to improve how they manage their passwords, but they don’t always know how. Make actions and expectations clear by using precise language. For example: “Maintain a Password Health score above 90%” is better than “Maintain a high Password Health score.”
Most common passwords
Check out our Password Generator tool and show your employees what a strong password should look like.
Password policy pro tips
You’ve got your policy drafted and ready to launch. But how do you set yourself up for adoption success?
Inform your employees.
Define the password policy, explain how it will help improve cybersecurity and position it as “the company and its employees versus the cybercriminals” rather than “the company versus its employees.”
Conduct initial training with managers.
Make sure all managers are informed and educated, so they can advocate for the policy and lead by example.
Conduct a brief, upbeat training session for everyone else.
New policies can be overwhelming, so it’s important to keep it high-level and clarify what you’re asking of employees. This training should be required, and it should also be recorded for those who can’t attend live.
Ensure employees feel comfortable reporting an incident.
Use considerate, empathetic language to ensure employees feel safe coming forward—the last thing you want is for someone to feel too embarrassed or afraid to report an incident.
At in-person work locations, place the policy prominently on posters and screens.
Put up posters and send out a one-pager to all in-person and remote employees, and include the name and contact information of the employee or team in charge of answering questions.
After a few weeks, send out an optional quiz about the password policy.
Create a quiz highlighting your policy and offer an enticing reward, such as a gift card or PTO day for one lucky winner.
“It’s important to us that we build security consciousness into our organizational culture. Dashlane solves a big security problem by providing a tool to make good password policies actually practical to follow.”
Eric Hyyppa, President, NETA
Read about how NETA gained total password protection and peace of mind.
A password policy can feel like one more thing on your to-do list, but the protection it provides is well worth it. As the average cost of a data breach is $4.35 million and climbing, a little extra work now can save a lot of money (and headaches) in the long run.
Cybersecurity tools don’t work in a vacuum. Since your workforce can be your biggest asset or biggest liability, it’s important to focus on a human-centric security culture and choose tools to perpetuate that culture. With an award-winning UX that employees love to use, Dashlane is more than just a password management tool: It’s the key to making your employees your cybersecurity allies.