Create a password policy for your business
Creating strong passwords for network accounts is an effective way to protect your business and keep it safe from attack.
Why it matters
If you manage staff in your business, at some point they’ll need access to your network. You’ll need to put measures in place to keep their access secure. Strong passwords are a good place to start.
If you want to make sure your staff create strong, unique passwords for their accounts, you need to give them the tools to do so. This could mean updating your password policy.
Creating a password policy
Take some time to go over the steps below to understand your business's needs from a password policy. Once you've done this, we've made it easy to create a policy with an editable template.
Download this basic password policy template and fill in the blanks for your organisation or business. Once you’ve done this, share the policy with any users accessing your network systems and store it somewhere safe.
How to protect your business
Educate your staff about creating good passwords
The first thing you need to do is make sure your staff understand what a good password is, and why it’s important. As a rule, passwords should:
- be unique – used for one account only, not reused across many accounts
- be long and strong – a passphrase made up of four or more words is stronger than a password made up of letters, numbers and symbols (and it's easier to remember). A passphrase is a string of random words (sometimes including numbers and punctuation) put together to create a memorable password.
- not be based on personal information – for example, don’t use your pet’s name as your password, as personal information like that is often easy to find online
- be kept safe – encourage your staff to use a password manager to store their passwords in.
We’ve put some guidance together on creating good passwords that you can share with your staff.
Strong and unique instead of changing regularly
Asking staff to change their password regularly is counterproductive to good password security. People choose weaker passwords when they know they have to change them often. For example, they might simply change their password from Password1 to Password2. Instead, ask them to create one long, strong and unique password for their account.
If your system currently prompts staff to change their password on a regular basis, change the setting.
Staff should only have to change their password if you suspect their account, or the business network, might be compromised in some way.
Ask for longer passphrases
A passphrase of four or more words is stronger than a mix of characters, symbols and numbers, and it’s easier to remember. For example, i like eating breakfast.
Some password systems set rules asking staff to include a mix of symbols, letters and numbers. The problem with these rules is that people tend to use predictable methods to meet these requirements. It often means they will tag a ? or ! to the end of their password so that it includes a symbol. This creates passwords that are hard to remember. Instead, ask your staff to use longer passwords or passphrases.
Encourage staff to use two-factor authentication
Using two-factor authentication (2FA) adds an extra layer of security to accounts. 2FA is a security setting that needs an extra piece of information, such as a text code or fingerprint, to log in to your account. It is more secure than asking security questions to authenticate users in a system. This is because security questions often relate to personal information that is freely available online and easy for attackers to find, particularly on social media.
Using 2FA instead means that anyone who logs in to your system will need to provide something else to verify that they are who they say they are – for example, a one-time code sent to their phone.
Set up protection against vulnerable passwords
Simple passwords such as Password! or Welcome1 are easy for attackers to guess. Attackers often use databases of common passwords when they’re trying to gain access to accounts.
If you manage your own network (a group of connected devices), set up your system so it won't accept common passwords. You can configure your system to only accept long, strong passwords instead.
If you manage your network on a cloud service (services, software, or data that are online, rather than running on your device or stored on physical hard drives), you might not be able to set the rules around password use. However, you can encourage staff to use good passwords and teach them why it's important. Circulate a list of common passwords that staff should avoid using.
Some staff may worry about remembering their passwords, so encourage them to use a password manager. A password manager is an app that stores and protects your passwords. The only login they’ll need to remember is for the password manager itself.
One aspect of password management that can be easily overlooked involves default credentials – the passwords that come with the box when you buy a new device or install new software. These default login details are published online, so they make easy targets for attackers.
Get help
If you need help configuring your system to meet these requirements, talk to your IT service provider. They’ll be able to make the necessary changes for you.