Why Your Business Desperately Needs a Password Policy

by Robert Best on January 31, 2020


When was the last time you changed your password? Do you use the same password for multiple accounts? These are some of the signs that your business has a password problem.

In this article, we are going to show you the danger weak passwords can cause and why your business really does need a password policy in place.

Why do you need a password policy?

Your business needs a documented password policy to prevent passwords from being guessed or cracked. It is as simple as that, but it's something that companies rarely do.

The continued rise in cybercrime makes every part of your cybersecurity strategy more important, and the passwords used within your business are part of that. Without a password policy you will be left with weak passwords, reused across multiple accounts throughout your business.

In 2019 1.16 billion email address and password combinations were exposed by one single breach. If you use the same password for multiple accounts, it only takes one breach: criminals feed leaked combinations into automated tools that try them against other services (known as credential stuffing), so one exposed password gives them access to every account that shares it.

These commonly used or weak passwords are often the only thing protecting the applications you use across your business: they grant access to your database, your financial information and even your sensitive data.

If a hacker were to crack or guess the password for an account in your business, even one deemed unimportant, they will quickly realise that your company's password policy is not good enough. They would then likely move on to cracking the passwords of other, more important, accounts.

What should be in your password policy?

Now you know why your business needs a password policy, what should you put in it? The full details will vary depending on the level of access staff have in your business and the type of applications they use.

With that said, we do recommend that you include or consider the following areas:

Change default passwords

Cybercriminals have no trouble obtaining the default passwords that ship with your new router or other hardware: they are printed in the manual, collected in public lists, and tried automatically by internet-wide scanners. When installing any hardware, make changing the default password the first thing you do.

The same goes for when you set up an online account. You often will get sent a default password to start with. Even if that password looks like a strong, unique password you should change it (just not to a weak, obvious password!).

Make use of microsegmentation

If you cannot change every default password (because you are managing thousands of different devices), then at least microsegment the network so those devices sit on their own segment with no route to your servers or user workstations. This matters most for IoT devices, which often cannot be patched and are routinely scanned for default credentials.

Use automatic password purges

How can you make sure your staff are changing their passwords regularly? An automatic purging program forces users to reset their passwords after a period you set, with every quarter being a common choice to avoid staff forgetting to reset them. One caveat: current guidance from NIST (SP 800-63B) and the UK NCSC advises against routine expiry on its own, because it pushes people towards predictable variations of their old password. If you do enforce expiry, pair it with a check that new passwords do not appear in known breach lists, and force an immediate reset whenever a compromise is suspected.

Device audit

Run regular audits of your network and the devices connected to it. That way you have an up-to-date record of which employees and which devices have access to your network, which helps you keep track of the users and devices your password policy needs to cover.
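As an added example (not code from the original article), the following Python script performs the kind of audit described above offline: it parses constructed Linux/macOS-style `arp -a` output, compares the MAC addresses seen on the wire with a constructed inventory CSV, and reports devices that are on the network but not in the inventory, inventory devices that were not seen, and inventory entries whose last password change is older than the policy allows. The inventory columns, the 90-day limit and the addresses are all assumptions for the example.

```python
import csv
import io
import re
from datetime import date

# Constructed inventory: the devices and owners the policy is supposed to cover.
INVENTORY_CSV = """mac,owner,device,last_password_change
aa:bb:cc:00:00:01,alice,laptop,2019-11-04
aa:bb:cc:00:00:02,bob,laptop,2019-07-19
aa:bb:cc:00:00:03,,reception-printer,2018-02-01
"""

# Constructed `arp -a` output (Linux/macOS format) as if captured on the gateway.
# One MAC is uppercase to show normalisation; the last line has no resolved
# MAC and must be ignored.
ARP_OUTPUT = """? (192.168.1.10) at aa:bb:cc:00:00:01 [ether] on eth0
? (192.168.1.11) at aa:bb:cc:00:00:02 [ether] on eth0
? (192.168.1.50) at AA:BB:CC:00:00:99 [ether] on eth0
? (192.168.1.1) at <incomplete> on eth0
"""

# Accepts colon- or dash-separated MACs so exported lists from other tools match too.
ARP_RE = re.compile(
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\)\s+at\s+(?P<mac>[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5})",
    re.IGNORECASE,
)


def normalise_mac(mac):
    """Lowercase, colon-separated form so inventory and ARP entries compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp(text):
    """Map each MAC address seen on the network to its IP address."""
    return {normalise_mac(m.group("mac")): m.group("ip") for m in ARP_RE.finditer(text)}


def load_inventory(csv_text):
    """Map each inventoried MAC address to its CSV row."""
    return {normalise_mac(row["mac"]): row for row in csv.DictReader(io.StringIO(csv_text))}


def audit(arp_text, inventory_csv, today, max_age_days=90):
    """Compare what is on the wire with what the inventory says should be there.

    today is an ISO date string (e.g. "2020-01-31"); max_age_days is the
    assumed policy limit on the age of a device's last password change.
    """
    seen = parse_arp(arp_text)
    inventory = load_inventory(inventory_csv)
    today_d = date.fromisoformat(today)
    unknown = sorted(mac for mac in seen if mac not in inventory)
    absent = sorted(mac for mac in inventory if mac not in seen)
    stale = sorted(
        mac for mac, row in inventory.items()
        if (today_d - date.fromisoformat(row["last_password_change"])).days > max_age_days
    )
    return {"unknown": unknown, "absent": absent, "stale_password": stale}


if __name__ == "__main__":
    for key, macs in audit(ARP_OUTPUT, INVENTORY_CSV, "2020-01-31").items():
        print(key, macs)
```

Unknown MACs are the ones to chase first: a device nobody owns has nobody enforcing the policy on it. Absent devices are worth a follow-up too, since a laptop that has not been seen for weeks may have been lost with its credentials.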

Don't write passwords down


This might seem obvious, but we still find businesses where passwords are written on a post-it and stuck to a monitor. The same goes for saving them in an Excel spreadsheet or a plain text file.

What other ways can I protect my password?

Password manager

If you have trouble remembering lots of different or complex passwords, you should consider using a password manager. With a password manager you only need to remember the master password that unlocks the manager; the rest of your passwords are stored encrypted inside it. Password managers can also generate long, unique passwords for you, which removes the temptation to reuse one.

Multi-factor authentication (MFA)

MFA works as a safeguard against your password being guessed, cracked or stolen. With MFA, once you enter your password you are required to present a second factor, such as a code from an authenticator app or a hardware security key, before you can access the account. You can find more information on multi-factor authentication here.

What makes a strong password

There are lots of places you can find advice on setting strong passwords; a good example can be found here at Webroot. The latest advice we have received is to use four unrelated words, for example: table scooter eagle ferry. Then replace the instances of a vowel with a number, e for 3 for example, and add some symbols between the words. Your password would look like this: tabl3$scoot3r£3agl3*f3rry^. Two caveats: the strength comes from the length and the random choice of the words, not from the substitutions, which password-cracking tools try automatically; and never use a published example such as this one, since it will already be in every cracker's word list.
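To make the advice above concrete, here is an added Python example (not code from the original article or from Webroot) that generates a four-word passphrase with a cryptographic random source, compares the entropy of adding a word against the entropy of vowel substitutions, and checks a candidate password against a breach list using the k-anonymity scheme of the Pwned Passwords range API. The word list, the 15-character minimum and the range response are constructed for the example; the one listed hash is the real SHA-1 of the word "password", but its breach count is made up, and nothing here contacts the real service.

```python
import hashlib
import math
import secrets

# Constructed word list for the example. A real policy would draw from a large
# list such as the EFF long list (7,776 words), where each word adds ~12.9 bits.
WORDS = ["table", "scooter", "eagle", "ferry", "lantern", "orbit",
         "cactus", "meadow", "pixel", "harbour", "violin", "tundra"]

# Constructed stand-in for the Pwned Passwords "range" API: keyed by the first
# five hex chars of an uppercase SHA-1, each value lists SUFFIX:COUNT lines.
# The first suffix is the real SHA-1 of "password"; the counts are made up.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
             "0A1B2C3D4E5F60718293A4B5C6D7E8F90A1:2\n",
}

MIN_LENGTH = 15  # assumed policy minimum for the example


def generate_passphrase(n_words=4, wordlist=WORDS, sep=" "):
    """Pick words with a CSPRNG (secrets), never with random.choice."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(wordlist_size, n_words):
    """Guessing entropy of n_words drawn uniformly from a list of that size."""
    return n_words * math.log2(wordlist_size)


def leet_substitution_bits(password, substitutable="aeio"):
    """Upper bound on what vowel-to-digit swaps add: one bit per swappable
    character if each swap were an independent coin flip. Cracking rule sets
    try these variants automatically, so the real gain is smaller still."""
    return float(sum(1 for c in password if c in substitutable))


def hibp_range_check(password, responses=SAMPLE_RANGE_RESPONSES):
    """k-anonymity lookup: only the 5-char hash prefix would leave the machine;
    the suffix is matched locally. Returns the breach count, or 0 if unlisted."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in responses.get(prefix, "").splitlines():
        known_suffix, _, count = line.strip().partition(":")
        if known_suffix == suffix:
            return int(count)
    return 0


def check_policy(password, responses=SAMPLE_RANGE_RESPONSES):
    """Return the list of policy violations (an empty list means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    seen = hibp_range_check(password, responses)
    if seen:
        problems.append("appears in %d known breaches" % seen)
    return problems


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase())
    print("4 words from 7,776: %.1f bits" % entropy_bits(7776, 4))
    print("5 words from 7,776: %.1f bits" % entropy_bits(7776, 5))
    print("vowel swaps on the article's example add at most %.0f bits"
          % leet_substitution_bits("table scooter eagle ferry"))
    print("'password' ->", check_policy("password"))
```

The numbers are the point: a fifth word from a 7,776-word list adds about 12.9 bits, while all nine vowel substitutions in the article's example add at most 9 bits on paper and far less in practice. Rejecting passwords that appear in breach lists closes the gap that reuse opens, and the prefix-only lookup means the check can be run without ever sending the password itself anywhere.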


You will hear a lot about cybersecurity this year because the threat of cyberattack is only rising. You might not hear as much about passwords, but they play a massive part in your cybersecurity.

For help setting a password policy, using a password manager or setting up multi-factor authentication for your business, talk to us today. Contact us here, email hello@infotech.co.uk or call us on 01634 52 52 52.
