Skip to content
password login screen

Password Policy Guidelines For Small Business

A password is a personal identifier and a key. A single password can unlock access to your network and your company data. Every password should be created and managed with that in mind. This article offers up to date password research and password policy guidelines for small business owners to action to improve data security.

Password hacking is one way that cybercriminals gain unauthorized access to your accounts. A well-developed password policy for your organization can help you combat this issue.
Good IT Security has multiple layers. Where one fails, another succeeds at stopping a breach. Your password policy is one layer. These tips will help you develop your SMB password policy.

Password Security Research

Password research was updated in late 2017.  This short guide will help you implement password policy best practices and better secure your network.

This guide is intended to be a starting point, not a total network security solution.

Apply these guidelines and also speak with your IT provider about network security improvements.

Share this information with your team. Your human layer of defense is only as strong as your weakest link.

What Makes A Secure Password

You will learn 8 password guidelines to apply to uphold a strong password policy.

Numbers & Symbols

Numbers:  Until recently, it was thought that the use of a mixture of alphabetical and numeric characters strengthened passwords and made it more difficult for low level hackers to succeed in guessing or cracking passwords.

E.g. ‘123unlockme’ or ‘monkey56’

Symbols:  It was also thought that the addition of symbols further strengthened passwords.

E.g. Instead of ‘apples’ a user would use ‘@pples’.

New Data: Adding numbers is only effective if the password is strong overall. The above examples are commonly guessed passwords.

The substitution of alphabetic characters with symbols is no longer advised. Hackers try common symbol for character substitutions when attempting to hack an account, such as ! in place of 1 or @ in place of a.

PRO TIP: If you add numbers or symbols, do so in addition to regular characters, not as substitutions.


Upper & Lower Case Characters

Until recently, it was thought that you could add another layer of complexity to passwords by using both upper and lower case characters, and that this extra variable would increase the number of character combinations attempts needed to match a password.

However users chose simple swaps such as “Password1” to satisfy the password requirement of one upper case character and one number, and these were easily guessed by hackers.

PRO TIP: If you continue to use upper case characters, use them in addition to an already strong password, and in unexpected places.

e.g. ‘teal hEadphoNes 47’ is a good example of a password using upper case characters and numbers in unexpected places.


Make Passwords Random

Random strings of words make secure passwords because they are difficult to guess and won’t match commonly used pattern guessing algorithms used by cybercriminals to crack passwords.

Personal information in passwords is easier to uncover by those skilled in social engineering.

When spaces are also allowed, you can create absurd phrases as passwords that are truly random and more secure.

Try using 4 + words to give you the added advantage of password length, covered in another section.  Here are some examples of random phrases.

E.g. ‘headsetsunshinefuelinjectorbass’ or ‘I mend and paint fences in space’


Do Not Use Banned Words In Passwords

Every year a list of the most commonly cracked passwords is released.  They are starting points for hackers attempting to crack passwords and give them a great advantage in succeeding.

Your user passwords should not contain these words.

Here is a partial list published in 2017.

image of text - list of banned words for secure passwords

PRO TIP: Advise your team not to use any of these words in their passwords. Check online updated lists annually.


Password Length

Setting minimum password lengths helps users to create strong passwords while also making it more difficult for a malicious user to guess or brute force their way into your network.

Previously, 8 character passwords were recommended, however research has shown that 10 + character passwords are significantly harder to crack.

Average Time To Crack A Password In A Brute Force Attack

  • 5 minutes to calculate all 6 ascii character combinations
  • 2 hours to calculate all 7 ascii character combinations
  • 1 days to calculate all 8 ascii character combinations
  • 57 days to calculate all 9 ascii character combinations
  • 4 years to calculate all 10 ascii character combinations

PRO TIP: Use 12+ character passwords.


Do Not Reuse Passwords

Never use the same password for any two accounts.

If one account is hacked, the information found within can be mined and used to hack into more valuable accounts. This is a common hacking tactic.

You make it easier for cyber criminals when you re-use passwords. It’s like giving them a master key to multiple accounts.

E.G. Mary uses her home computer password as her work computer password as well. Mary visits lots of entertainment sites on the weekend, some of which inject drive by malware on to Mary’s computer. 

Mary’s personal email address is compromised. From there, hackers discern Mary’s place of employment. They target that network.

Because Mary reused a password, they get in fairly easily, and now your business network is compromised. Sensitive data can be stolen and sold. Ransomware can be injected. Intellectual property can be compromised.

If an account is compromised, immediately change your password on that account and all other important accounts as well. Train employees to do the same.

PRO TIP:  Ensure you have an Acceptable Use Policy in place, and that it states all work passwords must be unique.


Password Age

Until recently, it was thought that password age had a significant bearing on password security. Most Network Administrators set passwords to expire every ninety (90) days.

The reason for this practice was to thwart password cracking software running unnoticed on a network for weeks or months. By changing passwords every 90 days, one could circumvent such breach efforts.

However, new research shows that if password length and strength is sufficient, it can take 10 years or more to crack a password.

Less frequent changes of long and secure passwords lessens the burden of having to remember new lengthy secure passwords every 90 days, and may help increase security compliance from users. The caveat is that every user on your team must follow secure password protocols.

A network administrator can set strong password requirements. If there is no network administrator, or your team is slow to adapt necessary changes, you may want to continue to change passwords every 90 days.


2 Factor Authentication (2FA)

Two Factor Authentication (2FA) is a random pin number generator installed on a user’s mobile phone that will authenticate them against their email or other accounts.

2FA can help prevent impersonators or unauthorized users from accessing company mailbox or other data in the cloud.

2FA works by generating a PIN or token that changes every 60 seconds.

To log in to applications with 2FA enabled, a user will need both the password and the current PIN. This combined layer of account security helps protect your business from account hacking. With two-step authentication, even if a hacker steals your password they cannot gain entry without the second code, reducing the risk of account breach.

The info in your company email and accounts is valuable. Deals, financial records, account numbers, client contact information. The loss potential is enormous.

2FA helps reduce risk of account hacking and data loss.

2FA is free to setup and use with mobile apps. Simply install Microsoft or Google authenticator from app store and then follow the guide. Token generating keys such as a Yubikey can be purchased instead of using a mobile phone. This option may be desirable for administrative accounts in the workplace.

PRO TIP: Implement 2 factor authentication for all programs that support this powerful security feature. It’s free to setup and use.


Putting It All Together

  • Make time to review your password policy at your next team meeting.
  • Implement a new password policy based on this guide.
  • Use this tool to check your password strength: http://www.passwordmeter.com/
  • Create a recurring appointment to review password policies and cyber security each quarter.  Research shows that repeat user awareness training helps to reduce risk.
  • Schedule a network audit to review your network security gaps and plan to close them. IT Security Audits are recommended every 3 years.

Cyber criminals are counting on you to be lax with your security. Don’t be.

Download This Password Policy Guideline As A PDF To Review With Your Team


Network Security in Toronto

TUCU is a top rated IT Support Company for SMBS in Toronto. Services include network design, setup, security and support. We offer network security audits, remediation and ongoing monthly network management services. Schedule your free phone consultation to learn about your options.

Scroll To Top