
Administrators are responsible for establishing and enforcing the password policies that protect an organization’s systems, data, and users. A weak or inconsistent password policy can expose the entire organization to credential-based attacks, data breaches, and compliance violations. The following guidelines are designed to help build and maintain a strong, organization-wide password policy.

Enforce Strong Password Requirements

One of the most important things an admin can do is enforce strong password requirements at the system or directory level. The policy should set a minimum length for all user-created passwords and block commonly used, weak, or compromised passwords. Longer passwords are generally much harder to crack through brute-force attacks, making length one of the most effective password protections.

Complexity requirements, such as requiring a mix of uppercase letters, numbers, and symbols, are no longer seen as being enough on their own. They often cause users to create predictable passwords that are difficult for them to remember, but not significantly harder for hackers to guess.

A useful reference is the Hive Systems password cracking time chart, which illustrates the tradeoff between password length and complexity. Use it when setting your minimum character requirements. The National Institute of Standards and Technology (NIST) SP 800-63B specification states that 8 characters is the minimum recommended length for a password. Many organizations now require longer passwords of 14 or more characters, especially for privileged accounts.

When possible, enforce these requirements directly in your identity provider, Active Directory, or SSO platform so that weak passwords are rejected at creation time. Passphrases, which are sequences of random words, can also be encouraged as an alternative to short complex passwords. Their length makes them harder for attackers to crack while keeping them easier for the owner to remember.

It should be noted that hardware speed increases over time. What is considered a sufficiently complex password today may be crackable within a few years. Therefore, the minimum complexity standards should be reviewed and updated periodically.
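As an added illustration (not code from the original post), the following Python shows the creation-time checks described above: a privilege-dependent minimum length using the 8 and 14 character figures from the text, a common-password blocklist, and a lookup against a breached-password corpus using the k-anonymity scheme of the Pwned Passwords range API, where only the first five hex digits of the SHA-1 hash leave the client. The range response and the blocklist are constructed sample data; `lookup_range` stands in for the real HTTP call.

```python
import hashlib
from typing import Callable, List

# Constructed stand-in for a Pwned Passwords range response (SUFFIX:COUNT per
# line). The first entry is SHA-1("password") split after five hex digits; the
# counts and the second entry are made-up sample data.
SAMPLE_RANGE = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "003D68EB55068C33ACE09247EE4C639306B:2\n",
}

# Constructed blocklist; a real deployment would load a much larger list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def lookup_range(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    return SAMPLE_RANGE.get(prefix, "")


def breach_count(password: str,
                 fetch: Callable[[str], str] = lookup_range) -> int:
    """Return how often the password appears in the breach corpus (0 = never).

    Only the 5-character hash prefix is sent; the suffix match happens locally.
    """
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = sha1[:5], sha1[5:]
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count)
    return 0


def evaluate_password(password: str, privileged: bool = False,
                      fetch: Callable[[str], str] = lookup_range) -> List[str]:
    """Return the list of policy failures; an empty list means accepted."""
    min_len = 14 if privileged else 8   # figures taken from the post
    failures = []
    if len(password) < min_len:
        failures.append(f"shorter than {min_len} characters")
    if password.lower() in COMMON_PASSWORDS:
        failures.append("on the common-password blocklist")
    seen = breach_count(password, fetch)
    if seen:
        failures.append(f"seen {seen} times in known breaches")
    return failures


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3", "correct horse battery staple"):
        print(pw, "->", evaluate_password(pw, privileged=True) or "accepted")
```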

Rethink Mandatory Periodic Password Resets

For years, many organizations have enforced policies that require password changes every 60 or 90 days. However, both Microsoft and NIST now recommend against scheduled password rotation policies. These mandates often cause users to make small, predictable changes, such as incrementing a number at the end of their password, which does not meaningfully improve security.

A better approach is to require password changes when there is actual evidence of risk, such as a phishing incident, suspicious sign-in activity, or a confirmed credential exposure. Configure your systems to trigger forced password resets automatically based on detected threats rather than a fixed calendar schedule. Also, real-time breach monitoring should be configured to act on credential exposures when they happen.

For highly privileged accounts, such as domain admins, root accounts, or sensitive service accounts, periodic rotation may still make sense in some environments. However, this security benefit should be weighed against the administrative overhead and the risk of encouraging weak password patterns.

Establish Policies Around Password Storage and Sharing

Users should never store passwords in plaintext, such as in shared documents, spreadsheets, or emails. Educate your users on this risk and, more importantly, provide them with a preferred alternative.

That usually means providing an approved password manager. A password manager gives users an encrypted place to store credentials instead of scattering them across inboxes, desktop files, or sticky notes. If credentials need to be shared, use the password manager’s shared vault features rather than sending passwords over email or chat.

Additionally, establish a policy for what happens when an employee with access to shared credentials leaves the organization. Shared passwords should be rotated immediately upon offboarding.

Control and Audit Credential Access

Policies should define clearly who can access credentials for each system, where those credentials may be stored, and who is authorized to retrieve them. Access should follow least-privilege principles: if someone does not need a credential to do their job, they should not have access to it. The individuals or roles authorized to access credentials for each system should be documented and reviewed regularly, especially when employees change roles or leave the organization.

Shared credentials, such as those used for shared accounts, should be minimized wherever possible. When they are necessary, they should be stored in a shared vault within an enterprise password manager rather than distributed informally. Vault access should be restricted so that only designated individuals can retrieve the credential. Where supported by your tooling, retrieval and access events should be logged so there is a clear record of who accessed a credential and when.

Prohibit Password Reuse

Credential stuffing attacks, in which attackers take username/password pairs leaked from one breach and try them across other services, are among the most common attacks that organizations face. Your policy should explicitly prohibit users from reusing passwords across different systems. Where possible, enforce password history requirements through your directory or identity platform so users cannot cycle through the same passwords repeatedly.

Deploying an approved password manager for your organization reduces the likelihood of users reusing the same passwords, since they no longer need to remember unique credentials for every system.

Mandate the Use of an Enterprise Password Manager

Tools like LastPass and 1Password have enterprise versions designed for organizational deployment. These provide centralized admin control, audit logging, user provisioning and deprovisioning, and shared vault management. Evaluate options based on your organization’s size, compliance requirements, and existing SSO infrastructure.

An enterprise password manager reduces the reliance on weak or reused passwords by generating and auto-filling strong, unique credentials for every system. It also gives admins visibility into password hygiene across the organization, identifying users with weak or reused passwords and prompting remediation.

Ensure the master password or SSO integration protecting the password manager is itself secured with strong authentication. The password manager is a high-value target. If compromised, an attacker would gain access to all stored credentials for that user.

Require MFA Across the Organization

Multi-Factor Authentication (MFA) is one of the most effective controls an organization can implement. Even if a user’s password is compromised, MFA prevents the attacker from accessing the account without also entering the second factor.

The three factor categories are:

  • Something you know: a password, PIN, or security question answer.
  • Something you have: a hardware token, ID badge with embedded chip, mobile device, or USB security key.
  • Something you are: a biometric factor such as a fingerprint scan, facial recognition, or iris scan.

MFA should be enforced at the identity provider or directory level so it cannot be bypassed or opted out of.

SMS-based MFA should be avoided wherever stronger alternatives exist. SMS codes are vulnerable to SIM-swapping attacks, phishing, and interception. Microsoft now recommends stronger authentication methods than SMS within its Entra ID platform. When using a system that still allows SMS as an MFA option, begin a migration to more secure methods and communicate clear timelines to users for making the switch. Authenticator apps, such as Microsoft Authenticator, or hardware security keys are generally preferred over SMS-based codes. For privileged accounts, enforce phishing-resistant MFA methods such as FIDO2 hardware keys.

Document and communicate to users what to do if they lose their MFA device and ensure recovery procedures exist without creating a bypass that undermines the control. Distribute and securely store recovery codes for critical accounts.

Build a Passkey Adoption Strategy

Passkeys represent the next generation of authentication and offer significant security advantages over traditional passwords. Based on public key cryptography and the FIDO Alliance standards, passkeys eliminate the risk of phishing, credential stuffing, and password reuse because there is no shared secret to steal. According to FIDO Alliance data, 5 billion passkeys are now in active use, and major platforms including Google, Apple, Microsoft, and Amazon have all rolled out support.

As an administrator, begin evaluating which systems in your environment support passkey authentication and create a roadmap for adoption. For SaaS applications and internal tools that support FIDO2/WebAuthn, enabling passkeys for your user base can meaningfully reduce your organization’s attack surface. Many enterprise password managers now support passkey storage alongside traditional passwords, simplifying rollout.

Ensure passkeys are synced through a cloud platform, such as a company Apple, Google, or Microsoft account, so that users do not lose access if they replace a device.

Monitor for Compromised Credentials

Reactive detection of compromised credentials is a necessary component of any password policy. Tools such as Google’s Password Checkup, Mozilla Monitor, and Have I Been Pwned can identify whether credentials associated with your organization’s domains have appeared in known data breaches. Have I Been Pwned also offers a domain-level monitoring service specifically designed for organizational use.

Integrate breach monitoring into your security operations workflow so that compromised credentials trigger immediate forced password resets and account review. If your identity provider or password manager offers dark web monitoring, enable it. The faster you can detect and respond to a compromised credential, the less time an attacker has to act on it.

Additionally, consider enabling Azure AD Identity Protection, Google Workspace’s suspicious activity alerts, or equivalent tools in your environment to surface anomalous login behavior that may indicate account compromise even when the password has not yet appeared in a public breach.
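The risk-triggered reset approach from the "Rethink Mandatory Periodic Password Resets" section and the breach-monitoring integration described here come down to the same decision logic, shown below as an added Python example (not code from the original post). It forces a reset only on a risk signal (phishing incident, suspicious sign-in, or breach exposure), and applies a calendar rotation age to privileged accounts alone; the 90-day threshold, the event names, and the accounts and events are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Signals that should force a reset; a fixed calendar age is only consulted
# for privileged accounts. Names and the 90-day value are assumptions.
RISK_EVENTS = {"phishing_incident", "suspicious_signin", "breach_exposure"}
PRIVILEGED_MAX_AGE = timedelta(days=90)


@dataclass
class Account:
    user: str
    privileged: bool
    password_set: datetime


@dataclass
class Event:
    user: str
    kind: str
    detail: str


def accounts_to_reset(accounts: List[Account], events: List[Event],
                      now: datetime) -> Dict[str, str]:
    """Map user -> reason for every account that needs a forced reset."""
    known = {a.user for a in accounts}
    reasons: Dict[str, str] = {}
    for ev in events:                      # evidence of risk wins first
        if ev.kind in RISK_EVENTS and ev.user in known:
            reasons.setdefault(ev.user, f"{ev.kind}: {ev.detail}")
    for acct in accounts:                  # calendar age: privileged only
        if acct.privileged and now - acct.password_set > PRIVILEGED_MAX_AGE:
            reasons.setdefault(acct.user, "privileged account past rotation age")
    return reasons


# Constructed sample data: alice's old password alone is not a reset trigger.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("alice", False, NOW - timedelta(days=400)),
    Account("bob", False, NOW - timedelta(days=10)),
    Account("svc-backup", True, NOW - timedelta(days=120)),
    Account("dom-admin", True, NOW - timedelta(days=30)),
]
SAMPLE_EVENTS = [
    Event("bob", "breach_exposure", "hash matched breach-monitoring feed"),
    Event("alice", "successful_signin", "from usual location"),
    Event("dom-admin", "suspicious_signin", "impossible travel"),
]

if __name__ == "__main__":
    for user, why in accounts_to_reset(SAMPLE_ACCOUNTS, SAMPLE_EVENTS, NOW).items():
        print(f"force reset {user}: {why}")
```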

One of the simplest ways to reduce credential risk is to enforce a clear, modern password policy across the organization. By setting concrete technical controls, deploying the right tooling, and educating users on expectations, administrators can dramatically reduce the risk of attack across the organization. Policies should be regularly reviewed and updated as threats evolve and new authentication technologies become available.