Password Policy Template
Introduction
Purpose and Use
Passwords remain one of the most widely used methods for authenticating users and protecting access to systems and data. Weak or compromised passwords are a common cause of security breaches. This policy template provides guidance on creating, managing, and protecting passwords within your organisation. It helps to ensure that passwords are strong, securely stored, and regularly updated, in line with industry best practice and compliance requirements such as Cyber Essentials, ISO/IEC 27001, and the UK GDPR.
Use this template to develop a Password Policy that is proportionate to your organisation’s size, technology environment, and risk profile. It should be customised to reflect specific systems, applications, and regulatory obligations.
Who This Template Is For
- IT and information security managers responsible for authentication mechanisms.
- Employees and contractors who create and use passwords to access organisational resources.
- Organisations preparing for Cyber Essentials or ISO/IEC 27001 certification.
Alternative Names You Might See
- Password Management Policy
- Credential Policy
- Authentication Policy
Password Policy Template
1. Document Management
- Organisation Name: [Insert organisation name]
- Document Owner: [Role/title responsible for the policy]
- Version: [e.g. 1.0]
- Classification: [e.g. Internal / Public / Confidential]
- Issue Date: [Date of current issue]
- Next Review Date: [Date for next review]
- Supersedes: [If applicable, previous versions]
- Approval: [Senior management approval]
- Change History: Include a table recording version, date, author and summary of changes.
2. Purpose
The purpose of this policy is to:
- Define minimum standards for password creation, management, and protection across the organisation.
- Reduce the risk of unauthorised access due to weak or compromised passwords.
- Ensure compliance with relevant legal and regulatory requirements including UK GDPR, Data Protection Act 2018, Cyber Essentials, and ISO/IEC 27001.
3. Scope
This policy applies to:
- All employees, contractors, partners, and third parties who access organisational systems or data using passwords.
- All systems, applications, databases, network devices, cloud services, and physical access mechanisms that rely on password authentication.
- Passwords used to access company-owned devices and personal devices used for business (BYOD).
4. Roles and Responsibilities
4.1 Senior Management / Board
- Approve the Password Policy and allocate resources for implementation.
- Support enforcement of password standards and disciplinary measures.
4.2 Information Security / IT Function
- Define and maintain password complexity and expiration settings across systems.
- Implement technical controls (e.g. password complexity rules, account lockout thresholds).
- Provide users with secure mechanisms for password creation, change, and recovery.
- Monitor and audit password-related events for suspicious activity.
4.3 Line Managers / System Owners
- Ensure users within their area of responsibility comply with this policy.
- Review access rights and require password updates when users change roles or leave the organisation.
4.4 All Users
- Create and maintain passwords in accordance with this policy.
- Keep passwords confidential and do not share them with others.
- Change passwords promptly if a compromise is suspected or after a known breach.
- Report any suspicious activity or password-related security incidents to IT/security.
5. Password Requirements
5.1 Complexity
- Passwords must be at least 12 characters long (or longer if specified by system requirements).
- Passwords should contain a mix of uppercase and lowercase letters, numbers, and special characters.
- Avoid using easily guessable information such as names, birthdays, or common words.
5.2 Uniqueness and Reuse
- Each account must have a unique password; reuse across multiple systems is prohibited.
- Passwords must not be reused for at least 12 months from previous use.
5.3 Expiration and Renewal
- For systems without multi-factor authentication (MFA), passwords should be changed at least every 90 days.
- For systems with MFA, password expiration may be extended (e.g. every 180 days) based on risk assessment.
- Users should not recycle previous passwords.
5.4 Storage and Transmission
- Passwords must be stored using secure, salted hashing algorithms; plaintext or reversible encryption storage is prohibited.
- Passwords must not be transmitted in plaintext; secure protocols (e.g. HTTPS, SSH) must be used.
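The complexity rules in 5.1 and the storage rule in 5.4 are the two parts of this policy that an application enforces in code. The following added example (not part of the template, and not any product's own implementation) shows both: a policy check that returns every rule a candidate password breaks, and salted password hashing with verification. It assumes a constructed five-word deny list standing in for a real common-password list, a 16-byte random salt, and scrypt cost parameters chosen for illustration.

```python
import hashlib
import hmac
import os
import re
from typing import Iterable, List, Optional

MIN_LENGTH = 12  # section 5.1 minimum length

# Constructed stand-in for a real common-password / breached-password list (assumption).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer"}


def check_password_policy(password: str, personal_info: Iterable[str] = ()) -> List[str]:
    """Return the list of 5.1 rules the password breaks (an empty list means it passes)."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Mix of uppercase, lowercase, digit and special character.
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if not all(re.search(c, password) for c in classes):
        problems.append("needs uppercase, lowercase, digit and special character")
    lowered = password.lower()
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            problems.append(f"contains common word '{word}'")
    # Names, birthdays etc. supplied by the caller (e.g. from the user's directory record).
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information '{item}'")
    return problems


# scrypt cost parameters (assumed values; tune to the server's capacity).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a salted scrypt record for storage; the password itself is never stored (5.4)."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                            p=SCRYPT_P, maxmem=2 ** 26, dklen=DKLEN)
    # Self-describing record, so cost can be raised later without breaking old records.
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    expected = bytes.fromhex(digest_hex)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), maxmem=2 ** 26, dklen=len(expected))
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    candidate = "Tr0ub4dor&3xyz"  # constructed sample password
    print(check_password_policy(candidate) or "policy OK")
    record = hash_password(candidate)
    print(record)
    print(verify_password(candidate, record), verify_password("wrong", record))
```

The stored record carries the algorithm name, cost parameters and salt alongside the digest, which is what lets an organisation raise the hashing cost at the next password change without invalidating existing accounts; the constant-time comparison in `verify_password` avoids leaking how many digest bytes matched.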
5.5 Password Managers and MFA
- Use of password managers is encouraged to help users create and store strong, unique passwords.
- Multi-factor authentication (MFA) should be enabled wherever available, particularly for remote access and privileged accounts.
6. Account Lockout and Recovery
- Systems must lock an account after a defined number of consecutive failed login attempts (e.g. 5 attempts).
- Locked accounts may be automatically unlocked after a cooling-off period or must be reset by IT/security personnel.
- Account recovery procedures must verify user identity before resetting or unlocking accounts.
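Section 6 describes three behaviours: lock after a defined number of consecutive failures, unlock automatically after a cooling-off period or manually by IT/security, and verify identity before any manual unlock. The following added example (not from the template or any product) implements all three in one tracker and records the events that the monitoring duties in 4.2 and 9 depend on. The 5-attempt threshold is the policy's own example value; the 15-minute cooling-off period, the `FakeClock` used for the walkthrough, and the user names are assumptions.

```python
import time
from collections import defaultdict
from typing import Callable, Dict, List

MAX_FAILED_ATTEMPTS = 5        # example threshold given in section 6
COOLING_OFF_SECONDS = 15 * 60  # assumed cooling-off period


class FakeClock:
    """Deterministic clock for the walkthrough below (not for production use)."""

    def __init__(self) -> None:
        self.now = 0.0

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


class LockoutTracker:
    """Counts consecutive failed logins per account and enforces lockout (section 6)."""

    def __init__(self, max_attempts: int = MAX_FAILED_ATTEMPTS,
                 cooling_off: int = COOLING_OFF_SECONDS,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_attempts = max_attempts
        self.cooling_off = cooling_off
        self.clock = clock
        self.failures: Dict[str, int] = defaultdict(int)
        self.locked_until: Dict[str, float] = {}
        self.audit: List[str] = []  # events for the monitoring required by 4.2 and 9

    def _log(self, msg: str) -> None:
        self.audit.append(f"t={self.clock():.0f} {msg}")

    def is_locked(self, user: str) -> bool:
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:  # cooling-off period elapsed: automatic unlock
            del self.locked_until[user]
            self.failures[user] = 0
            self._log(f"{user} automatically unlocked")
            return False
        return True

    def record_failure(self, user: str) -> bool:
        """Register a failed attempt; returns True if the account is (now) locked."""
        if self.is_locked(user):
            self._log(f"{user} attempt while locked")
            return True
        self.failures[user] += 1
        self._log(f"{user} failed login #{self.failures[user]}")
        if self.failures[user] >= self.max_attempts:
            self.locked_until[user] = self.clock() + self.cooling_off
            self._log(f"{user} LOCKED after {self.failures[user]} consecutive failures")
            return True
        return False

    def record_success(self, user: str) -> bool:
        """A successful login resets the counter; it is refused while the account is locked."""
        if self.is_locked(user):
            return False
        self.failures[user] = 0
        return True

    def manual_unlock(self, user: str, identity_verified: bool) -> None:
        """Helpdesk unlock: identity must have been verified first (section 6, recovery)."""
        if not identity_verified:
            self._log(f"{user} manual unlock refused: identity not verified")
            raise PermissionError("verify user identity before unlocking")
        self.locked_until.pop(user, None)
        self.failures[user] = 0
        self._log(f"{user} manually unlocked after identity verification")


def demo() -> dict:
    """Walk a constructed account through lockout, cooling-off and automatic unlock."""
    clock = FakeClock()
    tracker = LockoutTracker(clock=clock)
    outcomes = [tracker.record_failure("alice") for _ in range(MAX_FAILED_ATTEMPTS)]
    locked_at = outcomes.index(True) + 1
    blocked = tracker.is_locked("alice")
    clock.advance(COOLING_OFF_SECONDS)
    return {"locked_at_attempt": locked_at, "blocked": blocked,
            "auto_unlocked": not tracker.is_locked("alice"), "events": tracker.audit}


if __name__ == "__main__":
    for line in demo()["events"]:
        print(line)
```

The audit list is the hook for the monitoring duty in 4.2: in a real deployment those entries would go to the central log so that a burst of failures across many accounts, rather than one locked account, is what raises the alert.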
7. Shared and Service Accounts
- Shared accounts should be avoided. Where unavoidable (e.g. service accounts), they must be authorised by IT/security and have controlled access.
- Service account passwords must meet the same complexity requirements and be changed regularly (e.g. every 180 days) or when systems are updated.
- Service account credentials should be stored securely (e.g. password vaults) and limited to the minimum privileges required.
8. Training and Awareness
- Users must receive periodic training on password best practices, including recognising phishing and social engineering attacks.
- Awareness campaigns should remind users of the importance of strong passwords and the risks of compromise.
9. Compliance and Monitoring
- Compliance with this policy must be monitored through periodic audits of password strength and account configurations.
- Any non-compliance must be addressed promptly by the system owner and IT/security.
10. Exceptions
- Any deviations or exceptions to this policy must be formally documented, justified, and approved by senior management.
- Exceptions should be reviewed regularly to ensure continued relevance.
11. Policy Communication
- This policy must be communicated to all users and made available on the organisational intranet or Knowledge Base.
- Regular reminders and updates should be provided to reflect changes in technology or best practice.
12. Supporting Policies and Standards
- Access Control Policy – defines how access rights are provisioned and managed.
- Information Security Policy – overarching framework for protecting organisational assets.
- Acceptable Use Policy – guidelines on appropriate use of IT resources.
- Data Protection Policy – compliance with UK GDPR and Data Protection Act 2018.
13. Policy Add-ons
Depending on your organisation’s risk profile, you may choose to add:
- Password length variations for specific systems (e.g. longer requirements for critical systems).
- Biometric or hardware tokens as additional authentication factors.
- Password complexity exceptions for systems that cannot enforce certain characters, with compensating controls.
Use this template as a foundation and adapt it to your organisation’s needs. Review and update the policy regularly to reflect changes in security standards and regulations.
