How to Design an Effective Password Policy

A password policy is a set of rules governing how passwords are created and managed, intended to make weak, guessable passwords less likely. If you are studying for the CompTIA A+, Security+, or Network+ exams, you will find that password strength is a recurring exam objective.

Why Is a Password Policy Needed?

Password policies are used by companies for their employees and by consumer-facing organizations such as banks and retailers to make passwords harder to guess or crack. A strong password policy covers the technical requirements for creating a password and, when a company sets the policy for its employees, extends to password management practices as well.

Suggested Parameters of a Good Password Policy

When developing a password policy, it is important to balance security with practicality. Requiring a minimum of eight characters is a common and reasonable floor (NIST SP 800-63B recommends at least eight characters for user-chosen passwords and advises accepting passwords of at least 64 characters). Requiring very long strings of random characters, however, 25 for example, can actually lead to a less secure outcome: users cannot remember such passwords and will usually write them down, exposing the password to anyone who can see the note, whether by shoulder surfing or by walking past an unattended desk. Length is the dominant factor in resistance to brute-force guessing, so a policy gains more from allowing long but memorable passphrases, or from expecting users to rely on a password manager, than from complexity rules alone. Common requirements in a password policy include:

  • requiring a minimum length (and allowing a generous maximum, so that passphrases are not rejected)

  • requiring at least one number

  • requiring both upper- and lowercase letters

  • requiring at least one punctuation mark or other non-alphanumeric character


Other Possible Requirements

Beyond the rules for creating a password, a strong password policy can also include:

  • requiring a password change at set intervals (note that current NIST guidance in SP 800-63B recommends forcing a change only when there is evidence of compromise, because routine rotation tends to produce predictable variations of the old password)

  • disallowing reuse of any of the last N passwords, enforced by comparing the new password against the stored hashes of previous ones

  • locking out an account after a specified number of unsuccessful attempts (an attacker who knows the threshold can deliberately lock out legitimate users, so many systems prefer rate limiting or an escalating delay between attempts to a hard lock)

  • requiring multi-factor authentication, so that a guessed or stolen password alone is not enough to log in

Password Management Protocols

Company password policies may also extend to rules of conduct for employees, such as prohibiting the sharing of passwords and credentials, discouraging writing passwords down, or implementing a single sign-on (SSO) system so that employees have fewer passwords to manage. Employers may also advise employees to avoid personal details such as birth dates or pet names, which an attacker can often look up. Common, easy-to-guess passwords such as “password” or “abc123” may be banned outright, ideally by checking each new password against a list of known-breached passwords rather than a short hand-maintained list.
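As an added worked example (not code from the original article), here is the policy described in the two lists above and in the management rules of this section expressed as a small Python checker: minimum and maximum length, the three composition rules, a banned-password list, a check for the user name inside the password, and a no-reuse check against salted hashes of previous passwords, plus a simple failed-attempt lockout counter. It goes beyond the article in one respect: composition rules are waived for passwords at or above a configurable passphrase length, which is a design choice in the spirit of NIST SP 800-63B rather than something the article prescribes. The banned-password set, the user name "alice", and the candidate passwords are constructed sample data.

```python
import hashlib
import hmac
import os
import string
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample blocklist for this example. A production policy would
# check candidates against a large corpus of breached passwords instead.
COMMON_PASSWORDS = {"password", "abc123", "123456", "qwerty", "letmein", "welcome1"}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 of the password.

    The (salt, digest) pairs returned here are what a system keeps as password
    history, so the no-reuse rule can be enforced without storing old passwords.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


@dataclass
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 64            # allow long passphrases rather than capping them
    require_digit: bool = True
    require_mixed_case: bool = True
    require_symbol: bool = True
    passphrase_length: int = 16     # assumption: composition rules waived at/above this length
    history_depth: int = 5          # how many previous passwords may not be reused

    def violations(self, password: str, username: str = "",
                   history: Optional[List[Tuple[bytes, bytes]]] = None) -> List[str]:
        """Return every rule the candidate breaks; an empty list means it is acceptable."""
        problems: List[str] = []
        lowered = password.lower()

        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if len(password) > self.max_length:
            problems.append(f"longer than {self.max_length} characters")
        if lowered in COMMON_PASSWORDS:
            problems.append("on the banned common-password list")
        if username and username.lower() in lowered:
            problems.append("contains the user name")

        # Composition rules only apply to short passwords; length does more for
        # brute-force resistance than forcing a digit into an 8-character string.
        if len(password) < self.passphrase_length:
            if self.require_digit and not any(c.isdigit() for c in password):
                problems.append("no digit")
            if self.require_mixed_case and not (
                any(c.islower() for c in password) and any(c.isupper() for c in password)
            ):
                problems.append("no mix of upper- and lowercase letters")
            if self.require_symbol and not any(c in string.punctuation for c in password):
                problems.append("no punctuation or other non-alphanumeric character")

        # Re-hash the candidate with each stored salt and compare in constant time.
        for salt, digest in (history or [])[-self.history_depth:]:
            if hmac.compare_digest(hash_password(password, salt)[1], digest):
                problems.append(f"reused within the last {self.history_depth} passwords")
                break
        return problems


@dataclass
class LockoutTracker:
    """Lock an account for lockout_seconds after max_attempts consecutive failures."""
    max_attempts: int = 5
    lockout_seconds: int = 900
    _state: Dict[str, Tuple[int, float]] = field(default_factory=dict)  # user -> (failures, locked_until)

    def is_locked(self, username: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        _, locked_until = self._state.get(username, (0, 0.0))
        return now < locked_until

    def record_failure(self, username: str, now: Optional[float] = None) -> bool:
        """Count one failed login; returns True if the account is now locked."""
        now = time.time() if now is None else now
        failures, locked_until = self._state.get(username, (0, 0.0))
        failures += 1
        if failures >= self.max_attempts:
            failures, locked_until = 0, now + self.lockout_seconds
        self._state[username] = (failures, locked_until)
        return now < locked_until

    def record_success(self, username: str) -> None:
        """A successful login clears the failure count."""
        self._state.pop(username, None)


if __name__ == "__main__":
    policy = PasswordPolicy()
    # Constructed sample candidates for a user named "alice".
    for candidate in ["abc123", "Alice2024!", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(f"{candidate!r}: {policy.violations(candidate, username='alice') or 'OK'}")
```

The lockout counter is deliberately per account, which is the behaviour the article describes; because a hard lock can be turned against legitimate users, a real deployment would pair it with per-source rate limiting and log every lock event for the security operations team.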

A robust password policy, while it may seem inconvenient to end users, reduces the likelihood that a brute-force or dictionary attack succeeds. If you are studying for the CompTIA A+ exam and would like to learn more about, or test your knowledge of, passwords and other IT concepts, check out our CompTIA A+ practice tests, study guides, and flashcards.
