Password policy basics

Topic: Security basics

Summary

Set minimum length, complexity, and expiry for passwords where they are still used; prefer MFA and passwordless where possible. Use this when configuring IdP or application password rules so users cannot choose weak or reused passwords.

Intent: How-to

Quick answer

  • Minimum length of at least 12 characters; require a mix of character types only if complexity is enforced. Avoid overly strict rules that lead to unmemorable passwords and sticky notes; length matters more than complexity.
  • Set expiry or periodic change only if required by policy; frequent forced change can weaken security (users reuse or simplify). Prefer MFA and breach-check (block known compromised passwords) over frequent rotation.
  • Use a password manager and allow paste so users can use long, random passwords. Block common and breached passwords via Have I Been Pwned or similar where supported.

Prerequisites

Steps

  1. Set length and complexity

    Require at least 12 characters; 14 or more for sensitive systems. Optional: mix of upper, lower, number, symbol. Avoid rules that force predictable patterns (e.g. capital first, number last).

  2. Expiry and rotation

    Only require periodic change if policy demands it. Prefer MFA and breach-check over frequent rotation. When rotation is required, do not allow reuse of recent passwords (e.g. last 12).

  3. Block weak and breached

    Block common passwords (list or dictionary). Integrate breach-check (e.g. Have I Been Pwned API) so compromised passwords are rejected. Allow password managers and paste.

  4. Document and communicate

    Document the policy and where it applies. Tell users why (security) and how (password manager, MFA). Provide a way to reset forgotten passwords securely (verified identity).

Summary

Set minimum length (e.g. 12+ chars) and optional complexity; limit expiry to when required; block common and breached passwords. Prefer MFA and breach-check over frequent rotation. Use this when configuring password rules.

Prerequisites

Steps

Step 1: Set length and complexity

Require at least 12 characters; optional mix of types. Avoid rules that create predictable patterns.

Step 2: Expiry and rotation

Require rotation only if policy requires it. Prefer MFA and breach-check; limit reuse of recent passwords.

Step 3: Block weak and breached

Block common and dictionary passwords; use breach-check API where supported. Allow password managers.

Step 4: Document and communicate

Document policy; explain to users; provide secure reset and MFA enrollment.
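The checks from steps 1 to 3 (minimum length, common-password blocklist, breach check via the Have I Been Pwned k-anonymity range API, and a last-12 reuse window), as an added example in Python that is not part of this page or of any IdP product. The blocklist, the sample range response and its counts are constructed; a live deployment would fetch the range for the 5-character prefix and load a real blocklist.

```python
import hashlib
import hmac
import os
from typing import Optional

MIN_LENGTH = 12        # step 1: length matters more than complexity
REUSE_HISTORY = 12     # step 2: do not allow reuse of the last 12 passwords
# Constructed blocklist; a real deployment loads a large list from a file.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "administrator"}
# Constructed sample of a HIBP range response (one "SUFFIX:COUNT" per line) for
# prefix 5BAA6; the second suffix completes the SHA-1 of "password". Counts are made up.
SAMPLE_RANGE_5BAA6 = "1D72CD07550416C216D8AD296BF5C0AE8E0:10\n1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"

def hibp_range_query(password: str) -> tuple[str, str]:
    """k-anonymity: only the first 5 hex chars of the SHA-1 are sent to
    https://api.pwnedpasswords.com/range/<prefix>; the suffix never leaves the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(password: str, range_response: str) -> int:
    """How often the password appears in the range response; 0 if absent."""
    _, suffix = hibp_range_query(password)
    for line in range_response.splitlines():
        found, _, count = line.strip().partition(":")
        if found == suffix:
            return int(count)
    return 0

def history_entry(password: str) -> tuple[bytes, bytes]:
    """Old passwords are kept as salted PBKDF2 hashes, never plaintext or bare SHA-1."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def check_password(password: str, range_response: str,
                   history: list[tuple[bytes, bytes]]) -> Optional[str]:
    """Return None if the password passes the policy, else the reason it fails."""
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    if password.lower() in COMMON_PASSWORDS:              # step 3: blocklist
        return "on the common-password blocklist"
    count = breach_count(password, range_response)         # step 3: breach check
    if count:
        return f"seen {count} times in known breaches"
    for salt, digest in history[-REUSE_HISTORY:]:          # step 2: reuse window
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if hmac.compare_digest(candidate, digest):
            return f"reused one of the last {REUSE_HISTORY} passwords"
    return None
```

The checks are ordered so the cheapest rejection comes first and the breach lookup only runs for passwords that already satisfy length and blocklist.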

Verification

Password rules are configured; weak and breached passwords are rejected; policy is documented and communicated.

Troubleshooting

  • Users bypass with simple passwords: enforce at the IdP; block the breach list; encourage a password manager.
  • Too strict: relax complexity if it causes sticky notes; increase length instead.

Next steps

Continue to