How to communicate a new password policy to your end users

Rolling out a new password policy without a communication plan is a recipe for disaster. You want to avoid a situation where every end user is prompted to change their password without understanding what they’re doing or why, as that will trigger chaos for your service desk or IT team. The key is to go into your deployment with a clear plan for communicating the policy change.

If your policy is all set up and you’re ready to schedule the deployment, this post is the right place to be. But if you’re not quite there yet, we’d recommend checking out our guides on the earlier steps in the process.

These communication tips come from our recent report ‘How to deploy a password policy in Active Directory: End-to-end guide’. As well as configuration help, you’ll get planning tips, advice for a smooth deployment, and guidance on end user communication. Download the full report here.

Big bang or staggered deployment for a password policy change?

It’s up to you, at the end of the day. But we’d always recommend dividing your Active Directory users into groups and staggering the deployment, so that as each group is moved onto the new policy, users don’t all change passwords at once and trigger a flood of support tickets.

If a group of passwords is going to expire in the next few days or weeks anyway, why not apply the new policy to those users first? Users who changed their password recently, and so still have a long time until it expires, may find it frustrating to change again so soon – you could leave them until nearer your roll-out deadline.

Alternatively, you may have identified a group of end users with known breached passwords using Specops Password Auditor or another tool. A known group of breached-password accounts offers a quick win and a chance to test your deployment: use these accounts as a pilot group for your roll-out, so you deal with the highest-risk users first and also gain feedback on whether the pilot went smoothly.
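As an added illustration (example code written for this edit, not part of the Specops guide or its product), here is how the expiry-based wave planning above can be done with the RSAT ActiveDirectory module: enabled users are bucketed by days until their current password expires, a global security group is created per wave, and a fine-grained password policy (PSO) carrying the length, complexity and history requirements from the template email further down is applied to the first wave only. The wave cut-offs, group and PSO names, and the OU path are assumptions; the breach-list check in the email is not a native AD setting and needs a password filter such as the one the post describes.

```powershell
# Added example (not from the Specops guide): plan staggered rollout waves from
# password expiry data and bind the new policy to the first wave via a PSO.
# Assumes the RSAT ActiveDirectory module and a domain functional level of
# Windows Server 2008 or later (needed for PSOs). Names and OU are hypothetical.
Import-Module ActiveDirectory

$WaveDays = @(14, 45, 90)   # hypothetical cut-offs: soonest-expiring passwords go first
$Now      = Get-Date

# Read each user's computed expiry time. The attribute is constructed, so it
# has to be requested explicitly; accounts that never expire are skipped here.
$users = Get-ADUser -Filter "Enabled -eq 'True' -and PasswordNeverExpires -eq 'False'" `
    -Properties 'msDS-UserPasswordExpiryTimeComputed' |
  ForEach-Object {
    $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
    if (-not $raw -or $raw -eq [Int64]::MaxValue) { return }   # no expiry in effect
    [pscustomobject]@{
        SamAccountName = $_.SamAccountName
        DaysToExpiry   = [int](([datetime]::FromFileTime($raw) - $Now).TotalDays)
    }
  }

# Bucket users: wave 1 = expiring within 14 days, wave 2 within 45, wave 3 within
# 90, wave 4 = everyone else (recently changed, left until nearer the deadline).
$waves = @{}
foreach ($u in $users) {
    $n = 1
    foreach ($cut in $WaveDays) { if ($u.DaysToExpiry -le $cut) { break }; $n++ }
    $waves["PwdPolicy-Wave$n"] += @($u.SamAccountName)
}

# One global security group per wave; the group is the rollout handle.
foreach ($name in $waves.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security `
            -Path 'OU=PasswordRollout,DC=corp,DC=example'   # hypothetical OU
    }
    Add-ADGroupMember -Identity $name -Members $waves[$name]
    "$name : $($waves[$name].Count) users"
}

# The new policy as a PSO. 15 characters, complexity on, 24-password history
# (the AD maximum). Breach checking is not an AD setting and is not done here.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq 'NewPasswordPolicy'")) {
    New-ADFineGrainedPasswordPolicy -Name 'NewPasswordPolicy' -Precedence 100 `
        -MinPasswordLength 15 -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 365) `
        -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 15) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
        -ReversibleEncryptionEnabled $false
}

# Bind the PSO to the pilot wave only; later waves are added on their scheduled
# dates. If you have a pilot group of breached-password users, target it first.
Add-ADFineGrainedPasswordPolicySubject -Identity 'NewPasswordPolicy' -Subjects 'PwdPolicy-Wave1'

# A PSO alone does not prompt anyone; users meet the new rules at their next
# change. To push wave 1 now rather than wait for expiry, uncomment:
# Get-ADGroupMember -Identity 'PwdPolicy-Wave1' | Set-ADUser -ChangePasswordAtLogon $true
```

Two points worth knowing before running something like this: PSOs can only be applied to users and global security groups, not OUs, and where several PSOs hit one user the lowest Precedence value wins, so check `Get-ADUserResultantPasswordPolicy` on a pilot account before announcing the date.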

Specops Password Auditor runs a read-only scan of your Active Directory and gives you a detailed, customizable report of expiring passwords, current users with known breached passwords, and plenty more. Download your free auditing tool here. 

Specops Password Auditor dashboard

Communicating your new password policy announcement to end users 

Emailing your end users in advance of the reset notification will make the deployment smoother. The communication should explain:  

  1. Why the change is happening
  2. The new password policy requirements
  3. A reminder of best practices: don’t share, write down, or reuse passwords
  4. Who to go to with questions

You might also want to test your end user guidance approach before the full roll-out. Keep things simple and easy to understand. If users are moving from a policy that required a short, complex password (e.g. eight characters with a mix of numbers, lower case, upper case, and a special character) to a simpler but longer passphrase, this may be quite different from the policies they’ve followed in the past.

Template communication email  

Here’s an example of a communication you can adjust to your needs:  

Dear X,  

Between the dates of X/X/X and X/X/X, we will be deploying a new password policy across the organization. This will keep both you and the organization safer from passwords being cracked or guessed by threat actors. You will get a notification to create a new Active Directory password at some point within the above date range.

The new password policy requirements are as follows:  

  • Length: New passwords must be a minimum of 15 characters in length   
  • Complexity: New passwords must contain at least one capital letter, one number, and one special character
  • Reuse: Reused or slightly altered passwords will be automatically rejected  
  • Breach check: Known compromised passwords will also be automatically rejected  

We would recommend creating a ‘passphrase,’ as this is the easiest way to create a long, secure, and easily memorable password. If you need help creating a passphrase, please have a read of the following guide: Passphrase best practice guide  

Please also keep password best practices in mind that have been highlighted throughout your cybersecurity training. Do not:  

  • Share your password   
  • Write your password down (unless stored in a secure location)  
  • Reuse your password across other devices, applications, and websites  

If you have any questions, reach out to [email] for help.  

Kind regards,  

X  

Other user groups to communicate with  

There are some other user groups within an organization you might want to adapt the above communication for. Here are some of the important ones:  

  • Service desk/IT support/Security teams: These teams need to know when to expect a higher volume of tickets and potential issues around passwords. Hopefully your deployment goes smoothly and the end user communication helps, but there will always be some teething problems. These teams should also be crystal clear on the new policy requirements. And remember, every password reset call should be protected by enforced identity verification of the caller before the reset is performed (learn more about secure verification at the service desk here).
  • Executive team/Managers: It’s especially important for this group to understand the reasons behind the new policy, so that they buy into and support the deployment. They can also help with communication to end users. It can also be worth sharing statistics or data around the risks of breached and compromised passwords to ensure buy in.   
  • Service accounts: These accounts usually run critical services and systems and very rarely have password expiry set. Their passwords also aren’t typically typed in manually, but are copied from a password vault, so length costs nothing: consider very high length requirements for these accounts, e.g. 64+ characters. Also consider whether they are exposed to denial-of-service attacks through misuse of your account lockout policy – an attacker who can repeatedly fail authentication as a service account can lock it out and take down whatever runs under it.
  • Admins: Users with high-privilege access to the network and/or access to sensitive data should also be protected more strongly than regular accounts. Consider enforcing longer passwords/passphrases, and potentially keeping password expiry for these accounts even when the password isn’t known to be breached. They may need some extra communication to explain these additional requirements.
  • Employees on leave: While planning your rollout, it’s also worth considering if staff are on long-term leave. They may not have access to the systems that would allow them to change their passwords to a new setting. Discuss the needs of these users with their managers and HR, and put contingencies in place with the service desk or via detailed instructions to assist them.  
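The same module lets you check, rather than assume, which policy actually binds the accounts in the service account and admin groups above. As an added example (written for this edit, not from the Specops guide), the script below resolves the effective policy for each such account and flags three things those two list items raise: a service account that can be locked out at all, a minimum length below the 64-character target suggested for service accounts, and any account still governed only by the Default Domain Policy. The service account OU, the Tier0-Admins group, and the 20-character admin target are assumptions.

```powershell
# Added example (not from the Specops guide): report the password policy that
# actually applies to service and admin accounts. Assumes the RSAT
# ActiveDirectory module; OU path, group name and length targets are hypothetical.
Import-Module ActiveDirectory

$default = Get-ADDefaultDomainPasswordPolicy

# Service accounts: everything in the hypothetical OU, plus any enabled account
# with a non-expiring password, which is how most of them end up configured.
$svc = @(Get-ADUser -SearchBase 'OU=ServiceAccounts,DC=corp,DC=example' -Filter *) +
       @(Get-ADUser -Filter "PasswordNeverExpires -eq 'True' -and Enabled -eq 'True'")
$svc = $svc | Sort-Object DistinguishedName -Unique

# Admins: nested membership of a hypothetical tier-0 group.
$admins = Get-ADGroupMember -Identity 'Tier0-Admins' -Recursive |
    Where-Object objectClass -eq 'user' | Get-ADUser

function Get-EffectivePolicy {
    param($User, [string]$Tier)
    # A resultant PSO overrides the Default Domain Policy; $null means no PSO applies.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $User
    $p   = if ($pso) { $pso } else { $default }
    [pscustomobject]@{
        Tier              = $Tier
        Account           = $User.SamAccountName
        Source            = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
        MinLength         = $p.MinPasswordLength
        LockoutThreshold  = $p.LockoutThreshold      # 0 = the account never locks out
        MaxAgeDays        = $p.MaxPasswordAge.Days
        # Any non-zero threshold on a service account is a lockout lever an
        # attacker can pull against the service itself.
        LockoutDoSRisk    = ($Tier -eq 'Service' -and $p.LockoutThreshold -gt 0)
        # 64+ for service accounts follows the post; 20 for admins is an assumed target.
        BelowTargetLength = ($Tier -eq 'Service' -and $p.MinPasswordLength -lt 64) -or
                            ($Tier -eq 'Admin'   -and $p.MinPasswordLength -lt 20)
    }
}

$report = @($svc    | ForEach-Object { Get-EffectivePolicy -User $_ -Tier 'Service' }) +
          @($admins | ForEach-Object { Get-EffectivePolicy -User $_ -Tier 'Admin' })

# Show only the accounts that need a decision before the rollout.
$report |
    Where-Object { $_.LockoutDoSRisk -or $_.BelowTargetLength -or $_.Source -eq 'Default Domain Policy' } |
    Format-Table Tier, Account, Source, MinLength, LockoutThreshold, MaxAgeDays -AutoSize
```

Each flagged row is a conversation to have with the service or system owner, not an automatic change: removing lockout from a service account trades the denial-of-service exposure for weaker brute-force protection, which is only acceptable when the password is long, vaulted and never typed by a person.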

Found the recommendations in this blog helpful? Read the full report ‘How to deploy a password policy in Active Directory: End-to-end guide’ here.  

How else can you make a password policy deployment user friendly?  

Aside from a solid communication plan, there are a few elements you can add to your password policy to make life simpler for end users. Things like single sign-on (SSO), password managers, and hardware authenticators like YubiKeys can make a positive difference to user experience. Of course, user experience always needs to be balanced correctly against security. One of the best ways to help end users is to give them real-time feedback on what they’re doing.

Better user experience means fewer service desk tickets. Specops Password Policy offers dynamic feedback that reacts to user input, guiding users to create strong passwords they can actually remember. As shown below, the Specops Authentication Client provides dynamic feedback at the password reset screen, giving users real-time insight into what they need to do to meet the new policy (such as a 15+ character passphrase). Length-based aging can also be included, which ‘rewards’ users who choose a longer password with a longer time until their next reset.

Easy-to-understand, simple user experience avoids password frustration and fatigue, meaning fewer calls and emails to the support desk. Get in touch and try Specops Password Policy.  

New Password reset screen for Specops Password Policy end user 

(Last updated on October 29, 2024)


Written by

Marcus White

Marcus is a Specops cybersecurity specialist based in the UK. He’s been in the B2B technology sector for 8+ years and has worked closely with products in email security, data loss prevention, endpoint security, and identity and access management.

