Password Policies and Guidelines

Using a password policy is an important part in enhancing your organization’s password security. Cyberattacks continue to explode around the world with a variety of techniques to compromise corporate passwords. To defend against these attacks, organizations employ password policies to enforce secure passwords and use them to protect enterprise data.

What is a password policy?

A password policy is a set of requirements for passwords in an organization. This can include requirements related to the length and complexity of the password, the expiration period, password reuse and disallowing known breached passwords.

What’s the best password policy?

After researching the various password policies that apply to your organization, you need to decide which requirements need to be enforced to fulfill compliance, provide the best security and ensure end-user adoption. There’s been an ongoing debate around the downsides of password expiration and complexity requirements, since end users often reuse their passwords when faced with these requirements. Another helpful resource is the IT professional forum Spiceworks, where IT pros provide advice related to password policies.

A password policy is not a set-and-forget network setting. Make a schedule to review the policy at regular intervals after checking the most up-to-date recommendations from industry experts and compliance standards.

Here’s a list of the top password policies best practices and guidelines.

Password Policy Types

Password Policy Settings


  • HIPPA password policy – The Health Insurance Portability and Accountability Act (HIPAA) is designed to protect against unauthorized access. Read about the role of passwords in HIPAA compliance.
  • HITRUST CSF password policy​ – Formed in 2007 to fill the gap of the requirements of HIPAA, the Health Information Trust offers a framework that provides a way to comply with standards such as ISO/IEC 27000-series and HIPAA.
  • Criminal Justice Information Services Division (CJIS) – The CJIS Security Policy integrates presidential and FBI directives, federal laws, and the criminal justice community’s Advisory Policy Board decisions, along with guidance from the National Institute of Standards and Technology (NIST).
  • Cybersecurity Maturity Model Certification (CMMC) – the CMMC is largely a roll-up of several different requirements from different industry bodies into one cohesive set of guidelines, for use by DoD contractors.
  • The General Data Protection Regulation (GDPR)/ICO – GDPR is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. The GDPR does not say anything specific about passwords; ICO, the UK’s public body responsible for GDPR enforcement, does provide some non-binding guidance on passwords.
  • PCI compliance UK – Payment Card Industry Data Security Standard (PCI DSS) security recommendations required for any business that accepts, stores, transmits, or processes cardholder data.
  • National Agency for the Security of Information Systems (ANSSI) – France’s national authority charged with supporting and securing the development of digital technology.
  • National Cyber Security Centre (NCSC) – An organization of the United Kingdom Government that provides advice and support for the public and private sector in how to avoid computer security threats.

Other resources

Get serious about password security with Specops Password Policy

Specops Password Policy is a feature-rich solution with robust controls over Active Directory password settings. The Specops Breached Password Protection feature includes a real-time breached password check that prevents users from selecting vulnerable passwords. 

(Last updated on May 6, 2022)

Back to Blog

Related Articles

  • Active Directory security best practices

    Our Active Directory best practices address security vulnerabilities in your organization, and serve as barriers for attackers.

    Read More
  • Active Directory Account Lockout Policy

    We’ve touched on the critical importance of password management, and Account Lockout Policy builds on this further. Most failed login attempts are accidental—a user enters their password incorrectly, which happens from time to time. We’re human. However, user accounts occasionally face unique threats from remote attackers. These include: Denial of Service (DoS) attacks Malicious, isolated…

    Read More