Password Policy Best Practices 2022

Updated: Dec 1, 2021

Your password is the gateway to your account. Once inside, a hacker can access a wealth of personal or company information and use it for their own ends, such as divulging trade secrets, committing fraud or accessing data. Crafting a secure password is essential to reducing the risk to your account and information and keeping your data safe — whether at home, at work or on the go.



From common mistakes to best practices and leading advice from industry experts, understanding how to create a strong, safe password ensures only you keep the keys to your account.



Why do you need a strong password?


Passwords protect sensitive data, ensure privacy for you, your employees and your business, and prevent unauthorised access. It’s for this reason that most leading cybersecurity bodies recommend that only you know your password, even in the scope of a company. Of course, a strong password doesn’t guarantee protection, as it can still be guessed or hacked, but the stronger your password, the better your defence.


How are passwords discovered?


Most of the time, they’re simply guessed. People often use passwords that are too weak, simple or common to be truly secure, making it an easier job for hackers to compromise accounts. Research by the UK’s leading security body, the National Cyber Security Centre (NCSC), showed that when it comes to setting a password:

  • 15% use their pet's name

  • 14% use family members' names

  • 13% use special dates

  • 6% use a sports team

  • 6% use ‘password’

The NCSC also shared a list of the top 100,000 breached passwords from haveibeenpwned.com, a website created by Microsoft Regional Director Troy Hunt. The data showed that the password ‘123456’ had been found 23 million times, ‘qwerty’ 3.8 million and ‘password’ 3.6 million. Following data breaches, hackers use a practice called ‘credential stuffing’: they take lists of known usernames, email addresses and passwords from one breach and try them against other applications, relying on people having reused the same credentials.

But there’s actually more to it than easy or weak passwords, and a lot of it comes down to human behaviour — namely, that we’re creatures of habit, and so fairly predictable. This makes us vulnerable to creating weak passwords from the outset. Here are some common problems:

  • We reuse the same passwords across multiple websites or accounts.

  • We use variations of the same password, whether we’re resetting an old one, or again, using one similar password across the internet.

  • When making a password more complex, we fall into common patterns like starting with a capital, ending with an exclamation mark, and swapping numbers for letters in the middle.

  • We might write down our passwords, or share them with others.

  • We tend to repeat words in longer passwords.

While these habits might make passwords easier for us to remember, they also make them easier to crack by others — whether it’s a hacker using software or algorithms, or someone simply typing their best guess.


What are the current best practices?


Industry leaders don’t always agree on the best approach. The NCSC suggests using ‘three random words’ for each password you set. Not only does this mean your password will be longer — which can mean extra security — but by randomising the words you choose, there’s no discernible link between them that can be guessed, and the combinations are endless. However, other bodies, such as the National Institute of Standards and Technology (NIST) and The Open Web Application Security Project (OWASP), have previously recommended an 8-10 character minimum, with a mixture of casing, letters, numerals and special characters. Other things to think about include:

  • Using a novel username: for example, instead of the person’s name, it could be something more abstract or arbitrary, like a fruit, an animal or a place. However, experts dispute whether this is any more effective than simply using a strong password in the first place, and workplaces may fall into a pattern of using a particular category (e.g. fruit) across the board.

  • Whether administrators know or create employee passwords: while this could help ensure passwords are created in line with company policy, it does risk exposing passwords to others in the business.

  • Using expiring or rotating passwords: Frequently resetting passwords may not add any extra security, as users might rehash old ones or only change a character or two when setting a new one. It might be more prudent to reset passwords only if an account is compromised.

  • Implementing a corporate password policy: These can guide employees on creating a strong password, but recommendations may differ between businesses and there could be unexpected outcomes: too complex, and employees might store or write down passwords; too simple, and accounts might be easier to hack into.

  • Password diversity: a business may settle on a single approach to setting passwords, but there’s a lot to be said for how diverse employee passwords ultimately are, because an attacker may then need more than one type of software or algorithm to crack them.

How can you make passwords more complex for hackers?


There are a number of things we suggest. As a user, never share your password, even with someone in your company, and don’t risk reusing or rehashing a previous one. Aim for a password that’s at least 12 characters long for a standard user account, and around 16 characters for an admin or higher-access account. Finally, check breached-password lists regularly, or enter your email address into a site like haveibeenpwned.com, to see whether your credentials have appeared in a breach.

As a company, roll out multi-factor authentication (MFA), such as requiring a phone as well as a password to log in. The more obstacles in a hacker’s way, the more secure the account. It’s also a good idea to ban common passwords (such as ‘qwerty’) that could be easily cracked. Even better, consider ways to reduce your reliance on passwords altogether. Essentially, a network of accounts is only as secure as its users: everyone in your company needs to use a strong password and follow best practices to keep information safe.
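The advice in the two paragraphs above (minimum lengths of 12 and 16 characters, a ban on common passwords, no reuse or rehashing of a previous password, and the habits listed earlier such as swapping numbers for letters or repeating words) can be enforced at the point where a password is set. The following is an added example written for this page, not code from the original article or from CovertSwarm. The deny-list is a constructed handful of entries standing in for the NCSC/haveibeenpwned top-100,000 list; the character-swap table and the "two characters changed" threshold are the author's assumptions about what counts as a rehash.

```python
import re
import string
from typing import List, Optional

# Constructed stand-in for the NCSC / haveibeenpwned top-100k breached list
# quoted in the article; a real deployment loads the full list from disk.
COMMON_PASSWORDS = {
    "123456", "qwerty", "password", "iloveyou", "letmein", "football",
}

# Minimum lengths recommended above: 12 for standard accounts, 16 for admins.
MIN_LENGTH = {"standard": 12, "admin": 16}

# The "swap numbers for letters" substitutions the article lists as a common
# pattern (assumed table; extend as needed).
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def normalise(password: str) -> str:
    """Reduce a password to its alphabetic core.

    Strips the leading capital / trailing '2021!' decorations, undoes the usual
    character swaps and lowercases, so 'P@ssw0rd1!' and 'Password2' both
    collapse to 'password'.
    """
    core = password.strip(string.digits + string.punctuation + " ")
    core = core.lower().translate(LEET_MAP)
    return "".join(ch for ch in core if ch.isalpha())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches resets that change 'a character or two'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def has_repeated_word(password: str) -> bool:
    """True if a run of three or more characters is immediately repeated,
    e.g. 'sunshinesunshine' or 'blue blue sky' (ignoring case and spaces)."""
    flat = re.sub(r"\s+", "", password.lower())
    return re.search(r"(.{3,}?)\1", flat) is not None


def check_password(password: str, role: str = "standard",
                   previous: Optional[str] = None) -> List[str]:
    """Return the list of policy failures (an empty list means the password passes)."""
    problems = []
    if len(password) < MIN_LENGTH[role]:
        problems.append(f"shorter than the {MIN_LENGTH[role]} characters required for a {role} account")
    if password.lower() in COMMON_PASSWORDS or normalise(password) in COMMON_PASSWORDS:
        problems.append("is on the common/breached password list")
    if has_repeated_word(password):
        problems.append("repeats a word")
    if previous is not None:
        if normalise(password) == normalise(previous):
            problems.append("is a variation of the previous password")
        elif edit_distance(password.lower(), previous.lower()) <= 2:
            problems.append("differs from the previous password by only a character or two")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw, role, prev in [("P@ssw0rd1!", "standard", None),
                           ("Sunflower2022!", "standard", "Sunflower2021!"),
                           ("carpet lamp window", "admin", None)]:
        print(f"{pw!r}: {check_password(pw, role, prev) or 'OK'}")
```

Note that the checks are about length and known-bad material, not about forcing a capital, a digit and a symbol: as the paragraph on corporate policies warns, complexity rules push people into exactly the predictable decorations that `normalise` strips off. Comparing against the previous password requires the service to have the old plaintext at reset time (it does, since the user has just authenticated with it); never keep a history of plaintext passwords to make this comparison later.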


What’s a good example of a strong password?


If you’re coming up with your own passwords, we recommend the NCSC model of ‘three random words’, as we consider this the most secure way to devise a password. You could pick three things from your living room, for example, so you have an easy memory clue, or you could try and invent a story around your three words to help with recall. You could also look into machine-generated passwords, such as those in a password manager, or try NIST’s approach with a blend of characters (though take care not to fall into common patterns, like swapping ‘O’ for ‘0’).

Whatever you choose, ensure your password is difficult to guess (even by those who know you) by avoiding common phrases (like ‘I love you’), connected words, important dates and favourite things. Be sure to check against lists of common or compromised passwords, too. Ultimately, though, a password manager may be your best option for account security.
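To make the 'three random words' and machine-generated approaches from the two paragraphs above concrete, here is an added example (written for this page, not taken from the article, the NCSC or CovertSwarm) that generates both kinds of password with the operating system's cryptographic random source and reports how much entropy each carries. The 20-word list is constructed for the demo; the 7,776 figure is the size of the EFF long word list, and 94 is the number of printable ASCII characters excluding space, which is what the "mix of casing, letters, numerals and special characters" recommendation draws from.

```python
import math
import secrets
import string

# Constructed mini word list for the demo. A real generator would load a
# published list such as the EFF long list (7,776 words): the bigger the
# list, the more entropy each word contributes.
WORDS = [
    "carpet", "lamp", "window", "teapot", "anchor", "violin", "meadow", "pebble",
    "harbour", "candle", "tractor", "otter", "blanket", "compass", "saffron", "ladder",
    "glacier", "pencil", "marble", "kettle",
]

# Printable ASCII minus space: the 94-symbol alphabet a "mixed character"
# password is drawn from.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def three_random_words(wordlist=WORDS, count=3, separator="-"):
    """Pick `count` distinct words using the OS CSPRNG (secrets, never random)."""
    pool = list(dict.fromkeys(wordlist))   # de-duplicate, keep order
    if len(pool) < count:
        raise ValueError("word list too small")
    chosen = []
    while len(chosen) < count:
        word = secrets.choice(pool)
        if word not in chosen:             # distinct words: no repeated word
            chosen.append(word)
    return separator.join(chosen)


def generated_password(length=16, alphabet=FULL_ALPHABET):
    """Machine-generated password of the kind a password manager produces."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase_entropy_bits(list_size, count=3):
    """Bits of entropy for `count` distinct words drawn uniformly from `list_size`."""
    combos = 1
    for i in range(count):
        combos *= list_size - i            # ordered draws without replacement
    return math.log2(combos)


def charset_entropy_bits(length, alphabet_size=len(FULL_ALPHABET)):
    """Bits of entropy for a uniformly random string over a fixed alphabet."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print("three random words  :", three_random_words())
    print("manager-style       :", generated_password())
    print(f"3 words from 7,776  : {passphrase_entropy_bits(7776):.1f} bits")
    print(f"3 words from 20     : {passphrase_entropy_bits(len(WORDS)):.1f} bits")
    print(f"8 chars, 94 symbols : {charset_entropy_bits(8):.1f} bits")
    print(f"16 chars, 94 symbols: {charset_entropy_bits(16):.1f} bits")
```

The numbers make the trade-off visible: three words from a 7,776-word list give about 39 bits, while eight truly random characters over 94 symbols give about 52, and a 16-character manager-generated password about 105. A passphrase catches up as the word list grows or a fourth word is added, and it only counts as random if the words come from a generator like this one rather than from a glance around the living room.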


What about password managers?


Remembering passwords can be tricky, whatever approach you use to create them. Password managers can suggest complex, randomised passwords for you, store them, and even synchronise them across your devices — so you don’t ever need to remember them. Many people find they make life easier, as logging on can be quicker, you’re less likely to reuse a password, and you won’t need to keep resetting them if you forget. But there are some key things to consider:

  • Your password manager must be linked to a secure email account and it’s recommended you enable MFA for extra protection.

  • Always use the latest version of a password manager or browser (for instance, if you surf and remember passwords through Chrome).

  • Consider which password manager is right for you (or your company). For example, some store your passwords only on your local disk.

How can CovertSwarm help with my passwords or a corporate password policy?


Our approach centres around education. People are often the biggest problem in security matters, because if you don’t know what’s secure (and what isn’t), you can’t protect your account and, by extension, important information. Nobody knows cybersecurity like we do, and we practice what we preach by only following the latest industry guidance. Passwords are just one way hackers might access confidential information — and it's hard to know whether you might be vulnerable. When you work with CovertSwarm, we'll cyber attack your business from all angles to find weaknesses, including weak passwords, using penetration testing and ethical hacking methods. We can then deliver training, workshops, demos and more to show how to secure your applications — just ask.


Are we heading towards a passwordless future?


While it looks like technology is heading that way, a totally passwordless future is still a few years from now. Most data breaches involve weak, default or stolen passwords, and we know that passwords can be hard to create and remember, so going passwordless could make accounts, devices and applications more secure.

We’re already seeing passwordless access supported by biometrics like fingerprint and facial recognition, now used on the majority of smartphones and computers, and authenticator apps are also in common use (for instance, many banks require you to approve a desktop log-in through your phone). Using a PIN, plugging a security ‘key’ into a USB port, and wearables like NFC (Near Field Communication, or short-range wireless) smart rings are also gaining ground. As well as potentially being more secure, these methods generally allow for faster log-in, too — one where a glance, tap or even your proximity can instantly unlock access — and all of those things are much harder to steal or copy than a string of characters.

How do I roll out secure passwords for myself or my organisation?


It’s so important to protect your organisation, your employees and, of course, yourself from would-be attackers. Passwords are a great way to safeguard information but can be vulnerable to hacking if best practices aren’t followed. And you may not realise if your passwords are weak, risky or leaving you open to attack. Strategic planning is always better than firefighting, which is why knowledge is really your greatest ally in creating a strong, secure password.

Through relentless penetration testing and ethical hacking, we can find vulnerabilities like weak passwords, so that you can protect your valuable data and prevent unauthorised access to your account(s).


Read about what we do, see how we could help your business or book a demo today to stay a step ahead.