Password Policy

Comprehensive password requirements and best practices for secure authentication.

Version 3.0 NIST Compliant

Password Composition Rules

  • 12+ characters: minimum length required
  • Mixed case (Aa): upper & lowercase letters
  • Numbers (123): at least one digit
  • Symbols (!@#): special characters

DO

  • Use passphrases (e.g., "Coffee-Mountain-Rain-2024!")
  • Use a password manager to generate and store passwords
  • Enable Multi-Factor Authentication (MFA) everywhere
  • Use unique passwords for each account
  • Change passwords immediately if compromised

DON'T

  • Never use personal info (birthdays, names, pets)
  • Never share passwords via email or chat
  • Never write passwords on sticky notes
  • Never reuse passwords across accounts
  • Never use common patterns (123456, qwerty)
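
The composition rules and the DON'T list above, expressed as a checker that reports which rules a candidate password breaks. This is an added example, not part of the original policy; the function names, the personal_info parameter, the definition of "symbol" and the sample passwords are assumptions.

```python
import re

# Values taken from the policy text: 12+ characters, and the two
# common patterns it names explicitly.
MIN_LENGTH = 12
COMMON_PATTERNS = ("123456", "qwerty")


def _normalize(text):
    """Lowercase and drop separators so 'Q-w-e-r-t-y' matches 'qwerty'."""
    return re.sub(r"[^a-z0-9]", "", text.casefold())


def check_password(password, personal_info=()):
    """Return the list of violated rules; an empty list means compliant.

    personal_info is a hypothetical parameter: strings known about the
    user (name, pet, birthday) that must not appear in the password.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("length")
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if not (has_upper and has_lower):
        violations.append("mixed_case")
    if not any(c.isdigit() for c in password):
        violations.append("digit")
    # Assumption: a symbol is anything that is not a letter, digit or space.
    if not any(not c.isalnum() and not c.isspace() for c in password):
        violations.append("symbol")
    flat = _normalize(password)
    if any(pattern in flat for pattern in COMMON_PATTERNS):
        violations.append("common_pattern")
    for item in personal_info:
        token = _normalize(item)
        # Skip very short tokens so incidental matches do not reject.
        if len(token) >= 3 and token in flat:
            violations.append("personal_info")
            break
    return violations


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for candidate in ("Coffee-Mountain-Rain-2024!", "Qwerty123456!!", "qwerty"):
        print(candidate, "->", check_password(candidate) or "compliant")
```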

Password Management Timeline

  • Day 1: Create strong password
  • Day 30: Security check
  • Day 75: Expiry warning
  • Day 90: Mandatory change

MFA is Mandatory

All accounts must have MFA enabled. Choose from approved methods:

  • Authenticator App (Preferred)
  • Hardware Key (Preferred)
  • SMS Code (Acceptable)
  • Email Code (Last Resort)

mfa-login
$ Enter password: ************
$ Password VERIFIED
$ Enter MFA code: ******
$ MFA VERIFIED
$ Access GRANTED

Password Compromised?

If you suspect your password has been compromised, act immediately:

  1. Change password immediately on all affected accounts
  2. Report incident to IT Security team
  3. Check for unauthorized access in account activity logs
  4. Enable MFA if not already active
