The password policy is a topic on which many companies are stuck in the 2000s. A forced change every thirty days, a requirement for a special character and a capital letter, and the effect is that people write passwords on sticky notes and add a 1 at the end. Current guidance, including from institutions such as NIST, says something entirely different. I will show how to set a policy that genuinely raises security, instead of just making life harder.
Why the old rules do harm
Intuition suggests that the more frequent the change and the more odd characters, the better. Practice shows the opposite.
- A forced frequent change leads to predictable passwords. Winter2026 turns into Spring2026, and that is no obstacle for an attacker.
- Complicated character rules do not at all produce a long, strong password. Password1! is short and weak, even though it meets the requirements.
- Too many rules make people write passwords in visible places or use one everywhere.
The worst password is not the one that is too simple. It is the one the same person has at the same time in their company mail, their bank and a forum that leaked three years ago. A leak in one place then opens all the doors at once.
What a sensible password policy looks like
The modern approach bets on length and uniqueness instead of artificial complexity.
- Length over complexity. A minimum of twelve characters, and ideally a phrase of several words, for example green bike under the bridge. Easy to remember, hard to crack.
- No forced periodic change. We change a password only when there is a suspicion of a leak or compromise, not on a calendar.
- Uniqueness for every service. No single password for everything. That is a job for a password manager.
- Checking for leaks. Blocking passwords that have appeared in known leaks, instead of counting special characters.
- MFA as a must, especially on mail, VPN and administrative accounts. Even a good password on its own is not enough.
In a Microsoft environment, a large part of these rules can be enforced centrally. Through Entra ID you can ban typical weak passwords, protect against attacks and require MFA for the whole organisation, without manually watching every account.
A password manager, the foundation of the whole thing
You cannot keep several dozen long, unique passwords in your head. And you do not have to. A password manager is a program that stores them in an encrypted vault, and the user remembers only one master password.
What it gives in practice.
- Generates strong, random passwords for every service automatically.
- Offers to sign in only on the correct site, which incidentally protects against phishing, because on a fake domain it will not suggest the credentials.
- Lets you securely share access within the team without sending passwords by email or chat.
- Shows weak and reused passwords, so you can see what to fix first.
How to roll out a manager in a company
Buying the licence alone is not the rollout. For the team to actually use it, it is worth going through a few steps.
- Choosing a business version with an administrative panel, not loose private accounts.
- A short training showing how to add a password and how to sign in with one click. Convenience is the best argument here.
- Migrating existing passwords and, along the way, replacing the weakest with new, strong ones.
- Sharing rules, meaning who has access to shared accounts and how we revoke access when an employee leaves.
- The master password under MFA protection, because it protects the whole vault.
The second point is key. A manager that is more convenient than a sticky note wins. A manager that gets in the way will be abandoned. That is why the rollout is worth combining with security awareness training, so the team understands not only how, but also why.
Common mistakes
- Keeping passwords in a spreadsheet or in phone notes.
- Sending passwords by email or chat, where they stay forever.
- One administrative password known to half the company, with no trace of who used it and when.
- No procedure for revoking access when someone leaves.
Each of these points is a typical start of an incident. Sorting them out costs little and closes real gaps.
Where to start
If you want to take one step with the biggest effect, start by turning on MFA on mail and rolling out a company password manager. Then simplify the policy: bet on length and uniqueness, and throw out the forced monthly change. Finally, bring order to shared accounts and the access revocation process. That is a few days of work, not a big project.
If you want to set a password policy and roll out a manager so that the team really uses it, we will help choose a solution and carry out the rollout without chaos. Start with a conversation about what passwords look like in your company today.