How to Write a Workplace Password Policy That Actually Works

The short answer: a workplace password policy works when it is short enough to be read, technically enforced rather than merely written down, and built on length instead of forced complexity. Set sensible minimum lengths, drop scheduled resets, require a password manager, and layer on SSO and 2FA. Below is a template you can adapt in an afternoon.

Why most password policies fail

The classic corporate password policy is three pages long, demands an uppercase letter, a number, a symbol, and a change every 30, 60, or 90 days. It feels rigorous. In practice it produces Summer2026! followed by Summer2026!!, sticky notes under keyboards, and a help desk drowning in reset tickets.

The problem is that these rules optimise for looking secure on paper rather than for how people behave. When you force frequent changes and rigid composition, users fall back on predictable patterns that attackers know well. A policy only works if it shapes good behaviour with the least possible friction.

Start from the modern baseline

Current guidance from NIST SP 800-63B reversed much of the old orthodoxy. The headline shifts are simple: prioritise length, stop forcing periodic resets, and screen passwords against lists of known-breached credentials rather than imposing arbitrary composition rules. If you want the detail, see our companion piece, NIST password guidelines explained.

For a small or mid-size business, you do not need to reproduce a federal standard. You need a handful of rules that are defensible, enforceable, and humane.

The five rules that matter

1. Set minimum length by account tier

Length is the single biggest lever on password strength. A reasonable tiering is the one used in the template below: 12 characters for standard accounts, 16 for sensitive systems, and 20 or more for admin and privileged accounts.

Allow long passphrases and never cap maximum length below 64 characters. You can produce compliant credentials for each tier with our workplace password generator, which has presets matching exactly these bands.

2. Stop forcing scheduled resets

Drop calendar-based password expiry for memorised secrets. Require a change only when there is evidence of compromise — a breach notification, a phishing incident, or a departing employee with shared access. This reduces help-desk load and, counterintuitively, improves security because people stop cycling through weak variants.

3. Replace complexity rules with breach screening

Instead of mandating one of every character class, check new passwords against a list of previously breached passwords and block obvious choices (the company name, password1, keyboard walks). Most identity providers and password managers can do this automatically. Length plus a breach check beats composition rules every time.
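As an added example (not WorkPassword's own tooling and not part of the original article), the Python checker below enforces rules 1 and 3 together: the length tiers from the template, a denylist for the company name, a keyboard-walk check, and a breached-password lookup modelled on the k-anonymity range query used by Have I Been Pwned's Pwned Passwords (SHA-1, uppercase hex, five-character prefix). The breached set is a small constructed stand-in, and the tier names and the blocked term are assumptions. It also catches the Summer2026! to Summer2026!! problem from the introduction by re-checking the password with trailing symbols and digits peeled off. Note what it deliberately does not do: demand character classes.

```python
"""Password-policy checker: length tiers plus breach and denylist screening.

Constructed example for illustration; not WorkPassword's code.
"""
import hashlib
import re

# Minimum length per account tier (tier names are an assumption; the numbers
# match the bands in the article's template).
TIER_MIN_LENGTH = {"standard": 12, "sensitive": 16, "admin": 20}

# Constructed stand-in for a breached-password corpus: SHA-1 digests of a few
# weak passwords, stored the way a k-anonymity range service keys them.
# In production these come from a breach feed such as Pwned Passwords.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password1", "Summer2026", "qwerty123456", "letmein12345")
}

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def _sha1_upper(password):
    return hashlib.sha1(password.encode()).hexdigest().upper()


def breach_range(prefix):
    """Emulate a k-anonymity range lookup: every breached hash suffix whose
    first five hex characters equal `prefix`. A real client would send only
    the prefix to the service and compare suffixes locally."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def _variants(password):
    """The password plus the 'base' forms an attacker tries first:
    trailing symbols stripped, then trailing digits and symbols stripped."""
    seen = set()
    for cand in (
        password,
        re.sub(r"[^A-Za-z0-9]+$", "", password),
        re.sub(r"[^A-Za-z]+$", "", password),
    ):
        if cand and cand not in seen:
            seen.add(cand)
            yield cand


def is_breached(password):
    """True if the password, or a trivial variant of it, is in the breach set."""
    for cand in _variants(password):
        digest = _sha1_upper(cand)
        if digest[5:] in breach_range(digest[:5]):
            return True
    return False


def has_keyboard_walk(password, run=5):
    """True if `run` or more adjacent keys from one keyboard row appear in order."""
    low = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in low:
                    return True
    return False


def contains_blocked_term(password, blocked_terms):
    low = password.lower()
    return any(term.lower() in low for term in blocked_terms)


def check_password(password, tier="standard", blocked_terms=("WorkPassword",)):
    """Return a list of policy violations; an empty list means compliant.

    No composition rules: length, denylist and breach screening only."""
    if tier not in TIER_MIN_LENGTH:
        raise ValueError(f"unknown tier {tier!r}")
    problems = []
    if len(password) < TIER_MIN_LENGTH[tier]:
        problems.append(
            f"shorter than the {TIER_MIN_LENGTH[tier]} characters required for {tier} accounts"
        )
    if contains_blocked_term(password, blocked_terms):
        problems.append("contains a blocked term (company or product name)")
    if has_keyboard_walk(password):
        problems.append("contains a keyboard walk")
    if is_breached(password):
        problems.append("matches a breached password or a trivial variant of one")
    return problems


if __name__ == "__main__":
    for pw, tier in (("Summer2026!!", "standard"),
                     ("correct horse battery staple enters the stable", "admin")):
        print(pw, tier, check_password(pw, tier) or "OK")
```

Wire the same three checks into your identity provider or password manager rather than running this at the help desk; the point of the example is to show that the policy reduces to a handful of mechanical tests, none of which asks for an uppercase letter or a symbol.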

4. Mandate a password manager

The policy should require that work credentials live in an approved password manager, not in browsers' built-in stores, spreadsheets, or memory. This is what makes long, unique, random passwords realistic — nobody has to remember them. See choosing a password manager for your team for selection criteria.

5. Layer on SSO and 2FA

Single sign-on reduces the number of passwords people juggle, and two-factor authentication means a stolen password alone is not enough to get in. Require 2FA on every account that supports it, and prioritise authenticator apps and, wherever possible, phishing-resistant hardware keys over SMS.

A copy-and-adapt policy template

WorkPassword Policy (example)

  1. All work accounts use a unique password stored in the company password manager.
  2. Minimum length: 12 characters (standard), 16 (sensitive systems), 20+ (admin/privileged). No maximum below 64.
  3. Passwords are never reused across systems or shared by message or email.
  4. New and changed passwords are screened against known-breached lists.
  5. Passwords are changed only on evidence of compromise — not on a schedule.
  6. Two-factor authentication is enabled on every account that supports it.
  7. Privileged credentials are machine-generated and never stored outside the password manager.

Seven lines. People will actually read it, and every clause maps to a setting you can enforce in your identity provider or password manager.

Enforce technically, not just on paper

A policy nobody can violate is worth more than a policy everybody ignores. Translate each rule into configuration: minimum-length and breach-screening settings in your IdP, mandatory 2FA enrolment, password-manager deployment via your device management tool, and removal of legacy expiry rules. Written words should describe what the systems already enforce.

Roll it out without a revolt

Announce the change as a simplification, because it is: fewer forced resets, no more cryptic complexity rules, one tool that remembers everything. Give a four-week window, run a short lunch-and-learn, and make sure the help desk can reset password-manager access quickly. The goal is for the secure path to also be the easiest path.

Frequently asked questions

How long should a workplace password be?

Set a minimum of at least 12 characters for standard accounts and 16 or more for privileged and admin accounts. Allow long passphrases and do not cap length below 64 characters.

Should we force regular password changes?

No. NIST recommends not forcing periodic changes for memorised secrets. Only require a change when there is evidence of compromise. Routine forced resets push people toward weak, predictable patterns.

Do we still need complexity rules?

Heavy composition rules are discouraged. Prioritise length, screen new passwords against known breached lists, and let a password manager handle complexity automatically.

How do we enforce the policy in practice?

Enforce technically through your identity provider and password manager settings, deploy SSO and 2FA, and keep the written policy short so people can actually read and follow it.

Daniel Mercer

Daniel is an IT security consultant who helps small and mid-size businesses build practical, compliant password policies. He writes WorkPassword's guidance with a bias toward what teams will actually do, not just what looks good in an audit.