Strong Password Policy Requirements Protect Data, Systems

It remains a critical and ever-evolving challenge to protect your organization’s data and operations from destructive forces such as unauthorized users, cyberattacks, and data breaches. The first level of security from such attacks is the implementation of strong password policies as a line of defense for an organization’s data security.

Balancing risk and user-friendliness is challenging. “When an employee has so many complex passwords to remember that they keep them on a sticky note attached to their computer screen, that could be a sign that your organization needs a wiser policy for passwords,” per NIST.gov.

Password Threats

  • “55% of people rely on their memory to manage passwords,” reported helpnetsecurity.com. Memory is a fickle tool. Recognizing this, many people keep hard-copy lists of their passwords, usually on their desks.
  • Composition rules are commonly used in an attempt to increase the difficulty of guessing user-chosen passwords. Research has shown, however, that users respond in very predictable ways to the requirements imposed by composition rules. For example, a user that might have chosen “password” as their password would be relatively likely to choose “Password1” if required to include an uppercase letter and a number, or “Password1!” if a symbol is also required.
  • Many attacks associated with the use of passwords are not affected by password complexity and length. Keystroke logging, phishing, and social engineering attacks are equally effective on lengthy, complex passwords as simple ones.

Tips for Strong Password Management

Effective password management goes beyond password strength. In the United States, we typically follow the NIST guidelines. AAFCPAs provides below a summary of NIST 2021 password recommendations (NIST Special Publication 800-63B, Digital Identity Guidelines) to help clients enhance their cybersecurity posture as it relates to password management.

  • Password length is more important than password complexity. We advise clients to encourage the use of passphrases and to set the maximum password field length to 20-64 characters.
  • Use symbols and characters within phrases rather than letters alone. For example, use the ;-) wink emoticon in the phrase “Winking at me” instead of spelling it out in letters.
  • Do not enforce regular password resets. Humans follow predictable patterns. NIST recommends that password resets should only be performed if a compromise is suspected.
  • Screen all new passwords against lists of commonly used and compromised passwords.
  • Allow pasting of passwords and the option to show the password while typing. The ease these features create reduces user frustration and the likelihood of weak passwords.
  • Limit the number of failed password attempts before account lockout. Users should be locked out of their accounts after 3 or 5 failed password attempts, which protects against brute-force attacks.
  • Implement 2-factor authentication. 2FA is essential to network and web security because it immediately neutralizes the risks associated with compromised passwords.
  • Salt and hash passwords. The NIST password recommendations now include a requirement to salt passwords with at least 32 characters and to ensure they are hashed with a one-way key derivation function.
  • Educate users about password threats and how they should respond.
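The list above describes several controls that a login system can enforce mechanically: a length-based policy with no composition rules, screening against a blocklist of common or compromised passwords, salting and hashing with a one-way key derivation function, and lockout after a small number of failures. The following is an added example, not code from AAFCPAs or from NIST, showing those controls together in one small credential store. The blocklist is constructed for illustration (a real deployment would use a breached-password corpus), the lockout threshold of 5 follows the article's "3 or 5", and the 16-byte salt exceeds the 32-bit minimum that SP 800-63B itself states. PBKDF2-HMAC-SHA256 from the standard library is used as the one-way KDF; the iteration count is an assumption for the example.

```python
"""Added example: minimal NIST SP 800-63B style password handling.
Not AAFCPAs' code; the blocklist, names and iteration count are constructed."""
import hashlib
import hmac
import os
import unicodedata

MIN_LENGTH = 8            # SP 800-63B minimum length for user-chosen secrets
MAX_LENGTH = 64           # the article advises allowing fields of 20-64 characters
LOCKOUT_THRESHOLD = 5     # lock the account after this many consecutive failures
SALT_BYTES = 16           # 128-bit random salt; SP 800-63B requires at least 32 bits
PBKDF2_ITERATIONS = 600_000  # assumed work factor for the example

# Constructed stand-in for a commonly-used/compromised password list.
COMMON_PASSWORDS = {
    "password", "password1", "password1!", "123456", "qwerty", "letmein",
}


def normalize(password: str) -> str:
    """NFKC-normalize so visually equivalent Unicode input checks and hashes the same."""
    return unicodedata.normalize("NFKC", password)


def check_policy(password: str) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable.

    Deliberately enforces no composition rules (no uppercase/digit/symbol
    requirements), because users answer those with predictable substitutions."""
    pw = normalize(password)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears on the commonly-used/compromised list")
    return problems


def hash_password(password: str) -> dict:
    """Create a stored credential record: per-user random salt + PBKDF2 digest."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(password).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {
        "salt": salt,
        "hash": digest,
        "iterations": PBKDF2_ITERATIONS,
        "failures": 0,
        "locked": False,
    }


def verify_password(record: dict, attempt: str) -> bool:
    """Check an attempt against the record, counting failures and locking the account.

    Uses a constant-time comparison so the digest check does not leak timing."""
    if record["locked"]:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(attempt).encode("utf-8"), record["salt"], record["iterations"]
    )
    if hmac.compare_digest(digest, record["hash"]):
        record["failures"] = 0
        return True
    record["failures"] += 1
    if record["failures"] >= LOCKOUT_THRESHOLD:
        record["locked"] = True
    return False


if __name__ == "__main__":
    # The article's own example of a predictable "complex" password is rejected,
    # while a passphrase with an emoticon passes with no composition rule at all.
    print(check_policy("Password1!"))          # blocklisted
    print(check_policy("Winking at me ;-)"))   # acceptable
    rec = hash_password("Winking at me ;-)")
    print(verify_password(rec, "Winking at me ;-)"))  # True
```

The record stores the salt and iteration count beside the digest, so the work factor can be raised later without invalidating existing accounts; an attempt against a locked account returns False without touching the KDF, which is what keeps the lockout meaningful against repeated guessing.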

AAFCPAs provides Information Risk Management & Cybersecurity solutions, including System and Organization Controls (SOC) Attestations, IT Risk Assessments, and Vulnerability Management as a Service (VMaaS). These solutions include assessments of risks related to password policies. Our IT Security Professionals advise clients on defining strong password policy requirements and selecting centralized and local password management solutions. We also advise clients on threat mitigation strategies, including secure storage and transmission of passwords, user awareness activities, and secure password recovery and reset mechanisms.

If you have questions, please contact Andrew Mathieson at 774.512.9089, amathieson@nullaafcpa.com; or your AAFCPAs Partner.

About the Author

Andrew is a seasoned IT risk & cybersecurity advisor and a leader in AAFCPAs’ Business Process & IT Consulting Practice responsible for providing information risk management, cybersecurity, and special IT attestation solutions. He helps clients—and those charged with governance and risk management—navigate their digital ecosystem with confidence. This confidence enables further innovation through technology! Andrew has extensive experience providing direction, supervision, performance, and review of audit engagements, including SOC 1, SOC 2, SOC for Cybersecurity, and SOC 2+HIPAA. He also provides HITRUST Certification examinations and assessments, GDPR assessments, FFIEC assessments, GLBA assessments, HIPAA assessments, Internal Risk Assessments, and SOX 404 audits. He renders these services across a variety of industries, including Healthcare, Managed IT Services, SaaS/PaaS/IaaS companies, Data Centers, Cloud Services, Collection agencies, Printing and Mailing companies, Financial Corporations, and diverse nonprofit organizations.