What is a password policy and why should you apply it?

Users are increasingly concerned about their security, and the first line of defense should be a good password. Obviously not all passwords are the same: some are more secure than others. What determines the quality of a password is its length and the types of characters it uses. To improve security further, it is advisable to activate two-factor authentication wherever it is available. If we want good online security, we must make sure our passwords are strong. In this article we are going to talk about what a password policy is and why it should be applied.

What is a password policy for?

A password policy can be defined as a set of rules designed to improve computer security by encouraging users to create stronger passwords. Establishing a password policy gives us a defined framework for how people create and use those passwords. It is a formula that guides users in generating secure passwords.

In addition to this, users should receive cybersecurity training, not only about passwords but also about the various types of attacks they may suffer. As for why it is worth having a good password policy, the main reasons are:

  • It protects our data and confidential information. Without it, our network is more exposed to data breaches.
  • It maintains order and builds trust. A password policy is intended for everyone who uses your network, which means that external users of your network must follow it too. It also builds trust, because users see that the owners of the website or company take security seriously.
  • It promotes a culture of cybersecurity, since users learn how to protect themselves. If users are informed about cyber threats and how to avoid them, there is less chance of them being hacked.

You may also be interested in testing your own passwords with Hydra to find out whether they are secure.

What should I do to create a good password?

The goal of a good password policy is to make your network and your credentials across different services more secure. A policy that does not achieve this is a waste of time. For this reason we have to look at a series of elements in the password:

  1. Strength and length: You must create passwords that contain uppercase letters, lowercase letters, numbers, and special symbols, and that are as long as possible, with a minimum of 12 characters.
  2. Expiration: Passwords must have an expiration date so that they are changed regularly.
  3. Password history: Old passwords (or rather their hashes) are stored so that users cannot reuse them.
  4. Password change: Changing the password must be possible at any time, but security measures such as two-factor authentication must be in place to protect that process.
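The four elements above can be checked mechanically. The following is an added example, not code from the original article, showing a small policy enforcer in Python: it validates strength and length (12+ characters, all four character classes, as the article recommends), keeps a per-user history of salted PBKDF2 hashes so that old passwords cannot be reused, and flags a password as expired after a maximum age. The 90-day maximum age, the 5-entry history depth and the PBKDF2 iteration count are constructed values chosen for this example, not figures from the article.

```python
import hashlib
import hmac
import os
import string
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Policy parameters. MIN_LENGTH and the character classes follow the article's
# guidance; MAX_AGE_DAYS and HISTORY_SIZE are constructed values for this example.
MIN_LENGTH = 12
MAX_AGE_DAYS = 90
HISTORY_SIZE = 5
SPECIAL = set(string.punctuation)
PBKDF2_ITERATIONS = 100_000  # constructed value; tune for your hardware


def strength_problems(password: str) -> List[str]:
    """Return the list of strength rules the password violates (empty means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIAL for c in password):
        problems.append("no special symbol")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 digest. History stores only (salt, digest) pairs,
    never the plaintext password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class PasswordRecord:
    """Per-user state needed to enforce expiration and password history."""

    def __init__(self) -> None:
        self.history: List[Tuple[bytes, bytes]] = []  # oldest first, newest last
        self.changed_on: Optional[date] = None

    def was_used_before(self, password: str) -> bool:
        """True if the candidate matches any hash still kept in the history window."""
        for salt, digest in self.history:
            _, candidate = hash_password(password, salt)
            if hmac.compare_digest(candidate, digest):  # constant-time comparison
                return True
        return False

    def set_password(self, password: str, today_iso: str) -> List[str]:
        """Apply the policy; return the violations, or [] if the change was accepted."""
        problems = strength_problems(password)
        if self.was_used_before(password):
            problems.append(f"reused one of the last {HISTORY_SIZE} passwords")
        if problems:
            return problems
        self.history.append(hash_password(password))
        self.history = self.history[-HISTORY_SIZE:]  # keep only the newest entries
        self.changed_on = date.fromisoformat(today_iso)
        return []

    def is_expired(self, today_iso: str) -> bool:
        """A password that was never set, or is older than MAX_AGE_DAYS, must be changed."""
        if self.changed_on is None:
            return True
        return date.fromisoformat(today_iso) - self.changed_on > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    record = PasswordRecord()
    print(record.set_password("Tr0ub4dor&3xyz", "2024-01-01"))   # []
    print(record.set_password("Tr0ub4dor&3xyz", "2024-02-01"))   # reuse rejected
    print(record.is_expired("2024-06-01"))                       # True
```

The strength check is deliberately reported as a list of violations rather than a single boolean, so that the user (or the help desk) can be told exactly which rule was broken; returning only "invalid" tends to push people toward trivial workarounds. Storing the history as salted hashes means a leak of the history table does not leak the old passwords themselves.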

Once we know how to create a good password, let’s see how we can implement a password policy.

How to implement it

Once we are clear that we want to create effective password policies, we must set some goals if we want them to be implemented well.

  • We have to use strong passwords. For this, it is very important to follow the guidelines explained in the previous section about strength and length. Adding special symbols such as @ plays a very important role here.
  • Inform users that they must use unique passwords, since if one of their accounts is hacked, the rest could also be in danger. A good measure that helps with storing them is to use a password manager.
  • Implement password management tools and enforce penalties for violations. For example, one tool we can use to achieve this goal is the Windows password policy, combined with additional tools for the rest of the applications. Sometimes sanctions are also necessary, because some users do not take security seriously; the stronger the sanction, the more seriously the policy is usually taken.
  • Be proactive and anticipate the future. Penetration tests can be carried out to look for vulnerabilities. It is also important to have a plan for ransomware and other attacks, along with a good backup policy.
  • The password policy should be reviewed regularly, since over time it can become obsolete. For example, the minimum password length may need to be increased in the future.

Computer security is a matter of being informed and of taking security measures. Many cybercriminal attacks succeed because of users' lack of knowledge. Finally, if a password policy is used, we make things harder for these attackers and it becomes more difficult for them to carry out a successful cyberattack.
