Password Policy
What is Password Policy?
A documented set of rules governing how user passwords are created, stored, rotated, and validated to balance security against usability for the workforce.
A password policy defines the requirements an organization places on user-chosen secrets: minimum length, allowed character sets, screening against breached corpora, expiration rules, and lockout thresholds. Modern guidance in NIST SP 800-63B (Digital Identity Guidelines, Revision 3 and the draft Revision 4) has shifted away from forced periodic resets and complex composition rules, which empirical research showed pushed users toward predictable patterns. Today's recommended baseline is a minimum of 8 characters (15+ for privileged accounts), comparison against known-breached password lists such as Have I Been Pwned, and no mandatory rotation absent evidence of compromise. Effective policies also pair length with MFA, password managers, and rate limiting.
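As an added example (not code from the glossary page), the following Python validator applies the baseline above: the 8- and 15-character floors, no composition rules, and a breached-password screen modelled on the Pwned Passwords k-anonymity range query, in which only the first five hex characters of the SHA-1 hash leave the client. The breach corpus and its counts are constructed, and `fake_range_lookup` is an offline stand-in for the real range API.

```python
import hashlib

# Baseline from NIST SP 800-63B as summarised above: length floors, a generous
# ceiling, no composition rules and no scheduled rotation.
MIN_LEN_USER = 8
MIN_LEN_PRIVILEGED = 15
MAX_LEN = 64

# Constructed stand-in for a breach corpus (password -> breach count); a real
# deployment would query the Pwned Passwords range API instead.
_CONSTRUCTED_CORPUS = {"password": 9545824, "letmein": 1234, "Summer2024!": 17}


def _sha1_hex(secret: str) -> str:
    return hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()


def fake_range_lookup(prefix: str) -> str:
    """Stand-in for GET /range/{prefix}: 'SUFFIX:COUNT' lines for every corpus
    entry whose SHA-1 starts with the 5-hex-char prefix (the API's shape)."""
    lines = []
    for pw, count in _CONSTRUCTED_CORPUS.items():
        digest = _sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def breach_count(secret: str, range_lookup=fake_range_lookup) -> int:
    """k-anonymity screen: only the first 5 hex chars of the hash leave the
    client; the 35-char suffix is compared locally against the response."""
    digest = _sha1_hex(secret)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def check_password(secret: str, privileged: bool = False) -> "str | None":
    """Return None when the password passes policy, else the reason it fails."""
    floor = MIN_LEN_PRIVILEGED if privileged else MIN_LEN_USER
    if len(secret) < floor:
        return f"too short: minimum {floor} characters"
    if len(secret) > MAX_LEN:
        return f"too long: maximum {MAX_LEN} characters"
    if hits := breach_count(secret):
        return f"appears in {hits} known breaches; choose a different password"
    return None
```

Swapping `fake_range_lookup` for a function that fetches the real range endpoint keeps the client-side logic unchanged, since the suffix comparison already happens locally.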
● Examples
- 01 An Active Directory fine-grained password policy requiring 14 characters and HIBP screening for Domain Admins.
- 02 A SaaS sign-up flow that rejects any password appearing in the Pwned Passwords API.
● Frequently asked questions
What is Password Policy?
A documented set of rules governing how user passwords are created, stored, rotated, and validated to balance security against usability for the workforce. It belongs to the Identity & Access category of cybersecurity.
What does Password Policy mean?
A documented set of rules governing how user passwords are created, stored, rotated, and validated to balance security against usability for the workforce.
What are other names for Password Policy?
Common alternative names include: Password rules, Credential policy.
● Related terms
- Password (identity-access № 795): A secret string of characters that a user supplies to prove identity to a system, traditionally the dominant single-factor authentication mechanism.
- Password Entropy (identity-access № 796): A measure, in bits, of the unpredictability of a password — higher entropy means more guesses are required for an attacker to recover it.
- Pwned Password (identity-access № 884): A password that has appeared in a known data breach and therefore must never be allowed as a user secret, as catalogued by Troy Hunt's Have I Been Pwned service.
- Password Manager (identity-access № 797): An application that generates, stores, and autofills strong unique credentials, secured by a master passphrase and increasingly by passkeys.
- Multi-Factor Authentication (MFA) (identity-access № 708): An authentication method that requires two or more independent factors — typically from different categories — before granting access.
- Account Lockout (identity-access № 009): A control that temporarily or permanently blocks sign-in attempts after a configured number of consecutive failures, slowing online password-guessing attacks.