COMPLIANCE · April 20, 2025 · 8 min read

How to Build a Company Password Policy That People Actually Follow

Policies that are too restrictive get worked around. Here is how to design a password policy with realistic compliance rates.

Why most password policies fail

Password policies fail for two reasons: they're too complex to follow without a password manager, and they're written for compliance rather than actual security. A policy that requires 12 characters, three character classes, a symbol, no repeats, no dictionary words, and rotation every 90 days will produce "Summer2024!" from every employee and nothing else. Writing the policy is not the same as improving security.

The policy framework that actually works

Start with NIST 800-63B as the foundation, which means: prioritise length over complexity, remove arbitrary rotation requirements, mandate a password manager, and require breach checking for new passwords. PassGeni's Policy Generator produces a NIST-aligned written policy in two minutes — use it as your base document.

The three things that matter most

1. Mandate a password manager. Every other policy requirement is enforceable only if employees can actually comply with it. Without a password manager, long unique passwords are impossible to manage, and your policy is aspirational fiction. Choose a team manager (Bitwarden, 1Password Teams, Keeper), pay for it centrally, and make installation a day-one requirement.

2. Set realistic minimums that the password manager makes easy. 16 characters minimum for all accounts. Must be unique per site. Generated by the password manager, not invented by the user. These requirements are trivially easy with a password manager and completely impossible without one — which is why they must come as a bundle.

3. Define what to do when compromised. Your policy needs a response playbook, not just rules. What does an employee do if they think their credentials are compromised? Who do they tell? How fast? What gets rotated? The absence of this is what turns incidents into breaches.
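The minimums above (16 characters, unique per site, rejected if already breached, no composition rules) are what a password manager or onboarding audit tool checks on every new credential. Here is that check written out as an added example, not PassGeni's or any manager's own code; the breach corpus is a constructed three-entry set, and the k-anonymity prefix lookup mirrors the shape of a range query against a real breach service without calling one.

```python
import hashlib
from dataclasses import dataclass, field

MIN_LENGTH = 16  # the policy's minimum for all accounts

# Constructed breach corpus, held as SHA-1 hex digests so no plaintext sits in the checker.
_BREACHED_HASHES = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Summer2024!", "Password123456789", "correcthorsebatterystaple")
}


def is_breached(password: str) -> bool:
    """True if the password appears in the (constructed) breach corpus."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    # k-anonymity style: select candidates by 5-char prefix, then match the suffix locally.
    # A real deployment sends only the prefix to the breach service.
    prefix, suffix = digest[:5], digest[5:]
    candidates = {h[5:] for h in _BREACHED_HASHES if h.startswith(prefix)}
    return suffix in candidates


@dataclass
class VaultAudit:
    """Tracks password fingerprints per site so reuse across accounts is caught."""
    seen: dict = field(default_factory=dict)  # fingerprint -> first site it was accepted for

    @staticmethod
    def fingerprint(password: str) -> str:
        return hashlib.sha256(password.encode()).hexdigest()

    def check(self, site: str, password: str) -> list:
        """Return the policy violations for a new credential; an empty list means accepted."""
        problems = []
        if len(password) < MIN_LENGTH:
            problems.append(f"too short: {len(password)} < {MIN_LENGTH}")
        if is_breached(password):
            problems.append("found in breach corpus")
        fp = self.fingerprint(password)
        first = self.seen.get(fp)
        if first is not None and first != site:
            problems.append(f"reused from {first}")
        # Only accepted credentials are recorded, so a rejected one never blocks a later one.
        if not problems:
            self.seen.setdefault(fp, site)
        return problems
```

Note that "correcthorsebatterystaple" passes the length rule and is rejected only because it is in the breach corpus, which is the NIST 800-63B trade: no character-class rules, but a breach check on every new password.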

Enforcement without surveillance

Password policy enforcement via surveillance (keyloggers, periodic password audits) is both ineffective and corrosive to trust. Effective enforcement comes from tooling: a mandated password manager that enforces generation rules, SSO where possible to reduce the number of individual credentials, and a password audit tool that checks for weak or reused credentials during onboarding and annual reviews.

Key topics: company password policy, policy compliance, security culture, employee security, policy design