Skip to main content
IT KORR
IT KORRKeeping Organizations Reliable & Resilient
Password Security · Download

Password Security Checklist

A practical, printable checklist covering the core credential-security controls every organization should have in place.

IT KORR Knowledge Center

Password Security Checklist

A practical, printable checklist covering the core credential-security controls every organization should have in place.

Individual Password Practices

  • Every account uses a unique password — no password is reused across two or more services.
  • Passwords are at least 12 characters, generated randomly or chosen as a random multi-word passphrase.
  • All passwords are stored in an approved password manager, not in browsers, spreadsheets, or written notes.
  • Multi-factor authentication is enabled on every account that supports it, prioritizing email and financial accounts first.

Organizational Controls

  • A written password policy exists and is reviewed at least annually.
  • Minimum password length is enforced at 12+ characters with no mandatory composition rules.
  • New passwords are screened against known-breached password lists.
  • MFA is enforced for all users, with no standing exclusions beyond documented, monitored break-glass accounts.
  • Legacy authentication protocols that bypass MFA are disabled.
  • A company-provisioned password manager is deployed and SSO-integrated for automatic offboarding.
  • Account lockout is configured after a reasonable number of failed attempts.
  • Vendor default credentials are changed before any system goes into production.

Privileged & Service Accounts

  • Administrative accounts are separate from standard user accounts.
  • Privileged accounts use hardware-backed or phishing-resistant MFA where supported.
  • Service account credentials are fully random, stored in a secrets manager, and never memorized or shared verbally.

Related Resources

  • NIST Password Guidelines — /knowledge-center/cybersecurity/password-security/nist-password-guidelines
  • Password Manager Guide — /knowledge-center/cybersecurity/password-security/password-manager-guide
  • Password Policy Generator — /tools/password-policy-generator

This document is a starting-point resource, not legal or compliance advice. Review it against your organization's actual systems before adoption — see the full Password Security Hub for the reasoning behind each recommendation, or use the Password Policy Generator for a fully configurable policy document.

Build: add8299 | Built: Jul 9, 2026 9:26 PM EDT