IT KORR Knowledge Center
Password Security Checklist
A practical, printable checklist covering the core credential-security controls every organization should have in place.
Individual Password Practices
- Every account uses a unique password — no password is reused across two or more services.
- Passwords are at least 12 characters, generated randomly or chosen as a random multi-word passphrase.
- All passwords are stored in an approved password manager, not in browsers, spreadsheets, or written notes.
- Multi-factor authentication is enabled on every account that supports it, prioritizing email and financial accounts first.
Organizational Controls
- A written password policy exists and is reviewed at least annually.
- Minimum password length is enforced at 12+ characters with no mandatory composition rules.
- New passwords are screened against known-breached password lists.
- MFA is enforced for all users, with no standing exclusions beyond documented, monitored break-glass accounts.
- Legacy authentication protocols that bypass MFA are disabled.
- A company-provisioned password manager is deployed and SSO-integrated for automatic offboarding.
- Account lockout is configured after a reasonable number of failed attempts.
- Vendor default credentials are changed before any system goes into production.
Privileged & Service Accounts
- Administrative accounts are separate from standard user accounts.
- Privileged accounts use hardware-backed or phishing-resistant MFA where supported.
- Service account credentials are fully random, stored in a secrets manager, and never memorized or shared verbally.
Related Resources
- NIST Password Guidelines — /knowledge-center/cybersecurity/password-security/nist-password-guidelines
- Password Manager Guide — /knowledge-center/cybersecurity/password-security/password-manager-guide
- Password Policy Generator — /tools/password-policy-generator