Organization Name
Password and Credential Policy
Generated July 10, 2026
1. Purpose
This policy establishes the minimum requirements for creating, managing, and protecting passwords and passphrases used to access [Organization Name]'s information systems. Its purpose is to reduce the risk of unauthorized access resulting from weak, reused, or compromised credentials, and to align [Organization Name]'s credential practices with NIST SP 800-63B §5.1.1.2 (Memorized Secrets).
2. Scope
This policy applies to all employees, contractors, and third parties who access [Organization Name]'s systems, applications, or data using a password, passphrase, or PIN, across company-owned and personally owned devices used for business purposes.
This policy also applies to service accounts and privileged accounts, which are subject to the additional requirements described in Sections 4.9 and 4.10 respectively.
3. Definitions
- Password / Passphrase (Memorized Secret): A string of characters, or a sequence of words, used to authenticate a user's identity.
- Multi-Factor Authentication (MFA): An authentication method requiring two or more independent factors (something you know, have, or are) to verify identity.
- Privileged Account: An account with elevated permissions, such as system, network, or database administration access.
- Service Account: A non-human account used for application-to-application or system-to-system authentication.
- Compromised Password: A password known to have appeared in a public data breach or credential-leak corpus.
4. Requirements
4.1 Password Construction
- Minimum length: 12 characters.
- Maximum length: systems must support at least 64 characters.
- Passwords are not required to contain a specific mix of character classes. Length and screening controls (Section 4.6) are the primary strength requirement, consistent with modern password guidance.
- The full range of printable characters, including spaces, must be accepted by all systems in scope.
4.2 Passphrases
Multi-word passphrases are explicitly permitted and encouraged as an alternative to traditional passwords, provided the total length meets the minimum length requirement in Section 4.1. Words should be selected at random rather than composed as a common phrase or quotation.
4.3 Password Expiration and Rotation
Passwords are not required to be changed on a fixed calendar schedule. This approach is supported by current guidance provided that breached-password screening (Section 4.6) and multi-factor authentication (Section 4.5) are both enforced. A password must be changed immediately upon any evidence or suspicion of compromise, regardless of when it was last changed.
4.4 Password History
This policy does not mandate a minimum password history depth, provided breached-password screening (Section 4.6) is enforced at every password change.
4.5 Multi-Factor Authentication
Multi-factor authentication is required for all user accounts without exception, including remote access and any access originating from outside the organization's network. Legacy authentication protocols that do not support MFA must be disabled.
4.6 Prohibited Passwords
- Passwords known to appear in public breach or credential-leak corpora.
- Commonly used or default passwords (e.g., "password", "welcome1", "qwerty").
- Single dictionary words or predictable variations of dictionary words.
- The user's name, username, or other easily discoverable personal or organizational information.
4.7 Account Lockout
Accounts will be locked after 10 consecutive failed authentication attempts. Locked accounts will remain locked for a minimum of 15 minutes, or until unlocked through an approved identity-verification process, whichever is applicable to the system in question.
4.8 Password Reset Requirements
Password resets must include verification of the requester's identity through an approved method before a new credential is issued or a self-service reset is permitted. Security questions alone do not satisfy this requirement.
4.9 Service Accounts
- Service account credentials must be fully random, generated by an approved tool, and at least as long as the maximum length permitted by the target system.
- Service account credentials must be stored in an approved secrets manager, never in plaintext configuration files, scripts, or shared documents.
- Service account credentials must be rotated immediately upon suspected compromise or personnel change involving anyone with access to the credential.
4.10 Privileged Accounts
- Privileged accounts must meet a minimum length of 16 characters.
- Privileged accounts must use hardware-backed or phishing-resistant multi-factor authentication where technically supported.
- Administrative access must be performed through a dedicated privileged account, separate from an individual's standard user account.
5. Exceptions
Any exception to this policy must be documented, include a business justification and compensating controls, and be approved in writing by [Organization Name]'s designated security or IT leadership. Exceptions must be reviewed at least annually and revoked when no longer necessary.
6. Responsibilities
- IT/Security Team: Configures and enforces technical controls consistent with this policy; maintains breached-password screening and MFA infrastructure.
- Managers: Ensure staff under their supervision are aware of and comply with this policy.
- All Users: Responsible for creating compliant credentials, using an approved password manager, and reporting suspected credential compromise immediately.
7. Enforcement
Violation of this policy may result in disciplinary action up to and including termination of employment or contract, consistent with organizational HR policy and any applicable regulatory obligations. Technical enforcement is implemented through the identity platform(s) in use and audited periodically.
8. References
- NIST SP 800-63B §5.1.1.2 (Memorized Secrets)
- NIST SP 800-63B, Digital Identity Guidelines — Authentication and Lifecycle Management
- IT KORR Knowledge Center — Password Security: /knowledge-center/cybersecurity/password-security
9. Review Schedule
This policy will be reviewed at least annually, or upon a significant change to applicable regulatory requirements, a relevant update to referenced guidance, or a security incident involving credential compromise. Last generated: July 10, 2026.