Passwords have become ubiquitous such that many consumers, and many employees, may have dozens of passwords that permit them to access dozens of different systems, services, networks or terminals. From a corporate perspective, many companies have at least two policies that impact passwords – a password selection or management policy, and a security policy that may include how passwords maintained by the company are secured.

A password selection or management policy discusses an organization’s standards for password assignment, and password strength (i.e., how complex the password that a user selects must be in order to avoid the password from being stolen or guessed). For organizations that maintain lists of passwords, several states have enacted legislation that require the organization to “implement and maintain reasonable security measures to protect” the username and passwords that are in their possession. As a result, whether the organization maintains a system that allows third party users to create password controlled accounts is often a factor that is considered when conducting a data inventory or a data security assessment. One of the primary concerns is that even if the service or database for which the username and password are used may not be sensitive, or house other categories of sensitive information, people often re-use their usernames and passwords for multiple services or systems. As a result, if a bad actor is able to obtain a username and password for an individual that relates to a non-sensitive system maintained by one organization, the bad actor may be able to leverage those credentials to try to access a sensitive system held by a different organization.


Percentage of people that use one of the top 25 “worst” passwords (i.e., most easily guessed by hackers). 1


Percentage of people that one study foundstill use the password "123456." 2


Percentage of hacking-related data breaches thatleveraged a weak or stolen password. 3

What to think about when designing or reviewing a password selection or use policy:

  1. The more characters required for a password generally the more difficult it is for an attacker to guess a password. Consider whether it is practical to require a long password (e.g., twelve or more characters).
  2. If only alphabetic characters are allowed there are only 26 different combinations that an attacker needs to consider for each character of the password. Allowing (or requiring) a larger character set increases the number of possible combinations. As a result consider making passwords case sensitive (i.e., increasing the range of possibilities by an additional 26 characters), alphanumeric (increasing the range of possibilities by an additional 10 characters), and include symbols (further increasing the range of possibilities for each character).