Many consumers, and many employees, have dozens of passwords for access to different systems, services, networks, device, and terminals. From a corporate perspective, many companies have at least two policies that impact passwords – a password selection or management policy, and a security policy that may include how passwords maintained by the company are secured

A password selection or management policy discusses an organization’s standards for password assignment, and password strength (i.e., how complex the password that a user selects must be in order to avoid the password from being stolen or guessed). For organizations that maintain lists of passwords, several states have enacted legislation that require the organization to “implement and maintain reasonable security measure to protect” the username and passwords that are in their possession. As a result, whether the organization maintains a system that allows third party users to create password controlled accounts is often a factor that is considered when conducting a data security assessment. One of the primary concerns is that even if the service or database for which the username and password are used may not be sensitive, or house other categories of sensitive information, people often re-use their usernames and passwords for multiple services or systems. As a result, if a bad actor is able to obtain a username and password for an individual that relates to a non-sensitive system maintained by one organization, the bad actor may be able to leverage those credentials to try to access a sensitive system held by a different organization.


Number of states that arguably require that an organization protect username and passwords within its possession.1


Number of people that use one of the top 25 “worst” passwords (i.e., most easily guessed by hackers).”2


Number of people that one study found still use the password “123456.”3


Percentage of hacking-related data breaches that leveraged a weak or stolen passwords.4

What to think about when designing or reviewing, a password selection or use policy:

  1. The more characters required for a password generally the more difficult it is for an attacker to guess. Consider whether it is practical to require a long password (e.g., twelve or more characters).
  2. If only alphabetic characters are allowed there are 26 different combinations that an attacker needs to consider for each character of the password. Allowing (or requiring) a larger character set increases the number of possible combinations. As a result consider making passwords case sensitive (i.e., increasing the range of possibilities by an additional 26 characters), and utilize numbers (increasing the range of possibilities by an additional 10 characters) or symbols (further increasing the range of possibilities for each character).
  3. Avoid reusing the same password over and over again for different websites or databases. Requiring a unique password configuration from users / employees may help prevent the reuse of passwords permitted by other websites.
  4. Two-factor authentication refers to the practice of requiring two separate forms of identification when logging into a system. While one of those forms may be a password, the second form would ideally be unrelated to a knowledge-item of the user. For example, a one-time generated token sent to the users mobile device could serve as the second factor. Consider whether using a two-factor authentication system is practical.

If you lose an individual’s username and password, it may trigger, in some jurisdictions, a requirement that you notify the individual and/or a state regulator.