[Company Name] handles passwords and account login. Follows current NCSC guidance." /> [Company Name] handles passwords and account login. Follows current NCSC guidance." /> Skip to content
Archived content. You are viewing v1 of SME Digital Advisor — the original multi-section site (risks, scenarios, policies, OWASP, flashcards). Go to current site →

Policy

Password Policy

How [Company Name] handles passwords and account login. Follows current NCSC guidance.

NCSC guidance has moved away from forced password changes and complexity rules. This policy reflects current best practice: long passwords, a password manager, MFA, and no reuse.

How to use this: The bracketed items like [Company Name] are placeholders — replace them with your own details. Edit the wording to suit your business. This is a starter, not legal advice.

What good looks like

  • Long passwords: minimum 14 characters, ideally three random words.
  • Unique per account — no reuse across personal and work.
  • Stored in the company-issued password manager, never in a spreadsheet, sticky note, or email.
  • MFA required for every business account that supports it.

Multi-factor authentication

  • MFA is mandatory for all admin accounts.
  • Use an authenticator app or hardware key — not SMS — wherever the system supports it.
  • Directors and finance staff are issued hardware security keys for highest-risk accounts.

Password manager

  • Every employee has a [password manager (e.g. 1Password / Bitwarden)] account.
  • Shared credentials live in shared vaults.
  • The password manager itself is protected with a strong passphrase plus MFA or a hardware key.

Resets and recovery

  • Password resets are not processed over the phone or by email request alone. The requester is verified via a second channel.
  • Password reset links and codes expire within 15 minutes.
  • If you suspect a password may have been compromised, change it from a clean device and tell [Named Manager].

When passwords change

Passwords are not forced to expire on a schedule. They are changed when:

  • The account has been compromised (or may have been).
  • The password has appeared in a known breach.
  • An employee who knew a shared password has left.

Shared accounts

Shared accounts are discouraged. Where one exists, it lives only in the password manager's shared vault.

Review

Reviewed annually. Last reviewed: [date].

Tips for adoption

  • Pair this with the weak passwords risk page for context.
  • If you're still on forced 90-day rotations, tell staff why the change.
  • Reach for hardware keys for directors before everyone.