NCSC guidance has moved away from forced password changes and complexity rules. This policy reflects current best practice: long passwords, a password manager, MFA, and no reuse.
How to use this: The bracketed items like [Company Name] are placeholders — replace them with your own details. Edit the wording to suit your business. This is a starter, not legal advice.
What good looks like
- Long passwords: minimum 14 characters, ideally three random words.
- Unique per account — no reuse across personal and work.
- Stored in the company-issued password manager, never in a spreadsheet, sticky note, or email.
- MFA required for every business account that supports it.
Multi-factor authentication
- MFA is mandatory for all admin accounts.
- Use an authenticator app or hardware key — not SMS — wherever the system supports it.
- Directors and finance staff are issued hardware security keys for highest-risk accounts.
Password manager
- Every employee has a [password manager (e.g. 1Password / Bitwarden)] account.
- Shared credentials live in shared vaults.
- The password manager itself is protected with a strong passphrase plus MFA or a hardware key.
Resets and recovery
- Password resets are not processed over the phone or by email request alone. The requester is verified via a second channel.
- Password reset links and codes expire within 15 minutes.
- If you suspect a password may have been compromised, change it from a clean device and tell [Named Manager].
When passwords change
Passwords are not forced to expire on a schedule. They are changed when:
- The account has been compromised (or may have been).
- The password has appeared in a known breach.
- An employee who knew a shared password has left.
Shared accounts
Shared accounts are discouraged. Where one exists, it lives only in the password manager's shared vault.
Review
Reviewed annually. Last reviewed: [date].
Tips for adoption
- Pair this with the weak passwords risk page for context.
- If you're still on forced 90-day rotations, tell staff why the change.
- Reach for hardware keys for directors before everyone.