How to Build a Password Policy That Actually Gets Followed
A password policy nobody follows is worse than no policy — it creates false confidence. Here's how to build one your team will actually stick to.
Most South African businesses have some version of a password policy. It was written years ago, emailed to staff once, and now lives forgotten in a shared folder nobody opens. Meanwhile, half your team is using "Password1!" across every system, and nobody's noticed. Yet.
The problem isn't that people don't care about security. The problem is that most password policies are written for compliance, not for humans. They're long, vague, and ask staff to do things that make their working day harder without explaining why. This article will show you how to build something different.
Why your current password policy probably isn't working
The traditional password policy asks staff to:
- Use a minimum of 8 characters
- Include uppercase, lowercase, numbers, and symbols
- Change passwords every 90 days
- Never reuse old passwords
In theory, this sounds secure. In practice, it produces passwords like "Summer2024!" — which satisfies every rule, is one of the first patterns any cracking wordlist tries, and ends up on a sticky note under the keyboard when the next 90-day reset comes round. Forced complexity and forced rotation are outdated approaches: the UK's National Cyber Security Centre and NIST (the US standards body, in SP 800-63B) have both dropped them in favour of screening new passwords against lists of known-compromised passwords and rotating a password only when there is reason to think it has been compromised.
What actually works: the three pillars
Pillar 1: Length over complexity
A passphrase like "coffee-monday-blue-lamp" (four unrelated words, not a song lyric or a phrase you already use) is far more secure than "P@ssw0rd!" and much easier to remember. Modern password cracking tools are built around the patterns humans use to satisfy complexity rules: substituting 0 for o, @ for a, ! for i, capitalising the first letter, and appending a digit or a symbol. "P@ssw0rd!" is a handful of such rules applied to a word found in every dictionary, so it falls in seconds. Several long, randomly chosen words give the attacker no such shortcut.
Your policy should mandate a minimum of 14 characters, actively encourage passphrases, and drop the mandatory complexity requirements that produce predictable patterns. In their place, screen new passwords against a list of common and previously breached passwords, which is the check NIST now recommends.
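To make the cracking argument concrete, here is an added Python example (not code from the original article) that models a handful of cracker rules, shows that "P@ssw0rd!" is reached from "password" by those rules, and compares the size of that search space with four random words drawn from a diceware-style list. The 16-word list is constructed for the example (a real deployment would load a published list such as the EFF long wordlist), and the 100,000-word dictionary and 1,000-rule set used for the comparison are illustrative assumptions, not measurements.

```python
import itertools
import math
import secrets

# Constructed wordlist, deliberately tiny so the example runs offline.
# A real deployment loads a published list such as the EFF long wordlist
# (7776 words); the entropy calculation below takes the list size as input.
SAMPLE_WORDLIST = [
    "coffee", "monday", "blue", "lamp", "river", "pencil", "orbit", "garden",
    "copper", "velvet", "tiger", "window", "maple", "anchor", "summit", "quartz",
]

# A toy model of a cracker's rule set: the substitutions and suffixes
# people reach for when a policy demands "complexity".
LEET = {"a": "@", "e": "3", "i": "!", "o": "0", "s": "$"}
SUFFIXES = ["", "!", "1", "123", "2024"]


def mangle(base_word: str) -> set[str]:
    """Every guess this toy rule set derives from one dictionary word.

    Real rule files in cracking tools contain thousands of transformations;
    the point is that "P@ssw0rd!" is a few rules away from "password",
    not a new word the attacker has to discover.
    """
    guesses = set()
    cases = {base_word, base_word.capitalize(), base_word.upper()}
    present = [ch for ch in LEET if ch in base_word]
    for cased in cases:
        # try every subset of the applicable leet substitutions
        for n in range(len(present) + 1):
            for subset in itertools.combinations(present, n):
                leeted = cased
                for ch in subset:
                    leeted = leeted.replace(ch, LEET[ch])
                for suffix in SUFFIXES:
                    guesses.add(leeted + suffix)
    return guesses


def guess_space_bits(wordlist_size: int, rules_per_word: int) -> float:
    """log2 of the guesses needed to cover a wordlist under a rule set."""
    return math.log2(wordlist_size * rules_per_word)


def passphrase_bits(wordlist_size: int, words: int) -> float:
    """Entropy of `words` words drawn uniformly and independently from the list."""
    return words * math.log2(wordlist_size)


def generate_passphrase(wordlist, words: int = 4, sep: str = "-") -> str:
    """Draw words with the OS CSPRNG (secrets), never random.choice."""
    if words < 1 or len(wordlist) < 2:
        raise ValueError("need at least one word from a list of at least two")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    guesses = mangle("password")
    print(f'"P@ssw0rd!" reachable from "password": {"P@ssw0rd!" in guesses}')
    print(f"guesses derived from one word: {len(guesses)}")
    # Illustrative sizes (assumptions): a 100k-word dictionary with a
    # 1,000-rule set versus four words from a 7776-word list.
    print(f"dictionary + rules: {guess_space_bits(100_000, 1_000):.1f} bits")
    print(f"4 random words:     {passphrase_bits(7776, 4):.1f} bits")
    print("example passphrase:", generate_passphrase(SAMPLE_WORDLIST))
```

The comparison is the whole point: a 100,000-word dictionary times 1,000 rules is about 2^27 guesses, which a modern GPU rig works through in moments, while four words chosen uniformly from a 7,776-word list is about 2^52, and the attacker gains nothing from knowing which list you used. Note that four words from the 16-word sample list above would give only 16 bits; the security comes from the list size and from choosing words at random rather than picking ones you like.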
Pillar 2: Multi-Factor Authentication (MFA) everywhere
No password policy — however well-designed — is as effective as MFA. If a password is compromised, MFA stops most attackers outright: password spraying and credential stuffing with a stolen password go nowhere. Not all MFA is equal, though. SMS codes and simple push prompts can be phished in real time or approved out of fatigue, so prefer an authenticator app and, for admin and finance accounts, a phishing-resistant method such as a FIDO2 security key or passkey where the system supports it. For any business-critical system — email, financial software, cloud storage, remote access — MFA should be non-negotiable and technically enforced at the identity provider, not left to each user to switch on.
Microsoft reports that MFA blocks 99.9% of automated account attacks. That figure covers bulk, automated attacks such as password spraying and credential stuffing rather than targeted phishing of one-time codes, but it still makes MFA the single most impactful security control available to any SME.
Pillar 3: A password manager for your team
The reason people reuse passwords is simple: nobody can remember 30 unique, strong passwords. The solution is a business password manager. Tools like Bitwarden, 1Password, or LastPass Teams allow staff to generate and store unique, strong passwords for every system without memorising anything beyond a single master password. That master password should itself be a long passphrase, and the vault should have MFA switched on, because it now protects everything else.
A password manager removes the reason for password reuse across your entire organisation at a cost of a few hundred rand per month, and most business tiers include reports that flag reused or weak entries so you can see where old habits persist. It's one of the highest-return security investments available to an SME.
Writing the policy itself
The policy document matters less than the culture and tooling around it. But when you do write it, keep these principles in mind:
If your policy is longer than one page, it won't be read. State the requirements clearly, explain the why in a single sentence for each, and stop.
Don't write "non-compliance may result in disciplinary action." Write "if your account is compromised because of a weak or reused password, it puts every client's data and every colleague's account at risk." Make it real.
If following the policy requires more effort than ignoring it, people will ignore it. Providing a password manager removes the friction. Automating MFA enforcement removes the choice. Good policy design removes the need for willpower.
What to do when an employee leaves
One of the most overlooked aspects of password security is offboarding. When an employee leaves — whether on good terms or not — their access should be revoked the moment they walk out the door. Not after their notice period. Not when IT gets around to it. Immediately.
Create a documented offboarding checklist: disable the Active Directory or identity-provider account, revoke active sessions and tokens (disabling an account does not always sign out a session that is already open), remove the user's registered MFA devices, revoke email access, remove the user from all cloud platforms, and change any shared passwords or API keys the employee had access to. This should happen the same day as their last day, ideally before their last hour.
Testing your policy
A policy you've never tested is a policy you can't trust. Every six months, run a simple test: ask your IT provider to conduct a phishing simulation and a credential audit. Find out how many staff would click a suspicious email, and whether any business accounts are using compromised passwords. The audit can check hashes against breach databases such as Have I Been Pwned's Pwned Passwords service without ever sending the passwords themselves. Use the results to train, not to punish.
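As an added example (not code from the original article or from any vendor), this Python script implements the checks described on this page in one place: the 14-character minimum from Pillar 1, a blocklist of common words, a username check, and a breach lookup against Have I Been Pwned's Pwned Passwords range API using k-anonymity, so only the first five characters of the SHA-1 hash leave the machine. The blocklist, the sample range response and the username are constructed for the example; the live lookup function is included but the demonstration runs offline.

```python
import hashlib
import string
import urllib.request
from typing import Callable

MIN_LENGTH = 14

# Constructed blocklist for the example. In practice load the most common
# passwords from published breach corpora and add your own context words
# (company name, product names, local sports teams).
BLOCKLIST = {
    "password", "passw0rd", "qwerty", "welcome", "letmein", "admin",
    "summer", "winter", "spring", "autumn", "infoserv",
}


def hibp_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the Pwned Passwords API and the 35-char suffix that never leaves
    the machine (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(range_body: str, suffix: str) -> int:
    """Parse a range response (one 'SUFFIX:COUNT' per line) and return the
    breach count for our suffix, or 0 if it is absent."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup against https://api.pwnedpasswords.com/range/<prefix>.
    Only the prefix is transmitted; the password and full hash stay local."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "sme-password-policy-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str,
                   range_lookup: Callable[[str], str] = fetch_range,
                   username: str = "") -> tuple[bool, list[str]]:
    """Apply the policy: length, blocklist, user-specific words, breach check.
    Returns (accepted, reasons); every failing rule is reported, not just the first."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    # Heuristic: strip the trailing digits and symbols people bolt on to a
    # banned word so that "Summer2024!" is caught by "summer".
    base = lowered.rstrip(string.digits + string.punctuation)
    if lowered in BLOCKLIST or base in BLOCKLIST:
        reasons.append("based on a common or banned word")
    if username and len(username) >= 3 and username.lower() in lowered:
        reasons.append("contains the username")
    prefix, suffix = hibp_prefix_suffix(password)
    seen = count_in_range(range_lookup(prefix), suffix)
    if seen:
        reasons.append(f"appears {seen} times in known breaches")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Offline demonstration with a constructed range response that marks one
    # candidate as breached; pass fetch_range instead for a live check.
    breached = "Tr0ub4dor&3-for-work"
    _, breached_suffix = hibp_prefix_suffix(breached)

    def offline_lookup(prefix: str) -> str:
        # Constructed sample in the SUFFIX:COUNT format the live API returns.
        return f"0018A45C4D1DEF81644B54AB7F969B88D65:3\n{breached_suffix}:8421\n"

    for candidate in ["Summer2024!", breached, "coffee-monday-blue-lamp"]:
        ok, why = check_password(candidate, offline_lookup, username="jsmith")
        verdict = "accepted" if ok else "rejected (" + "; ".join(why) + ")"
        print(f"{candidate!r}: {verdict}")
```

The same `check_password` function can be wired into an account-creation or password-reset flow, and the breach check alone, fed with the hashes your IT provider can export, is the credential audit described above: a suffix match against a range response tells you a password has appeared in a breach without anyone outside the business learning which one.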
The bottom line
Password security is not complicated. It's just easy to deprioritise until something goes wrong. The combination of long passphrases, MFA everywhere, and a business password manager will stop the vast majority of credential-based attacks against your organisation — at minimal cost and minimal friction for your team.
InfoServ Technologies helps businesses implement and enforce security best practices, including MFA deployment, password manager rollout, and staff awareness training. Talk to us about a free security assessment for your business.