Compliance guide

Password Policy Template

A password policy sets the rules for how your people create, store and protect passwords, and where multi-factor authentication is required. This guide gives you a free, modern (NIST-aligned) template and example, plus a done-for-you option.

Key takeaways

  • A password policy reduces the most common cause of breaches: weak, reused or stolen credentials.
  • Modern guidance (NIST) favours longer passphrases and MFA over forced frequent changes and complex character rules.
  • It usually sits under your cyber security policy as a supporting document.
  • It's a standard line item in customer security questionnaires.

What a password policy covers

A password (or password management) policy tells everyone how to handle the credentials that protect company accounts and data. It covers minimum length, where multi-factor authentication is mandatory, how passwords are stored, and what to do if one is compromised.

Good password rules have changed. Modern guidance, led by NIST, favours long passphrases and multi-factor authentication over the old habit of forcing complex passwords that change every 30 days, which tends to push people toward weak, predictable patterns.

This is general guidance, not security advice. Align the specifics to the framework your customers reference (NIST, ISO 27001, Cyber Essentials, Essential Eight).

Modern vs outdated password rules

If your policy still mandates monthly changes and special characters, it's working against you. A quick comparison:

Rule             | Outdated approach          | Modern (NIST-aligned)
-----------------|----------------------------|-----------------------------------------
Length           | 8 characters minimum       | 12+ characters / passphrases
Complexity       | Force symbols & numbers    | Encourage length, not symbols
Expiry           | Change every 30-90 days    | Change only on compromise
Reuse            | Not addressed              | Block reuse; screen against breach lists
Extra protection | Optional                   | MFA required on key accounts
Storage          | Up to the user             | Approved password manager

What to include: password policy template structure

  1. Purpose and scope: why the policy exists and which accounts and people it covers.
  2. Password requirements: minimum length, passphrase guidance, and screening against known breached passwords.
  3. Multi-factor authentication: which systems require MFA (email, admin, remote access, finance).
  4. Password storage: use of an approved password manager and a ban on sharing or writing down passwords.
  5. Account types: stronger rules for admin/privileged and service accounts.
  6. Compromise response: what to do if a password may have been exposed.
  7. Responsibilities and review: who owns the policy and how often it is reviewed.

The single highest-impact rule is requiring MFA on email and admin accounts. Make that non-negotiable in your policy.
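To make the comparison table and the "password requirements" section concrete, here is an added example (not part of the template or this guide) that encodes the outdated and the modern rule sets side by side and checks candidate passwords against each. The breach list and password history are constructed sample data, and SHA-256 is used only to illustrate reuse checks; real credential storage would use a slow, salted KDF.

```python
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed sample of "known breached" passwords (illustrative, not a real corpus).
BREACHED_PASSWORDS = {"password", "p@ssw0rd!", "welcome1", "summer2024", "letmein123"}


@dataclass(frozen=True)
class Policy:
    name: str
    min_length: int
    require_symbol_and_digit: bool   # outdated composition rule
    screen_breach_list: bool         # modern: reject known-breached passwords
    block_reuse: bool                # modern: reject previously used passwords
    max_age_days: Optional[int]      # None = change only on compromise


OUTDATED = Policy("outdated", 8, True, False, False, 90)
MODERN = Policy("modern-nist", 12, False, True, True, None)


def password_hash(pw: str) -> str:
    """Hash used only for the reuse check in this example (not for storage)."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def evaluate(policy: Policy, candidate: str,
             history_hashes: FrozenSet[str] = frozenset()) -> List[str]:
    """Return the list of rule violations; an empty list means accepted."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_symbol_and_digit:
        has_digit = any(c.isdigit() for c in candidate)
        has_symbol = any(not c.isalnum() and not c.isspace() for c in candidate)
        if not (has_digit and has_symbol):
            problems.append("missing required symbol or digit")
    if policy.screen_breach_list and candidate.lower() in BREACHED_PASSWORDS:
        problems.append("appears in known-breach list")
    if policy.block_reuse and password_hash(candidate) in history_hashes:
        problems.append("previously used")
    return problems


def needs_rotation(policy: Policy, age_days: int, compromised: bool) -> bool:
    """Expiry rule: modern policy rotates only on compromise, outdated one on age."""
    if compromised:
        return True
    return policy.max_age_days is not None and age_days > policy.max_age_days


if __name__ == "__main__":
    for pw in ("P@ssw0rd!", "correct horse battery staple"):
        for policy in (OUTDATED, MODERN):
            print(f"{policy.name:12} {pw!r}: {evaluate(policy, pw) or 'accepted'}")
```

Running it shows the point of the table: the outdated rules accept the breached "P@ssw0rd!" and reject a long passphrase, while the modern rules do the opposite.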

Download the editable password policy template

Add your email and we'll send the password policy template in Word and PDF, with modern, NIST-aligned default settings you can adjust.

Frequently asked questions

Is this password policy template free?
Yes. The structure, the sample rules and the comparison are free to use. A tailored, done-for-you version is the only paid option.
Should passwords still expire regularly?
Modern guidance (NIST) recommends against forced periodic changes for general users, because it leads to weaker, predictable passwords. Change passwords when there's evidence of compromise, and rely on length plus MFA instead.
Is MFA really necessary?
Yes. Multi-factor authentication is one of the most effective controls against account takeover and is expected by most security reviews. Require it at least on email, admin and remote-access accounts.
How does this relate to my cyber security policy?
The password policy is a supporting document that sits under your overarching cyber security policy. Many businesses keep the two separate so the password rules are easy to find and update.

Prefer your password policy done for you?

Tell us a little about your systems and we'll prepare a tailored, modern password policy with MFA requirements mapped to your accounts.

Requests for the password policy are reviewed and prepared manually; we'll follow up by email.