
How is your network password policy?


As your IT provider, we can help you set a strong password policy – just one line of defence against intruders on your network and, because it protects data, a requirement of GDPR compliance. The policy can be enforced on your server to control many different password requirements, such as complexity, length and lifetime. Some articles we have seen suggest that passwords should be up to 64 characters long, whilst others suggest length is counterproductive! This article summarises our view on recommended password policy for your network users.

Password Complexity & Length

It is common for us to require passwords to include a variety of character types, such as at least one number, both uppercase and lowercase letters, and one or more special characters. However, the benefit of these rules is secondary: it is the length of the password that is the primary factor in its strength. As a result, we recommend passwords that are at least ten characters long. This sits between a Microsoft recommendation of eight characters and a NIST recommendation of up to 64 characters. A basic eight-character password using only letters could be cracked in under five hours, whereas a complex ten-character password could take three thousand years.

Our recommendation is to enforce passwords that are at least ten characters long and require some level of complexity.

Password Age & History

Password guidance has historically suggested that users change passwords every so often – sometimes as frequently as monthly. Most advice now suggests users should not be asked to change their passwords this frequently, and should change them only when there is a potential threat or suspected unauthorised access. The only issue we have with this guidance is that where users share passwords, unauthorised access could occur undetected, so we still recommend occasional password expiration to counter this threat. In addition, previously used passwords should not be re-used, so older passwords will be blocked too.

Our recommendation is to enforce passwords that are at most 180 days old and have not been used before.

Password Content

It is ridiculous to set a password that can be easily guessed. Passwords such as “password”, “qwerty” or even dictionary words like “badger” serve no useful purpose and should not be used. Even appending a single digit, e.g. “password1”, is not considered secure. There are a number of ways you can create a secure but easy-to-remember password. Here are a couple:

The Sentence Based Password

You might find it easier to remember a sentence like “The first house I bought had smelly drains and was number 29!” You can turn that sentence into a password by using the first character of each word, so your password would become TfhIbhsdawn29! This is a strong password at 14 characters, with uppercase, lowercase, numbers and a special character included.

The Passphrase Based Password

Think of four random and unrelated words or, if you can’t do that, get yourself a dictionary or any book, flick to a random page and put your finger in a random place to select them. Once you have those words, insert a hyphen between each, change some letters to numbers and add an extra character. For example, “stations method action where” becomes “Stat10ns-Meth0d-Act10n-Where!”, a long password but one that is easier to remember than a truly random password.
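
The checks from the sections above (minimum length, complexity, and rejecting guessable content such as “password1”) can be sketched in code. This is an added example, not part of the original article; the function names, the three-word blocklist and the substitution table are constructed for illustration.

```python
import re

# Constructed sample blocklist: the weak examples named in the article.
# A real deployment would load a much larger list of common passwords.
BLOCKLIST = {"password", "qwerty", "badger"}

# Common character substitutions undone before the blocklist lookup.
# "1" is treated as "i" only; a fuller checker would try several mappings.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 10  # minimum length recommended in the article


def base_word(password):
    """Reduce a password to the word it was built from."""
    core = re.sub(r"[\d\W_]+$", "", password)  # drop trailing digits/symbols
    core = re.sub(r"^[\d\W_]+", "", core)      # and leading ones
    return core.lower().translate(LEET)


def check_password(password):
    """Return a list of policy problems; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = [r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"]
    if not all(re.search(c, password) for c in classes):
        problems.append("missing a character class")
    if base_word(password) in BLOCKLIST:
        problems.append("based on a common word")
    return problems
```

A password such as `P@ssw0rd123!` meets the length and complexity rules yet is still rejected because it reduces to “password”, while both example passwords from the article pass.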

User Education

As a final note, all of this password policy becomes useless if users write their password down on paper and stick it to their computer. It’s like leaving the keys to your car in the car door and then going out for a walk. Make it a part of your network policy that:

  • Users must never write their password down anywhere, so they should set a strong password using techniques such as those described above.
  • If users have a lot of different passwords they should use a password manager such as KeePass or LastPass, and protect those passwords with a very strong password.
  • Users must never share their password with anyone except their IT provider. If a superior needs access to your data this should be logged as an IT issue so the reasons for it are documented.
  • If you suspect that someone else may know your current password, change it immediately using the CTRL-ALT-DEL method.
  • Don’t allow anyone to see you type your password.
  • Avoid reusing the same password for multiple systems.

Need More Support?

If you run a small business in Norfolk and need computer support in setting your users’ password policy, please don’t hesitate to contact us.