Password Policy

What is a Password Policy?

A Password Policy is a defined set of rules and standards that govern how passwords are created, used, stored, and managed within an organisation.
Its purpose is to ensure that passwords provide an effective layer of protection against unauthorised access to systems, applications, and data.

A password policy typically defines:

  • Minimum password length.
  • Complexity requirements (or alternatives such as passphrases).
  • Password reuse restrictions.
  • Expiry or rotation rules.
  • Account lockout thresholds.
  • Secure storage and handling requirements.

Modern password policies are often combined with multi-factor authentication (MFA) and identity-based controls to reduce reliance on passwords alone.

Why Do Password Policies Matter for London Businesses?

London businesses are frequent targets of credential-based attacks such as phishing, brute-force attempts, and password spraying.
Weak or inconsistent password practices remain one of the most common causes of data breaches across all industries.

A strong password policy helps London organisations to:

  • Reduce the risk of account compromise and unauthorised access.
  • Protect sensitive client, financial, and personal data.
  • Meet compliance obligations under UK GDPR and FCA rules, and the access-control requirements of ISO 27001 and the NHS Data Security and Protection Toolkit (DSPT).
  • Support secure remote and hybrid working.
  • Create consistent security standards across all users and systems.

For Managed IT Support and Cyber Security providers like Support Tree, password policy design is a foundational control within identity security and access management.

Key Objectives of a Password Policy

  • Account Protection: Prevent unauthorised access to systems and data.
  • Consistency: Apply uniform standards across the organisation.
  • Risk Reduction: Minimise exposure to common credential attacks.
  • Compliance: Meet regulatory and audit requirements.
  • Usability: Balance security with user experience.
  • Security Awareness: Encourage better password behaviour among users.

Common Password Policy Components

  1. Minimum Length: Typically 12–14 characters or more.
  2. Passphrases: Encouraging long, memorable phrases over complex strings.
  3. Password Reuse Restrictions: Preventing reuse of old or breached passwords.
  4. Account Lockout Rules: Locking accounts after repeated failed attempts.
  5. Password Expiry: Applied selectively, for example to privileged or high-risk accounts, or whenever compromise is known or suspected, rather than on a fixed calendar schedule for everyone.
  6. Secure Storage: Passwords must be hashed with a salted, deliberately slow password-hashing function (such as Argon2, bcrypt, scrypt, or PBKDF2) and never stored or logged in plain text.
  7. Privileged Account Rules: Stronger controls for admin and service accounts.

Modern guidance, including the NCSC's and NIST SP 800-63B, favours long passphrases combined with MFA over frequent forced password changes, which push users towards predictable patterns such as incrementing a digit.
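The components above map directly onto a small set of checks that an identity platform runs when a password is set. The following is an added illustration, not Support Tree's code or any product's implementation: it enforces a 14-character minimum with no composition rules (so a plain passphrase passes), rejects passwords found in a breach corpus, rejects reuse against a hashed history, and stores passwords with a salted, slow KDF. The breach list, the history depth of 24, and the PBKDF2 iteration count are assumptions chosen for the example; the breached-password set is constructed sample data.

```python
"""Password-policy evaluator (added example; not Support Tree code).

Checks: minimum length, no username in the password, breached-password
blocking, reuse restriction against a hashed history, and hashed storage.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MIN_LENGTH = 14                 # assumed policy value
HISTORY_DEPTH = 24              # assumed policy value: last 24 passwords may not be reused
PBKDF2_ITERATIONS = 600_000     # OWASP's current floor for PBKDF2-HMAC-SHA256

# Constructed denylist, stored as uppercase SHA-1 digests the way breach
# corpora typically are. A real deployment queries a breach service with a
# k-anonymity hash-prefix lookup or an offline copy of the corpus.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Password123!", "Summer2024!", "correct horse battery staple")
}


def is_breached(password: str) -> bool:
    """True if the password's SHA-1 digest is in the breach corpus."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest in BREACHED_SHA1


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash) from a salted, deliberately slow KDF; never store plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison of the recomputed hash against the stored one."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


@dataclass
class UserRecord:
    username: str
    # (salt, hash) pairs, oldest first; only hashes are ever kept.
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)

    def was_used_before(self, password: str) -> bool:
        recent = self.history[-HISTORY_DEPTH:]
        return any(verify_password(password, s, h) for s, h in recent)

    def set_password(self, password: str) -> None:
        self.history.append(hash_password(password))


def evaluate(password: str, user: UserRecord) -> List[str]:
    """Return the list of policy failures; an empty list means the password is accepted.

    Length is the only composition rule: a long passphrase with no digits or
    symbols passes, in line with current NCSC and NIST guidance.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if user.username.lower() in password.lower():
        failures.append("contains the username")
    if is_breached(password):
        failures.append("appears in a known breach corpus")
    if user.was_used_before(password):
        failures.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return failures


if __name__ == "__main__":
    alice = UserRecord("alice")
    alice.set_password("quiet harbour lantern maple")
    for candidate in ("Summer2024!", "correct horse battery staple",
                      "quiet harbour lantern maple", "three random words suffice"):
        print(f"{candidate!r}: {evaluate(candidate, alice) or 'accepted'}")
```

Note that "correct horse battery staple" is long and memorable but still rejected: breached-password blocking has to run on every password regardless of how strong it looks, because attackers spray exactly the phrases that are well known.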

How are Password Policies Enforced?

Password policies are enforced through:

  • Identity platforms and directory services.
  • Operating systems and endpoint management tools.
  • Cloud application security settings.
  • Privileged Access Management (PAM) solutions.

They are often integrated with:

  • MFA and conditional access.
  • Breached password detection.
  • Login monitoring and alerting.
  • Access reviews and audits.

This ensures password controls remain effective and enforceable across all environments.
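Two of the controls named above, account lockout thresholds and login monitoring, are worth seeing side by side, because password spraying is designed to stay under the first and is only caught by the second. The following added example (not Support Tree's code or any product's detection rule) runs both over a constructed authentication log: a per-account lockout after 10 failures in a 15-minute window, and a per-source spray detector that flags a source failing against 5 or more distinct accounts in 10 minutes. The log format, IP addresses, usernames and thresholds are all assumptions made for the example.

```python
"""Lockout and password-spray detection over an authentication log.

Added example; not Support Tree code. Log lines are constructed and use a
simplified format:  <ISO-8601 UTC timestamp> <FAIL|OK> user=<name> src=<ip>
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

LOCKOUT_THRESHOLD = 10                   # assumed: failures per account ...
LOCKOUT_WINDOW = timedelta(minutes=15)   # ... within this observation window
SPRAY_MIN_ACCOUNTS = 5                   # assumed: distinct accounts from one source ...
SPRAY_WINDOW = timedelta(minutes=10)     # ... within this window

SAMPLE_LOG = [
    # Constructed spray: one guess per account, six accounts, one source.
    "2024-05-01T09:00:01Z FAIL user=alice src=203.0.113.7",
    "2024-05-01T09:00:03Z FAIL user=bob src=203.0.113.7",
    "2024-05-01T09:00:05Z FAIL user=carol src=203.0.113.7",
    "2024-05-01T09:00:07Z FAIL user=dave src=203.0.113.7",
    "2024-05-01T09:00:09Z FAIL user=erin src=203.0.113.7",
    "2024-05-01T09:00:11Z FAIL user=frank src=203.0.113.7",
    # The sprayed password worked for the sixth account.
    "2024-05-01T09:00:13Z OK user=frank src=203.0.113.7",
    # An ordinary user mistypes once, then succeeds.
    "2024-05-01T09:05:00Z FAIL user=carol src=192.0.2.20",
    "2024-05-01T09:05:10Z OK user=carol src=192.0.2.20",
] + [
    # Brute force against a single account: this one trips the lockout.
    f"2024-05-01T09:10:{5 * i:02d}Z FAIL user=bob src=198.51.100.9" for i in range(10)
]

Event = Tuple[datetime, str, str, str]  # (timestamp, result, user, source)


def parse(lines: List[str]) -> List[Event]:
    """Parse the simplified log format; malformed lines are skipped."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or not parts[2].startswith("user=") or not parts[3].startswith("src="):
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, parts[1], parts[2][len("user="):], parts[3][len("src="):]))
    return events


def accounts_to_lock(events: List[Event]) -> Set[str]:
    """Accounts with at least LOCKOUT_THRESHOLD failures inside a sliding LOCKOUT_WINDOW."""
    locked = set()
    recent: Dict[str, List[datetime]] = defaultdict(list)   # user -> recent failure times
    for ts, result, user, _ in sorted(events):
        if result != "FAIL":
            continue
        recent[user] = [t for t in recent[user] if ts - t <= LOCKOUT_WINDOW] + [ts]
        if len(recent[user]) >= LOCKOUT_THRESHOLD:
            locked.add(user)
    return locked


def detect_spraying(events: List[Event]) -> Set[str]:
    """Sources that fail against SPRAY_MIN_ACCOUNTS or more distinct accounts within SPRAY_WINDOW.

    One failure per account never reaches the lockout threshold, so the
    pattern is only visible when failures are grouped by source, not by account.
    """
    sprayers = set()
    recent: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)   # src -> (time, user)
    for ts, result, user, src in sorted(events):
        if result != "FAIL":
            continue
        recent[src] = [(t, u) for t, u in recent[src] if ts - t <= SPRAY_WINDOW] + [(ts, user)]
        if len({u for _, u in recent[src]}) >= SPRAY_MIN_ACCOUNTS:
            sprayers.add(src)
    return sprayers


def suspicious_successes(events: List[Event], sprayers: Set[str]) -> Set[str]:
    """Accounts that logged in successfully from a source flagged as spraying."""
    return {user for _, result, user, src in events if result == "OK" and src in sprayers}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    sprayers = detect_spraying(evs)
    print("lock:", accounts_to_lock(evs))
    print("spraying sources:", sprayers)
    print("likely compromised:", suspicious_successes(evs, sprayers))
```

On the constructed log, lockout alone catches only the brute-force attempt against bob; the spraying source never fails more than once per account, so it is flagged only by the per-source view, which then also points at frank's successful login as the account to reset and investigate.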

Best Practices for Managed Password Policies

  • Use Long Passphrases: Encourage length over complexity.
  • Enforce MFA Everywhere Possible: Reduce reliance on passwords alone.
  • Block Known Breached Passwords: Prevent use of compromised credentials.
  • Limit Password Expiry: Avoid frequent forced changes for standard users.
  • Apply Stronger Rules to Admin Accounts: Separate and tightly control privileged access.
  • Educate Users: Guide secure password creation and storage.
  • Review Regularly: Update policies as threats and guidance evolve.

Support Tree helps London organisations design and implement modern password policies aligned with Zero Trust and identity-first security principles.

Risks of Weak Password Policies

  • Phishing Success: A phished password works on every service where it is reused, and without MFA a single stolen credential is enough to log in.
  • Password Spraying Attacks: Attackers test common passwords at scale.
  • Account Takeover: Stolen credentials grant direct system access.
  • Data Breaches: Sensitive data exposed due to weak authentication.
  • Compliance Failures: Inadequate controls breach GDPR or FCA expectations.
  • User Frustration: Poorly designed policies encourage unsafe workarounds.

London Considerations

  • Financial Services: Strong password standards are essential for FCA-regulated access controls.
  • Legal Firms: Protect confidential case systems and email accounts.
  • Healthcare Providers: Secure access to patient and clinical systems under GDPR and NHS DSPT.
  • Professional Services: Reduce risk of client data exposure.
  • SMEs: Password policies provide a low-cost, high-impact security control.

In London’s credential-focused threat landscape, a well-designed password policy remains a critical baseline security measure.

Example in Practice

A London-based professional services firm experiences multiple phishing-related account compromises.
Support Tree reviews the firm’s authentication setup and implements a modern password policy using long passphrases, breached-password blocking, and mandatory MFA.
Admin accounts are separated and protected with stricter controls.

Following the changes:

  • Successful account compromises drop significantly.
  • User frustration decreases due to fewer forced resets.
  • Audit readiness improves.

The updated password policy strengthens security while maintaining productivity and compliance.