How to build a strong password policy

Discover how to create strong passwords to keep your business’s data secure and protect against cyber attacks.

This simple guide will outline how to get the best protection by using complex passwords, password managers and more.

Password hygiene is essential

Having a strong password policy is one of the most simple and effective ways of protecting your business from cyber criminals. Weak passwords expose you to a wide range of potentially damaging threats.

Long, complex and unique

The safest passwords are at least 12 characters long and use a mixture of uppercase and lowercase letters, numbers and special characters. Using three random words can generate strong passwords that are easy to remember.

Use a password manager

Password managers, which generate strong passwords and store them safely for all your accounts, are useful for people who must remember multiple logins. Educate your employees on how to use them, and on good password hygiene in general.

Knowing where to start in improving your cyber resilience can feel overwhelming for many small businesses. An effective way to begin to strengthen your cyber security is to ensure that everyone uses strong passwords. Implementing and maintaining good password security is free and relatively simple.

Weak passwords are easy to figure out and can expose your company to all kinds of serious threats. These might range from ransomware attacks that could shut down your entire business, to enabling criminals to access your bank accounts and other financial records.

Make sure you have adequate password protection for everything you need to keep safe.

Here’s how to go about it.

Educate your employees on password policy, including what (and what not) to do, why it’s important and the risks they should be aware of. Back this up with processes and technical controls that reduce the risks of a cyber-attack and detect and prevent password misuse.
Nigel Fishwick, Specialist Security Advisor, BT Group

Password policy principles

A strong password is based on the following principles:

  • Length: at least 12 characters, but the longer the better. 
  • Complexity: a mixture of uppercase and lowercase letters, numbers and symbols (such as #, @ or %) makes it harder for people to guess or for automated programs to crack. 
  • Uniqueness: using a different password for every account means that if a criminal steals a password for one account, they won’t be able to use it anywhere else.


You should also make sure your staff avoid common or obvious passwords that would be easy to guess.

For example:

  • Frequently used passwords such as 'password', 'hello' or 'admin'.
  • Passwords that include the user's name, family names or date of birth.
  • Simple sequences of letters or numbers, such as '12345', 'abcdef' or 'qwerty'.

Use three random words

For many of us, using multiple passwords that are long and complex can be a burden. We are likely to forget them and end up wasting time by having to reset them. Consequently, it’s tempting to resort to passwords that are too simple or to use the same password for everything. 

A good tip is to follow the National Cyber Security Centre (NCSC) password guidance, which recommends using three random words. That way, passwords are naturally long and hard to guess, yet far easier to remember than a string of random symbols.
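The two ideas above, the policy principles (length, complexity, uniqueness, no obvious or personal choices) and the three-random-words approach, can both be made concrete in a short script. The following is an added example written for this page, not code from the article or from BT. The word list and the common-password blocklist are small constructed stand-ins (a real deployment would load a proper dictionary and a breached-password list), and the rule that a password must use at least three of the four character classes is this example's own reading of the "complexity" principle, chosen so that a capitalised, hyphenated three-word passphrase passes the same check.

```python
"""Password-policy checker plus a three-random-words passphrase generator.

Added example; not code from the article or from BT. The word list and the
common-password blocklist are small constructed stand-ins: a real deployment
would load a full dictionary and a breached-password list.
"""
import math
import secrets
import string

MIN_LENGTH = 12      # "at least 12 characters, but the longer the better"
SEQUENCE_RUN = 4     # flag runs like 1234, abcd or qwer (catches '12345', 'abcdef', 'qwerty')

# Constructed stand-in for a common/breached-password blocklist (assumption).
COMMON_PASSWORDS = {"password", "hello", "admin", "123456", "qwerty", "letmein", "welcome"}

# Constructed stand-in for a passphrase dictionary (assumption). A real list has
# thousands of words, which is what gives three random words their strength.
WORD_LIST = ["apple", "river", "castle", "yellow", "orbit", "marble",
             "tiger", "lantern", "copper", "meadow", "violin", "glacier"]

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]


def has_simple_sequence(password, run=SEQUENCE_RUN):
    """True if the password contains `run` consecutive characters that walk the
    alphabet, the digits or a keyboard row, forwards or backwards."""
    p = password.lower()
    for seq in [string.ascii_lowercase, string.digits] + KEYBOARD_ROWS:
        for s in (seq, seq[::-1]):
            for i in range(len(s) - run + 1):
                if s[i:i + run] in p:
                    return True
    return False


def check_password(password, personal_info=(), previously_used=()):
    """Return the list of policy violations; an empty list means the password passes.

    personal_info:   strings such as the user's name, family names or date of birth.
    previously_used: passwords already in use on this or any other account (uniqueness).
    Violation codes: too_short, low_complexity, common, personal_info, sequence, reused.
    """
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    if sum(classes) < 3:           # this example's reading of the "complexity" rule
        problems.append("low_complexity")
    if lowered in COMMON_PASSWORDS:
        problems.append("common")
    if any(len(info) >= 3 and info.lower() in lowered for info in personal_info):
        problems.append("personal_info")
    if has_simple_sequence(password):
        problems.append("sequence")
    if password in previously_used:
        problems.append("reused")
    return problems


def three_random_words(words=WORD_LIST, n=3, sep="-"):
    """NCSC-style passphrase: n distinct words chosen with the OS CSPRNG.
    Capitalising each word and joining with a separator is this example's way of
    satisfying the character-class rule while keeping the words memorable."""
    chosen = secrets.SystemRandom().sample(words, n)
    return sep.join(w.capitalize() for w in chosen)


def passphrase_entropy_bits(dictionary_size, n=3):
    """Guessing entropy of n words drawn uniformly from a dictionary of that size."""
    return n * math.log2(dictionary_size)


if __name__ == "__main__":
    for pw in ["password", "Xy#12345abcdef", "Nigel2024!Secure", "Apple-River-Castle"]:
        print(f"{pw!r}: {check_password(pw, personal_info=['Nigel']) or 'OK'}")
    phrase = three_random_words()
    print("generated:", phrase, check_password(phrase) or "OK")
    print(f"{len(WORD_LIST)}-word list gives {passphrase_entropy_bits(len(WORD_LIST)):.1f} bits; "
          f"a 7776-word list gives {passphrase_entropy_bits(7776):.1f} bits")
```

The entropy figure is the point worth noticing: three words from the tiny constructed list give under 11 bits, while three words from a 7776-word dictionary give nearly 39 bits. The strength of three random words comes from a large dictionary and a genuinely random choice, not from the words looking unusual, so a team should draw from a proper list rather than pick three words that "feel" random.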

Password hygiene

There are plenty of other helpful measures you can take to help improve password safety in your business.

The most effective are:

  • Use multi-factor authentication (MFA)
    This means proving who you are with something in addition to the password, typically a one-time code from an authenticator app, a hardware security key, or a code sent by text or email. Even if a criminal learns the password, they still cannot get into the account without that second factor. Most online services (such as banking or email) will offer you the option of enabling MFA these days, so make sure you have it switched on.
  • Change passwords
    But only if there is reason to think a password may have been exposed, for example because it was also used on another site that suffered a breach. Otherwise, asking your team to change their passwords on a schedule tends to result in them choosing simpler ones, or making small predictable changes, that are easier for attackers to work out.
  • Educate everyone
    Ensure your employees undergo cyber security training that covers the importance of good password hygiene, how to change their password and how to use a password manager.

Key takeaways

Strong password hygiene is one of the simplest ways to protect your business. 

  • Use long, complex passwords that will be hard to guess or difficult for an automated program to crack. 
  • Encourage the use of three random words. It’s an effective way to make strong passwords that are easier to remember. 
  • Password managers are a good option for people who need to remember login details for multiple accounts.