🔑 Password Policy for Small Businesses: A Practical Guide
On this page
Most small businesses don't have a written password policy — and that's exactly why they're targeted. 43% of cyber attacks target SMBs, but only 14% are prepared.
The Four Pillars of a Business Password Policy
An effective policy rests on four principles: password creation standards, credential storage and sharing, multi-factor authentication, and lifecycle management.
Minimum Password Standards
NIST SP 800-63B compliant: 14+ characters, 3 of 4 character sets, no dictionary words, no personal information, no keyboard patterns.
Implement a Password Manager
Choose a business-grade manager with admin console, shared vaults, role-based access, and audit logs. Create shared vaults by department.
Multi-Factor Authentication: Where to Enforce
MFA must be mandatory for email (hardware key), financial accounts (TOTP app), and cloud platforms. Social media should use MFA where available.
Onboarding and Offboarding
On offboarding, revoke password manager access immediately. Rotate ALL credentials the employee had access to. Disable SSO sessions. Remove MFA devices.
Auditing and Enforcement
Monthly automated checks for weak/reused/old passwords. Quarterly review of access logs. Annual policy refresh against current NIST guidelines.
Business Password Policy Template
You can adapt this template for your organisation:
Section 1: Scope — All employees, contractors, and third parties with access to company systems.
Section 2: Password Creation — Minimum 14 characters. Use a passphrase of 5+ random words. No personal information. No reuse across business accounts. All passwords generated using a CSPRNG-based tool like StrongPassFactory.
Section 3: Storage — Company-approved password manager only. No shared spreadsheets, sticky notes, or unencrypted text files.
Section 4: MFA — Required for all accounts. Hardware security keys for privileged access. TOTP authenticator apps as secondary.
Section 5: Rotation — Passwords changed immediately on compromise notification. No forced rotation otherwise (per NIST SP 800-63B).
Section 6: Enforcement — Automated audits. Violations reported to manager. Repeated violations escalate to HR.
Implementing Your Policy
- Set up a password manager with team sharing
- Configure Kaspersky password assessment on all workstations
- Enable MFA on all business accounts
- Run credential audit against Have I Been Pwned
- Document the offboarding procedure
- Schedule quarterly policy reviews
FAQs
How long should a business password be? NIST SP 800-63B specifies 15+ characters as the minimum. StrongPassFactory defaults to 20 characters for safety.
How often should passwords be changed? NIST SP 800-63B prohibits forced periodic rotation. Only change on actual or suspected compromise.
What's the best password manager for small businesses? Bitwarden (open source, affordable teams plan), 1Password (polished UX), or Keeper (enterprise features at SMB pricing).
Sources
- NIST SP 800-63B Digital Identity Guidelines (2025)
- Verizon 2025 Data Breach Investigations Report
- NCSC Small Business Guide: Cyber Security