Even with the right measures in place for employee and user access, it’s absolutely essential for companies of all sizes to require strong passwords and to make sure their employees understand why strong passwords matter.

A company may have the best security technology and measures in place, but if passwords aren’t strong or there isn’t a comprehensive password management process in place, there are potential risks.

Even in large corporations, employees’ passwords are among the biggest weaknesses in IT security.

So, what can be done to reduce the risk? The following are some key tips to help create an employee password policy that works.

Have a Written Policy

The most important thing businesses can do is write out their password policy, just as they would with any other policy.

The password policy needs to be clear and concise but also detailed.

Written policies are one of the best ways to make sure that everyone follows them, because a written policy leaves no room for ambiguity.

A password policy needs to have no gray area, and there are templates that can be followed from organizations like the Society for Human Resource Management. The SHRM template includes a defined objective and scope, and outlines the procedures that are to be followed.

It also features strict guidelines on how to construct passwords and on what differentiates a weak password from a strong one.

Of course, it can’t be so complex that employees feel that it’s a burden to follow the policy. There needs to be a balance between security and realistic expectations.

Focus on the Entire Password Lifecycle

Even when employees are aware of how to create a strong password, it’s meaningless if they don’t know how to manage it.

Password policies need to address not just how to set up strong passwords, but how to avoid things like phishing attacks, which are one of the most common cyber attacks employees face.

External threats are constantly changing and evolving, so it’s the responsibility of businesses to make sure they update policies frequently to address these changes.

It’s not enough to just have a written policy in place—employees need to be trained on compliance and on how to recognize and report potential threats or attacks. Employees should be trained on these topics not only during onboarding but throughout their time at a company.

Just as policies should be updated to reflect changing threats, so should training.

A lot of employees fall prey to phishing and other attacks simply because they don’t know the risks and don’t know what to watch for. This is easy to address if companies focus on training and regularly keep these topics at the forefront of discussion with employees.

Training needs to cover how to detect threats and the protocols that should be followed when a suspected threat is detected.

Finally, it’s so important for companies to be proactive when it comes to all issues relating to passwords and security. Buy-in needs to begin at the top to ensure that employees see how important passwords and IT security are to everyone within an organization. It needs to be reinforced often, and always be a top priority.