Password Security Playbook
Compromised credentials are among the most common initial-access vectors in serious cyberattacks. This playbook defines what good looks like for password creation, storage, MFA, and governance, for every person in your organisation.
Password Creation Standards
A weak password is not better than nothing — it's a false sense of security. These are the minimum standards all staff must follow for any business system.
Minimum Length: 14 Characters
Length is the most important factor in password strength: each extra character multiplies the search space an attacker has to cover, so going from 8 to 14 characters raises the brute-force effort by many orders of magnitude. ACSC recommends 14 as the minimum.
Complexity Requirements
Passwords must include uppercase letters, lowercase letters, numbers, and at least one special character (!, @, #, $, %, etc.). A single dictionary word with a digit or symbol appended does not qualify.
Use Passphrases
A memorable passphrase (4+ random words) is both secure and usable. Example format: Correct-Horse-Battery-Staple-7! (31 characters, easy to type). Do not use this particular one: it is the well-known xkcd example and appears in every cracking wordlist. Pick the words at random from a word list rather than from memory, because the strength comes from the random choice, not from the length alone.
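As an added example (not part of the original playbook or any Melbits tooling), the following PowerShell builds a passphrase from randomly chosen words using a cryptographic RNG and reports how much entropy such a passphrase carries. The 16-word list is a constructed sample; in practice load a large list such as the EFF long diceware list from a file.

```powershell
# Added example (not Melbits tooling): random-word passphrase with a CSPRNG,
# plus an entropy estimate. The word list is a constructed 16-word sample;
# use a real list (e.g. the EFF long list, 7,776 words) loaded from a file.
$SampleWords = @('harbour','lantern','pebble','violet','copper','meadow','tunnel','whisker',
                 'saddle','glacier','orchard','pillow','falcon','marble','ripple','thistle')

function New-Passphrase {
    param(
        [string[]]$WordList = $SampleWords,
        [int]$WordCount = 4,
        [string]$Separator = '-',
        [string]$Suffix = '7!'   # digit and symbol so the result passes the complexity rule;
                                 # a fixed suffix adds no entropy, so vary it per passphrase
    )
    # RandomNumberGenerator is a cryptographic RNG; Get-Random gives no such
    # guarantee (and -SetSeed makes its output fully predictable).
    $words = for ($i = 0; $i -lt $WordCount; $i++) {
        $idx = [System.Security.Cryptography.RandomNumberGenerator]::GetInt32($WordList.Count)
        $w = $WordList[$idx]
        $w.Substring(0, 1).ToUpper() + $w.Substring(1)   # capitalised for mixed case
    }
    ($words -join $Separator) + $Separator + $Suffix
}

function Get-PassphraseEntropyBits {
    # Entropy comes from the number of equally likely choices, not from the
    # characters: log2(listSize ^ wordCount) = wordCount * log2(listSize).
    param([int]$WordListSize, [int]$WordCount)
    [math]::Round($WordCount * [math]::Log($WordListSize, 2), 1)
}

New-Passphrase
Get-PassphraseEntropyBits -WordListSize $SampleWords.Count -WordCount 4
Get-PassphraseEntropyBits -WordListSize 7776 -WordCount 4
```

Four words from the sample list give only 16 bits, which is why a real list matters: four words from a 7,776-word list give 4 × log2(7776) ≈ 51.7 bits, and a fifth word adds another 12.9. That is the check to apply when judging a passphrase scheme, rather than counting characters.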
No Reused Passwords
Each account must have a unique password. When attackers obtain a password from one breach, they immediately try it on email, banking, and Microsoft 365 — known as credential stuffing.
No Predictable Patterns
Never use patterns such as Password1!, Company2024! or Summer2024 (a word or company name, a year, a trailing symbol). They satisfy naive complexity rules and are among the first candidates automated crackers and password-spray tools try.
Multi-Factor Authentication (MFA)
MFA is the single most impactful control you can implement. An attacker who holds only your password is stopped at the second factor, which defeats credential stuffing and password spraying outright; phishing-resistant methods for the hardest targets are covered below. It is non-negotiable for all business systems.
Enable MFA on All Business Accounts
Microsoft 365, business banking portals, practice management software, and any system that holds client data must have MFA enabled. No exceptions.
Use an Authenticator App — Not SMS
Microsoft Authenticator or Google Authenticator are preferred. SMS codes can be redirected by SIM-swapping the victim's number or intercepted in transit, and are the easiest factor for a phishing page to relay in real time. Use an app wherever possible.
Never Approve Unexpected MFA Requests
If your Authenticator app shows a request you didn't initiate, deny it. Someone has your password and is trying to log in. Report it to IT immediately so the password can be reset. Keep number matching enabled (Microsoft enforces it by default) so that a blind tap on Approve cannot complete a sign-in you never started.
Mandate MFA via Conditional Access
Deploy Conditional Access policies in Entra ID to enforce MFA for all users on all applications. Block legacy authentication protocols (basic-auth IMAP, POP, SMTP AUTH, Exchange ActiveSync and similar), which cannot present a second factor and so bypass MFA. Exclude one or two emergency-access (break-glass) accounts from every policy, protect them with hardware keys, and alert on any sign-in by them.
Require Phishing-Resistant MFA for Admins
Admin accounts must use FIDO2 hardware keys (YubiKey) or Windows Hello for Business, not push notifications, which are vulnerable to MFA fatigue attacks. Enforce this with a Conditional Access policy scoped to directory roles that requires the built-in Phishing-resistant MFA authentication strength, switched on only after every admin has registered a key.
Monitor MFA Registration & Usage
Review MFA registration reports monthly. Any admin account without MFA is a critical finding. Alert on MFA method changes (a new phone, a new authenticator app, a removed key), particularly for privileged accounts: registering a new method is how an attacker keeps access after a password reset.
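The three Conditional Access policies the preceding steps describe (MFA for everyone, block legacy authentication, phishing-resistant MFA for admins), as an added example using Microsoft Graph PowerShell rather than anything from the original playbook. Assumptions: the break-glass object ID is a placeholder to replace, only the Global Administrator role template ID is listed for admins (add the other privileged roles you use), and the authentication strength GUID is the well-known ID of the built-in Phishing-resistant MFA strength, which you can confirm with Get-MgPolicyAuthenticationStrengthPolicy.

```powershell
# Added example (not Melbits tooling): create the playbook's three Conditional
# Access policies in report-only mode via Microsoft Graph PowerShell.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$BreakGlassAccounts = @('00000000-0000-0000-0000-000000000000')     # placeholder: your emergency-access account object ID(s)
$AdminRoles         = @('62e90394-69f5-4237-9190-012177145e10')     # Global Administrator role template ID; add others you use
$PhishingResistant  = '00000000-0000-0000-0000-000000000004'        # built-in "Phishing-resistant MFA" authentication strength

$policies = @(
    @{
        displayName = 'CA01 - Require MFA for all users on all apps'
        state       = 'enabledForReportingButNotEnforced'            # report-only first; flip to 'enabled' after review
        conditions  = @{
            users          = @{ includeUsers = @('All'); excludeUsers = $BreakGlassAccounts }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    },
    @{
        displayName = 'CA02 - Block legacy authentication'
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users          = @{ includeUsers = @('All'); excludeUsers = $BreakGlassAccounts }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('exchangeActiveSync', 'other')        # the client types that cannot do MFA
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    },
    @{
        displayName = 'CA03 - Phishing-resistant MFA for admins'
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users          = @{ includeRoles = $AdminRoles; excludeUsers = $BreakGlassAccounts }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        grantControls = @{
            operator = 'OR'
            authenticationStrength = @{ id = $PhishingResistant }   # FIDO2, WHfB or certificate-based auth only
        }
    }
)

foreach ($p in $policies) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Select-Object DisplayName, State
}
```

All three are created in report-only mode on purpose: review the sign-in log's report-only results for a week, confirm the break-glass accounts are excluded and every admin has a registered FIDO2 key or Windows Hello for Business, then change state to enabled. Enabling CA03 before admins have registered a phishing-resistant method locks them out.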
Password Storage & Sharing
Do:
- Use an approved password manager (see Section 6) for all passwords
- Store recovery codes for MFA in a secure, offline location
- Use delegation (shared mailboxes, role assignments, the password manager's shared vaults) instead of handing out credentials; where a shared account is unavoidable, keep its password only in the shared vault
- Change shared passwords immediately when a team member with access leaves
Never:
- Share your password with anyone, including IT staff or supervisors
- Store passwords in a browser on an unmanaged personal device
- Write passwords on sticky notes, notebooks, or unencrypted documents
- Send passwords via email, SMS, Teams, or Slack, even temporarily
- Store passwords in a spreadsheet, even a password-protected one
Password Expiry & Reset Policy
Microsoft and NIST (SP 800-63B) have moved away from mandatory periodic password changes: forced rotation produces predictable increments (Password1 → Password2) rather than stronger passwords. Set passwords to never expire in Entra ID and rely on long, unique passwords with MFA; force a reset only on a risk signal, such as a leaked-credential or risky sign-in alert, a breach notification, or a suspected compromise.
Account Lockout Policy
Failed Login Threshold
Lock the account after 10 failed login attempts (the Entra ID smart lockout default). This stops online brute-force attempts while leaving room for an accidental mistype.
Lockout Duration
Standard users unlock automatically after 15 minutes. Admin accounts should stay locked until IT unlocks them, so that the lockout is investigated before access is restored rather than silently clearing. Keep a break-glass account outside this rule so an attacker cannot lock every administrator out at once.
Observation Window
Reset the failed-attempt counter after 15 minutes without a failure. On Active Directory the observation window must not be longer than the lockout duration. Note the trade-off: a slow, distributed password spray that stays under the threshold within each window never triggers a lockout, so lockouts alone will not reveal it and failed sign-ins need monitoring in their own right.
Alert on Repeated Lockouts
Repeated lockouts on the same account in a short period indicate a targeted brute-force attempt (or a stale credential on a forgotten device); lockouts or failures across many accounts from the same source in the same period indicate a password spray. IT should be alerted automatically in both cases.
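An added example covering the whole lockout section (threshold, duration, observation window and alerting); it is not part of the original playbook. Part 1 checks an on-prem Active Directory default domain policy against the playbook values, using the property names the RSAT ActiveDirectory module's Get-ADDefaultDomainPasswordPolicy returns; a constructed weak policy object stands in for a live domain. Part 2 flags the two attack patterns in lockout events over a constructed set of events whose fields mirror Security event 4740 (account name and caller computer) as logged on the PDC emulator. Account and host names are invented.

```powershell
# Added example, not from the Melbits playbook. Part 1: policy check against the
# playbook's lockout values (real Get-/Set-ADDefaultDomainPasswordPolicy need the
# RSAT ActiveDirectory module). Part 2: alerting on constructed 4740-style events.

$Playbook = @{ Threshold = 10; DurationMinutes = 15; WindowMinutes = 15 }

function Test-DomainLockoutPolicy {
    # $Policy: the object returned by Get-ADDefaultDomainPasswordPolicy
    param([Parameter(Mandatory)] $Policy)
    $findings = @()
    if ($Policy.LockoutThreshold -eq 0) {
        $findings += 'LockoutThreshold is 0: account lockout is disabled'
    } elseif ($Policy.LockoutThreshold -gt $Playbook.Threshold) {
        $findings += "LockoutThreshold $($Policy.LockoutThreshold) exceeds the playbook value of $($Playbook.Threshold)"
    }
    if ($Policy.LockoutDuration.TotalMinutes -lt $Playbook.DurationMinutes) {
        $findings += "LockoutDuration $($Policy.LockoutDuration) is shorter than $($Playbook.DurationMinutes) minutes"
    }
    if ($Policy.LockoutObservationWindow.TotalMinutes -lt $Playbook.WindowMinutes) {
        $findings += "LockoutObservationWindow $($Policy.LockoutObservationWindow) is shorter than $($Playbook.WindowMinutes) minutes"
    }
    # AD rejects an observation window longer than the lockout duration.
    if ($Policy.LockoutObservationWindow -gt $Policy.LockoutDuration) {
        $findings += 'LockoutObservationWindow must not exceed LockoutDuration'
    }
    $findings
}

# Constructed stand-in for Get-ADDefaultDomainPasswordPolicy output with weak settings.
$WeakPolicy = [pscustomobject]@{
    LockoutThreshold         = 50
    LockoutDuration          = [TimeSpan]::FromMinutes(1)
    LockoutObservationWindow = [TimeSpan]::FromMinutes(1)
}
Test-DomainLockoutPolicy -Policy $WeakPolicy
# Apply the playbook values on a domain-joined host as a domain admin:
# Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot -LockoutThreshold 10 `
#     -LockoutDuration '00:15:00' -LockoutObservationWindow '00:15:00'

$base = Get-Date '2024-06-03 09:00:00'
$SampleLockouts = @(
    # constructed: one account locked four times in under an hour from one host
    @{ Time = $base.AddMinutes(0);  Account = 'jsmith';  Source = 'WS-117' }
    @{ Time = $base.AddMinutes(16); Account = 'jsmith';  Source = 'WS-117' }
    @{ Time = $base.AddMinutes(32); Account = 'jsmith';  Source = 'WS-117' }
    @{ Time = $base.AddMinutes(48); Account = 'jsmith';  Source = 'WS-117' }
    # constructed: five different accounts locked once each from the VPN gateway
    @{ Time = $base.AddMinutes(5);  Account = 'alee';    Source = 'VPN-GW' }
    @{ Time = $base.AddMinutes(9);  Account = 'rpatel';  Source = 'VPN-GW' }
    @{ Time = $base.AddMinutes(14); Account = 'mchen';   Source = 'VPN-GW' }
    @{ Time = $base.AddMinutes(21); Account = 'dkhan';   Source = 'VPN-GW' }
    @{ Time = $base.AddMinutes(27); Account = 'sbrown';  Source = 'VPN-GW' }
    # constructed: a single mistyped-password lockout; no alert expected
    @{ Time = $base.AddMinutes(20); Account = 'bnguyen'; Source = 'WS-042' }
) | ForEach-Object { [pscustomobject]$_ }

function Find-LockoutAttacks {
    param(
        [Parameter(Mandatory)] [object[]]$Events,   # objects with Time, Account, Source
        [int]$WindowMinutes = 60,
        [int]$RepeatThreshold = 3,   # lockouts of one account within the window
        [int]$SprayThreshold = 5     # distinct accounts locked from one source
    )
    $latest = ($Events | Sort-Object Time -Descending | Select-Object -First 1).Time
    $recent = @($Events | Where-Object { $_.Time -ge $latest.AddMinutes(-$WindowMinutes) })
    $alerts = @()
    # Repeated lockouts on one account: targeted brute force or a stale credential.
    foreach ($g in ($recent | Group-Object Account)) {
        if ($g.Count -ge $RepeatThreshold) {
            $alerts += [pscustomobject]@{ Type = 'RepeatedLockout'; Key = $g.Name; Count = $g.Count }
        }
    }
    # Many distinct accounts locked from one source: password spray.
    foreach ($g in ($recent | Group-Object Source)) {
        $distinct = @($g.Group.Account | Sort-Object -Unique).Count
        if ($distinct -ge $SprayThreshold) {
            $alerts += [pscustomobject]@{ Type = 'PasswordSpray'; Key = $g.Name; Count = $distinct }
        }
    }
    $alerts
}

Find-LockoutAttacks -Events $SampleLockouts | Format-Table
# Live data from the PDC emulator (4740 properties: [0] TargetUserName, [1] caller computer name):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-1) } |
#     ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Account = $_.Properties[0].Value; Source = $_.Properties[1].Value } }
```

Against the sample data the policy check reports all four weaknesses, and the event analysis raises a RepeatedLockout alert for jsmith and a PasswordSpray alert for VPN-GW while ignoring the single bnguyen lockout. Because a careful spray stays under the threshold and never locks anyone out, run the same grouping over failed sign-ins (event 4625 or 4771 on-prem, failure codes in the Entra sign-in log) as well, not only over lockouts. For admin accounts, a Fine-Grained Password Policy applied to the admin group is the way to give them stricter lockout settings than the domain default.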
Password Managers — Required for All Staff
A password manager is the only practical way to have unique, strong passwords for every account without writing them down or reusing them. All staff should use an approved password manager.
Microsoft Authenticator + Browser Integration
For M365 environments, Microsoft Authenticator's built-in password storage provides autofill on Edge and Chrome for users already carrying the app. It is an individual feature with no shared vaults, role-based access or audit trail of who retrieved which credential, so it suits sole users rather than teams that need to share and rotate credentials; evaluate the dedicated products below if you need those controls.
Bitwarden (Business)
Open-source, independently audited, with enterprise sharing and admin controls. Preferred choice for teams wanting a dedicated password management platform separate from Microsoft.
1Password (Teams/Business)
Well-established platform with strong security architecture. Supports travel mode, secret keys, and team vaults. Good choice for businesses with compliance requirements.
Director & Business Owner Responsibilities
Password security isn't just an IT matter — it requires visible leadership and policy-level support. Directors and business owners have specific responsibilities.
Formalise the Password Policy
Adopt this playbook or a derivative as official company policy. Employees and contractors should acknowledge it in writing during onboarding.
Lead by Example
Executive accounts are the highest-value targets. Directors should use phishing-resistant MFA (hardware keys), password managers, and separate admin accounts — not just expect this of staff.
Fund Password Manager Deployment
Password managers typically cost $3–$6 per user per month. This is one of the highest-ROI security investments available. Approve the budget.
Include Password Policy in Staff Contracts
Password and credential security obligations should be explicit in employment agreements and contractor terms — creating accountability and enabling enforcement.
Training, Awareness & Policy Review
New Staff Induction
All new employees must complete password security training and acknowledge the policy before they're issued business credentials.
Phishing Simulation & Refresh
Run a quarterly phishing simulation. Staff who click should receive targeted training, not punishment. Track click rates as a metric over time.
Full Policy Review
Review this policy annually against current ACSC guidance, any incidents in the past year, and any changes to your IT environment or staff structure.
Post-Incident Briefing
After any credential-related security incident — internal or industry-wide — run a team briefing. Use real examples without blame to reinforce the stakes.
Want to Deploy These Controls?
Melbits can configure MFA, Conditional Access, and password management for your M365 environment. Book a free review and we'll show you where your biggest gaps are.