Back
Cyber Security Training & Software for Companies | MetaCompliance

Products

Discover our suite of personalised Security Awareness Training solutions, designed to empower and educate your team against modern cyber threats. From policy management to phishing simulations, our platform equips your workforce with the knowledge and skills needed to safeguard your organisation.

Cyber Security eLearning

Cyber Security eLearning to Explore our Award-Winning eLearning Library, Tailored for Every Department

Security Awareness Automation

Schedule Your Annual Awareness Campaign In A Few Clicks

Phishing Simulation

Stop Phishing Attacks In Their Tracks With Award-Winning Phishing Software

Policy Management

Centralise Your Policies In One Place And Effortlessly Manage Policy Lifecycles

Privacy Management

Control, Monitor, and Manage Compliance with Ease

Incident Management

Take Control Of Internal Incidents And Remediate What Matters

Back
Industry

Industries

Explore the versatility of our solutions across diverse industries. From the dynamic tech sector to healthcare, delve into how our solutions are making waves across multiple sectors. 


Financial Services

Creating A First Line Of Defence For Financial Service Organisations

Governments

A Go-To Security Awareness Solution For Governments

Enterprises

A Security Awareness Training Solution For Large Enterprises

Remote Workers

Embed A Culture Of Security Awareness - Even At Home

Education Sector

Engaging Security Awareness Training For The Education Sector

Healthcare Workers

See Our Tailored Security Awareness For Healthcare Workers

Tech Industry

Transforming Security Awareness Training In The Tech Industry

NIS2 Compliance

Support Your Nis2 Compliance Requirements With Cyber Security Awareness Initiatives

Back
Resources

Resources

From posters and policies to ultimate guides and case studies, our free awareness assets can be used to help improve cyber security awareness within your organisation.

Cyber Security Awareness For Dummies

An Indispensable Resource For Creating A Culture Of Cyber Awareness

Dummies Guide To Cyber Security Elearning

The Ultimate Guide To Implementing Effective Cyber Security Elearning

Ultimate Guide To Phishing

Educate Employees About How To Detect And Prevent Phishing Attacks

Free Awareness Posters

Download These Complimentary Posters To Enhance Employee Vigilance

Anti Phishing Policy

Create A Security-Conscious Culture And Promote Awareness Of Cyber Security Threats

Case Studies

Hear How We’re Helping Our Customers Drive Positive Behaviour In Their Organisations

A-Z Cyber Security Terminology

A Glossary Of Must-Know Cyber Security Terms

Cyber Security Behavioural Maturity Model

Audit Your Awareness Training And Benchmark Your Organisation Against Best Practice

Free Stuff

Download Our Free Awareness Assets To Improve Cyber Security Awareness In Your Organisation

Back
MetaCompliance | Cyber Security Training & Software for Employees

About

With 18+ years of experience in the Cyber Security and Compliance market, MetaCompliance provides an innovative solution for staff information security awareness and incident management automation. The MetaCompliance platform was created to meet customer needs for a single, comprehensive solution to manage the people risks surrounding Cyber Security, Data Protection and Compliance.

Why Choose Us

Learn Why Metacompliance Is The Trusted Partner For Security Awareness Training

Leadership Team

Meet the MetaCompliance Leadership Team

Careers

Join Us and Make Cybersecurity Personal

Employee Engagement Specialists

We Make It Easier To Engage Employees And Create a Culture of Cyber Awareness

MetaBlog

Stay informed about cyber awareness training topics and mitigate risk in your organisation.

Comprehensive Password Policy Best Practices for 2025

Password Policy Best Practices 2025 for Strong Security

about the author

Share this post

A strong password policy is often the first line of defence against cyber attacks, yet many organisations continue to follow outdated guidelines that expose them to significant risk.

According to Verizon’s 2020 Data Breach Investigations Report, lost or stolen credentials remain the number one hacking tactic used by malicious actors to perpetrate data breaches, with compromised or weak passwords responsible for 35% of all breaches.

Password security has never been more important, especially with large numbers of the workforce continuing to work from home. The threat surface has expanded so it’s crucial that organisations update their password policy to educate staff on how to create strong passwords and provide a robust defence against cyber threats.

Previous guidance on password security tended to focus on uniqueness, complexity, minimum password length, and regular password changes; however, the latest advice has moved away from this as many of these password practices could in fact cause users to create weaker instead of stronger passwords.

The National Institute of Standards and Technology (NIST) has addressed the importance of password policies by issuing NIST Special Publication 800-63B (Digital Identity Guidelines – Authentication and Lifecycle Management). The publication provides up to date advice for organisations on how they can improve the authentication process and reduce the risk of a security breach.

Microsoft and the National Cyber Security Centre (NCSC) have all also updated their guidance on passwords to help organisations implement password policies that can defend against evolving threats and support the ways in which people naturally work.

To ensure your password policy is effective and meets the standards recommended by NIST, Microsoft, and the NCSC, we’ve compiled all the latest guidelines into actionable advice that your organisation can use to improve password security.

Password Policy Best Practices

Increase password length and reduce the focus on password complexity

Password Policy - Length vs Complexity

In the past, advice on password security has focused heavily on the creation of complex passwords, but this often leads to the reuse of existing passwords with minor modifications. According to the National Cyber Security Council: “Complexity requirements place an extra burden on users, many of whom will use predictable patterns (such as replacing the letter ‘o’ with a zero or using special characters) to meet the required ‘complexity’ criteria.

Attackers are familiar with these strategies and use this knowledge to optimise their attacks.” Password length is often a much more important factor as a longer password is statistically more difficult to crack. NIST and Microsoft advise a minimum length of 8 characters for a user-generated password, and to bolster security for more sensitive accounts, NIST recommends organisations set the maximum password length at 64 characters. This allows for the use of passphrases. A passphrase is a password composed of a sentence or combination of words. It helps users memorise longer passwords and makes it more difficult for hackers to guess using brute force.

Screen passwords against blacklists

Password reuse is a common problem and according to a Google/Harris survey, 52% of people reuse the same password across multiple accounts. This risky behaviour has led to a huge surge in credential stuffing attacks as hackers attempt to cash-in on the billions of compromised credentials available to buy on the dark web. Using these stolen credentials, hackers can attempt to access additional user accounts using the same compromised password.

To combat this threat, NIST recommends that organisations utilise software that screens passwords against a blacklist that includes dictionary words, repetitive or sequential strings, passwords stolen in previous breaches, commonly used passphrases, or other words and patterns that hackers could guess. This screening process helps users avoid selecting passwords that pose a risk to security and will flag up if a previously safe password becomes exposed in the future.

Eliminate regular password resets

Password Policy Best Practices - Password Resets

Many organisations require their employees to change their passwords at regular intervals, often every 30, 60 or 90 days. However, recent studies have shown that this approach to password security is often counter productive and can in fact make security worse. Typically, users will have multiple passwords that they need to remember, so when they are forced to do a periodic reset, they will resort to predictable behavioural patterns such as choosing a new password that is only a minor variation of the old one.

They may update it by changing a single character or adding a symbol that looks like a letter (Such as ! instead of I). If an attacker already knows the user’s existing password, it won’t be too hard to crack the updated version. NIST recommends removing this requirement to make password security more user-friendly, and Microsoft advises: “If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.”

Allow password copy and paste

NIST has revised its previous guidance and now recommends the use of ‘copy and paste’ when typing in a password. This helps promote the use of password managers which undoubtedly increases security by enabling users to generate longer passwords which are more difficult to crack.

Limit Password attempts

Using brute-force attack, hackers may attempt to breach an account by systematically logging in and trying every possible combination of letters, numbers, and symbols until they work out the right password combination. One of the best ways to defend against this type of attack is limiting the number of password attempts that any single IP address can make within a certain time frame.

Don’t use password hints

Password hints are frequently used by organisations to help their users remember complex passwords. It may be a simple prompt or the user is required to answer a personal question such as ‘what city were you born in?’ or ‘What is the name of your first school?’. The answers to many of these questions can easily be found on social media by a determined attacker. This undermines security which is why NIST has advised organisations to drop this practice as it could potentially increase the chance of a breach.

Use Multi-Factor Authentication

Password Policy Best Practices - MFA

Multi-factor authentication (MFA) is one of the most effective ways to provide additional protection to a password-protected account. According to Microsoft, accounts are more than 99.9% less likely to be compromised if MFA is enabled. However, a recent GetApp survey found only 55% of respondents use two-factor authentication by default for their business and personal accounts when it is available.

There are three types of authentication that can be used:

  • Something you know: A password, PIN, postcode, or answer to a question (ex: mother’s maiden name).
  • Something you have: A token, phone, credit card, SIM, or physical security key.
  • Something you are: Biometric data such as a fingerprint, voice, or facial recognition.

Some of these verification methods are undoubtedly more secure than others but essentially it means that even if someone steals or guesses a password, they won’t be able to access the account without another authenticating factor.

Train staff on password best practice

There’s lots of conflicting advice on what constitutes a secure password so it’s crucial that your staff understand best practice and are fully versed on what your password policy requires of them. Security awareness training should educate staff on:

  • The risks of reusing the same passwords across home and work accounts
  • How to create strong and secure passwords
  • How to enable MFA
  • How to use an automated password manager to store passwords securely
Cyber Security Awareness for Dummies

Other Articles on Cyber Security Awareness Training You Might Find Interesting