Have password policies done more harm than good?

Organizations implement a password policy to help users protect their passwords against misuse by others. These policies, however, have become increasingly demanding for the users. In September 2015, the UK cyber-security organization CESG brought a fresh attitude to password policy advice:

 ‘By simplifying your organisation’s approach to passwords, you can reduce the workload on users, lessen the support burden on IT departments, and combat the false sense of security that unnecessarily complex passwords can encourage.’


The traditional methods for strengthening passwords include:

  • Making compromised passwords irrelevant by changing passwords frequently.
  • Never reusing a password that has been compromised.
  • Avoiding a pattern when creating passwords; otherwise, anyone who learns one password can predict the next one.
  • Mixing characters of different types and using long passwords, making the password difficult to crack by technical means.
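To make the traditional controls above concrete, here is an added Python example (not code from the original page, nor from CESG or NIST) of the checks a password-change handler might run: rejecting a password that is known to be compromised or was used before, detecting a predictable variant of the current password (same stem with the year bumped, or only a few characters changed), and enforcing length and character-class rules. The history and breached-password sets, the SHA-256 hashing, the thresholds and the sample passwords are all constructed for illustration; a production system would store slow, salted hashes (bcrypt, scrypt or Argon2) and would normally query a breach-check service rather than a local set.

```python
import hashlib
import re
import string


def _h(pw: str) -> str:
    """Hash a password for comparison. Assumption for the example only:
    real systems use a slow salted hash, not plain SHA-256."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


# Constructed sample data (not from the page): the user's previous passwords
# and a small stand-in for a list of known-compromised passwords.
HISTORY = [_h("Winter2014!"), _h("Spring2015!")]
BREACHED = {_h("Password1"), _h("Summer2015!")}


def char_classes(pw: str) -> int:
    """Count how many of lower/upper/digit/symbol classes appear in pw."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(1 for cls in classes if any(ch in cls for ch in pw))


def stem(pw: str) -> str:
    """Strip the trailing digit/symbol run and case-fold, so that
    'Summer2015!' and 'Summer2016!' collapse to the same stem."""
    return re.sub(r"[\d\W_]+$", "", pw).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value means the new password is a minor edit of the old."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def evaluate_change(old_pw, new_pw, history, breached,
                    min_len=12, min_classes=3, min_distance=4):
    """Return the list of policy problems with new_pw (empty list means accepted).
    old_pw is available in plaintext because the user supplies it to change it."""
    problems = []
    digest = _h(new_pw)
    if digest in breached:
        problems.append("known-compromised")
    if new_pw == old_pw or digest in history:
        problems.append("reused")
    if stem(new_pw) == stem(old_pw) or levenshtein(old_pw, new_pw) < min_distance:
        problems.append("predictable-from-previous")
    if len(new_pw) < min_len:
        problems.append("too-short")
    if char_classes(new_pw) < min_classes:
        problems.append("too-few-character-classes")
    return problems


if __name__ == "__main__":
    for candidate in ("Summer2015!", "Spring2016!", "Winter2014!",
                      "correct horse battery staple", "Tulip-Harbour-Kettle-41"):
        print(f"{candidate!r}: {evaluate_change('Spring2015!', candidate, HISTORY, BREACHED)}")
```

Note what the rules do to "correct horse battery staple": it passes every check except the character-class mix, which is exactly the kind of complexity rule the CESG guide argues burdens users while encouraging a false sense of security.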

Despite these sensible measures, CESG advocates a simpler approach in its new guide, Password Guidance: Simplifying Your Approach (https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/458857/Password_guidance_-_simplifying_your_approach.pdf).

The advice aligns with that given by the US organization NIST in A Guide to Password Management from 2009.

Both organisations recommend making users responsible for password security while acknowledging the natural limitations of human users. When password policies become too demanding, many users will defend themselves with coping strategies of their own, such as writing passwords on sticky notes.

But does a password policy decision have to be EITHER/OR? Why not BOTH/AND?


When confronted with ambitious cyber-security policies, some users protect themselves from forgetting a password by writing it on sticky notes easily visible to colleagues.

However, a good password self-service tool removes the fear of being locked out that prompts such counterproductive measures, by allowing users to reset a forgotten password without contacting the service desk. Developing users’ confidence that they can ‘self-service’ successfully is vital. Please see our ‘5 steps to password self-service success.’


Our experience leads us to conclude that you can have strong password policies and, at the same time, have users keep their passwords private – as long as a good password self-service tool is available.
