Guide to best password policy

Challenges and solutions to secure corporate passwords

Password policy consists of three areas:

Strength or complexity requirements 


Account lockout


With a good password policy, it is difficult for attackers to guess or breach passwords. As passwords are used for authentication, it is crucial to protect users’ passwords. A strong password policy reduces the inherent risk of successful brute force attacks and mitigates the risk of users revealing or disclosing a password. 

What is a strong password? 


A strong password is difficult to guess! To help users create strong passwords, we force users to make passwords complex and of a certain minimum length. 

A strong password policy is efficient if it protects against hackers’ most popular methods. 

  • We need to protect accounts against SPRAY attacks where hackers try to get access with thousands of different passwords. A typical example of a password used by hackers in such a brute force attack against company ABC will be ABC2019 or 2019ABC. The hacker will also test combinations with user-ids and the month like JOEJ08. Good hackers have extensive statistics on the way users construct passwords.  
  • Another wellknown hacker strategy is to buy user-ids with passwords from data breaches from commercial web systemsHackers know that many users use the same password for private and professional use. Often the passwords are hashed, but using green tables hackers can join popular passwords with user-ids. Hackers simply put the 35,000 most popular passwords through the same hashing algorithms and then see where they get a hit. If the user then uses the same password the hacker has a hit! 


A good password policy with strong passwords will prevent users from making passwords that hackers can easily break! 

How do we implement strong passwords? 


In conclusion, use Active Directory password policy rules. This is however not enough, so you must add protection from supplementary services or products. 

The foundation is Active Directory’s password policy. When you set password policy to complex, Active Directory will require that 3 of the following 5 criteria are met: 

  • Alphabetic lowercase European languages
  • Alphabetic uppercase European languages 
  • Unicode alphabetic characters non-European languages 
  • Numeric characters (09) 
  • Special characters – not alphabetic 

You can specify a minimum length of a password. You can’t, however, specify a maximum length. Password history will make sure that the user cannot use the same password again for a number of changes. Together with minimum password agethis ensures the user will not change the password back to the current password. 

With AD password policy you can prevent users from using their names and user-id as part of the password. 

A password can be disclosed. To prevent the account being open forever, forced password expirations stop the misuse. You can define the password expiration in AD. 

As an example, a password like Abcd1234 lives up to the complexity requirements with 3 of the 5 criteria but will be tried by hackers! 


You need to make passwords even stronger than the AD password policy does, and you should consider additional help for users: 

Force special characters into the password. Special characters do not exist in names and periods and are very difficult to predict for hackers. 

Force 2 different changes from the last passwordThis will prohibit the changing of a single number in the password. A hacker can easily spot if there is a number and try numbers in succession, this rule prevents that issue. 

Prevent the use of popular passwords. If you prevent users from using the most popular 35,000 passwords, then it doesn’t matter that the user uses these passwords in his private life. It will never be used in your corporate systems. The complete backlist of passwords should include combinations of a company name, address and other types of shared company information. 

Prevent reuse of passwords. If a password has been disclosed, the receiver of the password might retry that password again and again. If the user can reuse the password at some time in the future, the criminal will be successful again. Preventing the use of previous passwords will prevent this. This is called password history prevention. 

Account lock-out


When a user uses a wrong password, what action should be taken by the system?

In most implementations we have seen, after 3 attempts it will not accept a new try for the next 30 minutes. Then it is possible to try again. After many attempts over a long period, the account will be locked.

A strong policy will lock the account down after 3–5 attempts. Then the only way to reopen the account is to get assistance. As this takes time from the service desk, it is problematic. This might be the reason why many organizations accept many false attempts.

If password self-service is available, however, then it is possible to combine strict rules with a few attempts and then lock out the user, as it is only the user who must spend time in re-opening the account. In this way, password self-service solutions help protect against brute force attacks.

The costs for strong passwords 


When we make passwords strong and complicated, users will forget more passwords!

Traditionally users have to call the service desk to get assistance. If the service desk then makes a thorough authentication, it takes time for the service desk and the user, which means lost productivity and cost. 

Giving users self-service of passwords for locked or forgotten passwords will however reduce the wasted time to almost nothing. A good self-service solution is secure and tested against external penetration and is not an entry for hackers. 

We advise that strong password policies are combined with end-user self-service of passwords.


FastPass can help you achieve extra security in combination with Active Directory.

Add extra complexity to the password 

Use history to prevent previous passwords being used 

Blacklist passwords

Self-service of passwords to reduce the cost of forgotten and locked passwords 

Password expiration notification to help users to remember to change passwords 

Steps to strong password policy

  • Use AD for password complexity 

  • Used AD to prevent the use of names and user-id in passwords 

  • Use FastPass to add complexity 

  • Use FastPass to blacklist popular passwords and specific words 

  • Use FastPass to prevent users’ reuse of passwords 

  • Use FastPass to notify users to change passwords 

  • Use FastPass for self-service to keep costs down 

Want more information about FastPass products, pricing or anything else?

We are here to help you!

GDPR password policy

The European GDPR doesn’t have any specific requirements for a password policy.  

IDC says: “In GDPR, security is established as a core principle in Article 5, where it states that personal data shall be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing … using appropriate technical or organizational measures.” Article 4 includes the definition of a data breach to include “unauthorized … access to personal data.”  

Clearly, then, access control to prevent “unauthorized processing” and “unauthorized access” is critical to GDPR compliance. 

GDPR is, however, outcome-oriented and it is up to the organizations to organize it-security in a way which fulfills the GDPR objectives. 

It is obvious that organizations must do their best to protect any user’s account against breach by other persons, as this will constitute a data breach according to GDPR definition. 

We do expect that the authorities will demand that organizations follow a best practice to protect users’ credentials as passwords. 

Best practices must include implementation of strong passwords and being proactive in setting up defenses against well-known types of attacks. Best practices must also include a clear workflow for the manually assisted password reset as performed in the service desk when users call for password reset. 

Please see more from the IDC whitepaper on GDPR and the service desk.

North America T: + 818 697 2308

Europe T: + 45 4810 0410


FastPassCorp A/S,  USA

FastPassCorp A/S, Gladsaxevej 376,; 2860, Søborg, Gladsaxe, Denmark

© FastPassCorp A/S. All Rights Reserved.

Logo of fastpasscorp, the self-service password management provider