How to Create a Password Policy for Your Small Business

Jeremy Phillips · February 4, 2026 · 6 min read · beginner

A strong password policy protects your business accounts from unauthorized access. The most effective modern approach prioritizes longer passphrases and multi-factor authentication over complex character requirements that lead to sticky notes on monitors.

Why Your Small Business Needs a Written Password Policy

Most data breaches start with compromised credentials. Without a clear, documented policy, employees tend to default to short, reused passwords across multiple services. That single habit creates a cascading risk: one breached service exposes the same password everywhere it was used.

Beyond the practical security benefits, many compliance frameworks and cyber insurance policies require a documented password policy. If your business handles healthcare data (HIPAA), processes credit cards (PCI DSS), or carries cyber insurance, you likely need a written policy on file. Even if none of those apply today, having a clear policy saves you from scrambling to create one when an insurer or client asks for it.

A good password policy does not need to be long. A one- or two-page document that covers the basics is far more effective than a 20-page document nobody reads.

Modern Password Guidelines (NIST Recommendations)

The National Institute of Standards and Technology (NIST) updated its password guidance in recent years, and the changes may surprise you. The old rules about requiring uppercase letters, numbers, and special characters are no longer recommended. Those complexity rules lead to predictable patterns like "Password1!" that technically satisfy the requirement but are trivially easy to guess.

Here is what NIST recommends instead:

  • Minimum 12 characters, with 16 or more as the ideal. Length is the most important factor in password strength.
  • Encourage passphrases over complex strings. A passphrase like "correct-horse-battery-staple" is both stronger and easier to remember than "P@ssw0rd!" because length matters more than character variety.
  • Do not require regular password rotation. Forced rotation every 60 or 90 days leads to weaker passwords because people just increment a number at the end. Only require a change when a breach is suspected.
  • Screen new passwords against known breached lists. Services like Have I Been Pwned maintain databases of passwords exposed in data breaches. Your password manager or identity provider can check new passwords against these lists automatically.
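
As an added example (not code from the article), here is a small Python checker that applies the rules above: a 12-character minimum, a note below 16, no character-class requirement, and screening against a breached-password list using the k-anonymity style of lookup that Have I Been Pwned uses, where only the first five characters of the password's SHA-1 hash leave the client. The breached corpus and `fake_range_lookup` are constructed stand-ins for the real `/range/{prefix}` request.

```python
import hashlib

MIN_LENGTH = 12          # policy minimum from the article
RECOMMENDED_LENGTH = 16  # policy recommendation from the article

# Constructed stand-in for a breached-password corpus (counts are made up).
# The real service never sees the password: the client sends the first five
# hex characters of its SHA-1 and receives every "SUFFIX:COUNT" line that
# shares that prefix, then compares the remaining 35 characters locally.
_BREACHED = {"password1": 2_400_000, "P@ssw0rd!": 85_000, "Password1!": 61_000}

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def fake_range_lookup(prefix: str) -> list[str]:
    """Offline model of GET /range/{prefix}: returns 'SUFFIX:COUNT' lines."""
    return [f"{sha1_hex(p)[5:]}:{n}" for p, n in _BREACHED.items()
            if sha1_hex(p).startswith(prefix)]

def breach_count(password: str, range_lookup=fake_range_lookup) -> int:
    """k-anonymity check: only the 5-character hash prefix leaves the client."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix):
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0

def check_password(password: str) -> tuple[bool, list[str]]:
    """Return (accepted, messages) using the article's NIST-style rules."""
    problems, notes = [], []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short: {len(password)} < {MIN_LENGTH} characters")
    elif len(password) < RECOMMENDED_LENGTH:
        notes.append(f"accepted, but {RECOMMENDED_LENGTH}+ characters is recommended")
    count = breach_count(password)
    if count:
        problems.append(f"appears in {count} known breaches; choose another")
    # Deliberately no uppercase/digit/symbol rule: length and breach screening
    # are what the guidance asks for, not character classes.
    return (not problems, problems or notes)
```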

Require a Password Manager

A password manager is non-negotiable for any business that wants its password policy to actually work. Without one, employees will reuse passwords because nobody can memorize 50 unique, 16-character passwords.

A password manager generates strong, unique passwords for every account and stores them in an encrypted vault. Employees only need to memorize one master password to unlock the vault.

Athencia recommends 1Password for small businesses, and includes it in the Athencia One Complete managed IT plan. 1Password combines strong security with a user-friendly interface that makes adoption easier for non-technical teams. It also supports shared vaults, which let teams securely share credentials for shared accounts without sending passwords over email or chat.

Other solid options in the SMB space include Bitwarden (affordable and open-source) and Keeper (compliance-focused with detailed audit logging).

When rolling out a password manager to your team, start by migrating your most critical accounts first: email, banking, and payroll. Then set a deadline for employees to move all business accounts into the manager. The master password is the one password employees must memorize, so make sure it is a strong passphrase that is not used anywhere else.

Require Multi-Factor Authentication (MFA)

MFA is the single most effective account protection after a strong password. It requires a second form of verification, typically a code from an authenticator app, in addition to the password. Even if an attacker steals a password, they cannot access the account without the second factor.

Where to enforce MFA:

  • Microsoft 365 and email (this is the most critical one)
  • VPN and remote access connections
  • Banking and payroll systems
  • Any cloud application that stores sensitive business data

Authenticator apps like Microsoft Authenticator or Authy are preferred over SMS text message codes. SMS-based MFA is better than nothing, but it is vulnerable to SIM swapping attacks where an attacker convinces your phone carrier to transfer your number to their device. Authenticator apps do not have this vulnerability.

If your business uses Microsoft 365 Business Premium, you can enforce MFA across your entire organization using Conditional Access policies in Entra ID. Conditional Access lets you create rules like "require MFA for all sign-ins from outside the office network" or "require MFA for any sign-in to admin portals." This is far more effective than relying on individual employees to enable MFA themselves.

What Your Written Policy Should Include

Keep the document short and specific. Here is what it should cover:

  • Minimum password length: 12 characters minimum, 16 or more recommended.
  • Password manager requirement: All business accounts must use the company password manager. No exceptions.
  • No password reuse: Every account gets a unique password, enforced through the password manager.
  • MFA requirement: MFA must be enabled on all critical systems. List the specific systems.
  • Compromise reporting procedure: If an employee suspects a password has been compromised, they must report it to IT immediately, change the password, and not attempt to investigate on their own.
  • No password sharing: Employees should never share passwords via email, chat, or text. If a shared account is necessary, use the shared vault in your password manager.

How to Enforce the Policy

A policy that is not enforced is just a suggestion. Here are concrete ways to make it stick:

Use technical controls where possible. In Microsoft 365, you can set password length minimums through Entra ID. Enable Conditional Access policies to require MFA, so it is not optional. Block legacy authentication protocols (IMAP, POP3) that do not support MFA.
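
As an added example, not code from the article or from Microsoft, the following Python builds the three Conditional Access policies described here and in the MFA section (MFA outside the office network, MFA for admin portals, block legacy authentication) as request bodies for the Microsoft Graph `conditionalAccess/policies` endpoint, plus an audit function that confirms an enabled policy actually provides each control. The field names follow the Graph `conditionalAccessPolicy` resource and should be verified against the current Graph documentation before use; `BREAK_GLASS_USER_ID` is a constructed placeholder.

```python
# Constructed placeholder: an emergency-access ("break-glass") account that is
# excluded from every policy so a mistake cannot lock out all admins.
BREAK_GLASS_USER_ID = "00000000-0000-0000-0000-000000000000"

MFA = {"operator": "OR", "builtInControls": ["mfa"]}
BLOCK = {"operator": "OR", "builtInControls": ["block"]}

def _policy(name: str, conditions: dict, grant: dict) -> dict:
    """Common skeleton: all users except break-glass, all cloud apps, enabled."""
    base = {"users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_USER_ID]},
            "applications": {"includeApplications": ["All"]}}
    base.update(conditions)
    # Use "enabledForReportingButNotEnforced" first to preview the impact.
    return {"displayName": name, "state": "enabled",
            "conditions": base, "grantControls": dict(grant)}

def require_mfa_outside_office() -> dict:
    """Require MFA unless the sign-in comes from a trusted named location
    (the office IP range must already be defined as a trusted location)."""
    return _policy("Require MFA outside the office network",
                   {"locations": {"includeLocations": ["All"],
                                  "excludeLocations": ["AllTrusted"]}}, MFA)

def require_mfa_admin_portals() -> dict:
    """Require MFA for every sign-in to the Microsoft admin portals."""
    return _policy("Require MFA for admin portals",
                   {"applications": {"includeApplications": ["MicrosoftAdminPortals"]}}, MFA)

def block_legacy_auth() -> dict:
    """Block IMAP/POP3-style clients that cannot complete an MFA prompt."""
    return _policy("Block legacy authentication",
                   {"clientAppTypes": ["exchangeActiveSync", "other"]}, BLOCK)

def missing_controls(policies: list[dict]) -> list[str]:
    """Audit: which of the article's controls does no *enabled* policy provide?
    Report-only and disabled policies enforce nothing, so they do not count."""
    have_mfa = have_block = False
    for p in policies:
        if p.get("state") != "enabled":
            continue
        controls = p.get("grantControls", {}).get("builtInControls", [])
        legacy = p.get("conditions", {}).get("clientAppTypes", [])
        have_mfa = have_mfa or "mfa" in controls
        have_block = have_block or ("block" in controls and "other" in legacy)
    return [c for c, ok in (("mfa", have_mfa), ("legacy-auth-block", have_block)) if not ok]
```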

Audit password manager adoption quarterly. Check that all employees are actively using the password manager. 1Password's admin dashboard shows you which team members have logged in recently and how many accounts they have stored. If someone has only two items in their vault, they are not using it for all their business accounts.

Include the password policy in onboarding. New employees should set up their password manager account and enroll in MFA on their first day. Make it part of the onboarding checklist, not something they get around to later.

Lead by example. If the owner or leadership team does not follow the policy, nobody else will either. Owners and managers should follow the same rules, no exceptions.

Need Help?

Building a password policy is straightforward, but rolling it out and enforcing it across your team takes work. If you want help creating your policy or deploying a password manager and MFA to your organization, reach out to Athencia. We do this for small businesses every day.