Enterprise Password Policy Template: Copy-Paste and Customise
A production-ready password policy template covering NIST 800-63B, PCI-DSS v4.0, and ISO 27001 requirements. Download and adapt for your organisation.
Why your organisation needs a written password policy
A written password policy is a requirement for SOC 2, ISO 27001, HIPAA, and most enterprise security frameworks. Beyond compliance, it provides a consistent reference that removes subjective interpretation from access control decisions. When an employee asks "does this password meet requirements?" the answer is in the document, not in someone's opinion.
Most organisations don't have one. Use PassGeni's Policy Generator for a ready-made version. Below is a framework you can customise.
Core policy template
Section 1: Scope
This policy applies to all employees, contractors, and third parties with access to [Organisation] information systems. All accounts — user, administrator, service, and API — are covered.
Section 2: Password requirements
- Minimum length: 12 characters for standard accounts; 15 characters for privileged accounts
- Character requirements: at least one uppercase, one lowercase, one number, one symbol
- Passphrases (4+ random words) are explicitly permitted as an alternative to complex passwords
- Passwords must not appear in the Have I Been Pwned breach database
- Passwords must not contain the user's name, username, or organisation name
- The same password may not be used for multiple systems
Section 3: Password management
- All employees must use an approved password manager for work credentials
- Approved password managers: [Bitwarden / 1Password / other]
- Passwords must not be shared via email, Slack, SMS, or any unencrypted channel
- Temporary password sharing (where required) must use encrypted one-time links
Section 4: Multi-factor authentication
- MFA is required for all cloud services, email, VPN, and systems containing personal data
- TOTP authenticator apps are the minimum; hardware keys are required for privileged access
- SMS 2FA is not acceptable except where no alternative is available
Section 5: Password rotation
- Passwords are not required to be changed on a fixed schedule unless there is evidence of compromise
- Immediate rotation is required upon any known or suspected compromise
- Service account passwords are rotated quarterly
Section 6: Incident response
- Any suspected credential compromise must be reported to the security team within 24 hours
- Compromised accounts will be locked and credentials reset before reactivation
Tailor the Section 2 minimums to your specific compliance framework: for HIPAA, a 12-character minimum; for SOC 2 Type II, a 16-character minimum is defensible; for PCI-DSS v4.0, a 12-character minimum with MFA for all access to the cardholder data environment (CDE).