Weak or recycled passwords remain a leading cause of data breaches, especially for SMBs lacking dedicated security resources. Learn the current best practices when crafting a password policy to help you guide users with practical and effective rules that can protect them without making things more difficult.
Core principles for SMB-friendly password policies
SMB password policies should be clear and concise. It’s recommended that you emphasize length and uniqueness over complexity and avoid routine password expiration. You should also block weak and previously compromised passwords. Administrators should also educate users on the rationale for the password policies while encouraging the use of multi-factor authentication and password managers.
Emphasize length and uniqueness over complexity
A long password (at least 14 characters) gives users stronger protection, and recommending length is more effective than requiring complexity.
Long passwords are more secure because every added character multiplies the number of possible combinations, making them far harder to brute-force. A long passphrase is also easier to remember than a short, complex string, and it provides stronger resistance to dictionary attacks.
Avoid routine password expiry
Many organizations implement routine password expiration. This means that they require users to change their passwords after a set period of time. However, these policies are outdated and not as secure as they once were.
Frequently changing passwords can result in user frustration. This frustration can result in users coming up with less secure passwords with guessable patterns and other kinds of vulnerabilities. Instead of changing passwords regularly, it’s recommended to only change passwords when there is a suspicion of compromise or evidence of a security breach.
Block weak or previously compromised passwords
It’s prudent for organizations to take advantage of tools like Have I Been Pwned?, which lists compromised passwords. If a user’s password appears in that list, that user should stop using it. And if a tool or service your organization uses suffers a security breach, it’s recommended to have all users change their passwords.
Encourage MFA and use of password managers
Multi-factor authentication (MFA) adds another layer of protection for users. After they enter their credentials, users are prompted to verify their identity, whether through a code they have, a message they receive, or an application on their phone. Because of this, even if a user’s password is weak or compromised, bad actors still won’t be able to access the account with the password alone.
Password managers are another helpful tool in cybersecurity. One of the biggest risks to account protection is that users have trouble remembering their passwords, so they may fall back on unsafe practices such as writing passwords down, reusing them, or using guessable patterns.
Password managers can help solve this problem. Instead of having to remember a long and unique password for all their accounts, they only have to remember one password for their password manager. The password manager itself will be responsible for generating strong passwords for the user and storing them.
Educate users rather than penalize
One of the most important things an organization can do to keep accounts secure is to educate its users. It’s important that they not only follow security policies, but also understand why they exist. Teach users why passphrases work, how to avoid reusing passwords, and the value of secure password storage.
It’s also essential to ensure that the implementation is not punitive. Having a strong understanding of these security policies will encourage users to better follow these best practices.
Implementing policies via GPO or cloud settings
In Active Directory or GPO
📌 Prerequisite: You must be using Active Directory to manage your endpoints.
💡 Note: Group Policy Management Console (GPMC) is installed by default on domain controllers (DC), and you need to open it from a DC. But it can also be installed on other domain-joined Windows machines through the RSAT tools.
- Press Win+R.
- Type gpmc.msc and press Enter. This will open the Group Policy Management Console.
- Navigate to this address: Forest > Domains > <yourdomain.com> > Default Domain Policy.
Replace yourdomain.com with the domain you want to manage.
- Right-click Default Domain Policy > Edit.
- Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy.
- Double-click the following settings to modify them:
  - Minimum password length – Set to 12-14 characters or longer
  - Password must meet complexity requirements – Disable
  - Enforce password history – Controls how many unique passwords a user must use before reusing a previous password; modify according to your organization’s security policy
In Microsoft 365 or cloud platforms
📌 Prerequisite: You must be using Microsoft 365 for your organization.
Microsoft 365 supports passwords up to 256 characters, well beyond the recommended minimum of 12-14 characters. This is a native feature, and administrators do not need to modify it.
To configure banned password lists, follow these steps:
- Go to the Entra admin center.
- Navigate to Protection > Authentication methods > Password protection.
- Configure your custom banned password list. You can add easy-to-guess passwords, such as your company name, birthdays, seasons, and years.
- Change the mode to Enforce so that Entra will actively block weak or forbidden passwords.
To disable forced password expiration, follow these steps:
- Go to the Entra admin center.
- Navigate to Settings > Org settings > Security & privacy.
- Locate Password expiration policy.
- Change the setting to Never expire.
Best practices summary table
| Principle | Why it works |
|---|---|
| Passphrase length > complexity | Long passwords are easier to remember and harder to crack than complex passwords. |
| No automatic expiry | It avoids user frustration and predictable rotations. |
| Block reused/compromised passwords | It prevents common attack vectors that bad actors usually take. |
| Use MFA + password manager | These tools enhance usability while also boosting security. |
| Train users | This will ensure that the policy is fully understood and not just enforced. |
Optional automation touchpoint
You can automate enforcing your password policy using Windows PowerShell by following these steps:
📌 Prerequisite: You must be using Active Directory to manage your endpoints.
- Open Windows PowerShell as a domain administrator.
- Run the following commands:
Import-Module ActiveDirectory
Get-ADDefaultDomainPasswordPolicy | Select MinPasswordLength, PasswordHistoryCount
This will retrieve the minimum password length and the password history requirement from the default domain password policy in Active Directory for users.
- To change the minimum password length, type this command and press Enter:
Set-ADDefaultDomainPasswordPolicy -Identity "yourdomain.com" -MinPasswordLength 12
Change “yourdomain.com” to the correct domain, and change the number after MinPasswordLength to the length outlined in your security policy.
NinjaOne platform integration ideas for optimizing your organization’s password policies
Here are a few ways organizations can integrate NinjaOne RMM tools into their password policies:
- Use NinjaOne remote scripting tools to remotely audit user password policy status and compliance.
- Use NinjaOne Docs for documentation to explain why certain password controls are enforced.
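The script below is an added example, not code from the article or from NinjaOne, that extends the PowerShell commands in the automation section into a compliance audit of the kind the remote-scripting bullet describes. It assumes the ActiveDirectory RSAT module, a domain-joined administrator session, and a history threshold of 10 (the article leaves that value to your own policy).

```powershell
# Added example (not from the article or NinjaOne): audit the default domain
# password policy against the recommendations above and return a report.
# Assumes the ActiveDirectory module and a domain-joined admin session.
Import-Module ActiveDirectory

function Test-DomainPasswordPolicy {
    param(
        [int]$RequiredMinLength = 14,   # article: at least 14 characters
        [int]$RequiredHistory   = 10    # assumed value; set to your own policy
    )
    $policy = Get-ADDefaultDomainPasswordPolicy

    # In AD a MaxPasswordAge of 0 (00:00:00) means passwords never expire,
    # which is what the "avoid routine expiry" recommendation asks for.
    $noExpiry = ($policy.MaxPasswordAge -eq [TimeSpan]::Zero)

    $checks = @(
        [pscustomobject]@{ Setting = 'MinPasswordLength'
                           Actual  = $policy.MinPasswordLength
                           Pass    = ($policy.MinPasswordLength -ge $RequiredMinLength) }
        [pscustomobject]@{ Setting = 'ComplexityEnabled'
                           Actual  = $policy.ComplexityEnabled
                           Pass    = (-not $policy.ComplexityEnabled) }
        [pscustomobject]@{ Setting = 'MaxPasswordAge'
                           Actual  = $policy.MaxPasswordAge
                           Pass    = $noExpiry }
        [pscustomobject]@{ Setting = 'PasswordHistoryCount'
                           Actual  = $policy.PasswordHistoryCount
                           Pass    = ($policy.PasswordHistoryCount -ge $RequiredHistory) }
    )
    return $checks
}

$report = Test-DomainPasswordPolicy
$report | Format-Table -AutoSize

# A non-zero exit code lets an RMM script (for example one run from NinjaOne)
# flag the domain as non-compliant without having to parse the table.
if ($report.Pass -contains $false) { exit 1 }
exit 0
```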
Encourage secure passwords by enforcing strong password policies
Password policies aren’t just arbitrary rules—their main goal is effective and usable security. Make sure to add layers of protection using MFA and password managers.
This will boost security while also minimizing user resistance. Administrators will also spend less time supporting users if they end up forgetting their password or using a weak passphrase. Encouraging these practices now will help your business as it grows, and balances risk reduction with operational usability.