Password Policies and Compliance Requirements
Password Policies and Compliance Requirements

Photo by Pixabay on Pexels
Password policies and access control requirements aren't just good security practice—they're increasingly mandated by compliance frameworks, cyber insurance policies, and industry regulations. This lesson covers how to create policies that work in practice and what compliance standards require for access control.
Password Policies That Actually Work
Traditional password policies (require 8 characters, uppercase, lowercase, number, symbol, change every 90 days) have been proven ineffective. NIST SP 800-63B (the current federal standard) reversed many of these recommendations. Here's what modern password policies should include:
- Minimum length: 12-16 characters. Length is more important than complexity. Consider passphrases (4+ random words).
- No forced periodic resets. NIST found that forced resets lead to predictable patterns (Summer2024!, Fall2024!). Only require resets when a compromise is suspected.
- Screen against common passwords. Block the top 10,000 most common passwords (available from haveibeenpwned.com's Pwned Passwords API). Prevent passwords like "password," "123456," company name, etc.
- Allow all characters. Don't restrict which characters can be used. Allow spaces, emojis, and Unicode.
- Require unique passwords. Use a password manager to ensure passwords aren't reused across accounts.
- Rate-limit login attempts. Lock accounts or add delays after 5 failed attempts to prevent brute force.
Implementing Password Policies in Common Platforms
Microsoft 365: In the admin center, go to Settings > Security & Privacy > Password. Set minimum length to 12, disable expiration (set to never), enable Azure AD Password Protection to block common passwords.
Google Workspace: In admin.google.com, go to Security > Authentication > Password management. Set minimum length, enable strong password enforcement.
Windows Active Directory: Use Group Policy: Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy. Set minimum length to 12, disable "Maximum password age" (set to 0 for no expiration).
Compliance Requirements for Access Control
Several compliance frameworks mandate specific access control measures. Even if you're not formally certified, following these standards improves security and may be required by your cyber insurance:
HIPAA (Healthcare): Requires unique user IDs, automatic logoff, encryption of access credentials, and audit controls that record access to ePHI. Role-based access is expected. Access must be reviewed periodically.
PCI DSS (Payment Cards): Requirement 8: Assign a unique ID to each person with computer access. Requires MFA for all remote access to the network and for all non-console administrative access. Passwords must be at least 12 characters and changed at least every 90 days (PCI still requires periodic changes). Account lockout after 6 failed attempts.
SOC 2 (Service Organizations): Requires logical access controls, unique user authentication, MFA where appropriate, and documented access reviews. Access must be reviewed at least quarterly and revoked promptly upon termination.
GDPR/CCPA (Data Privacy): Requires appropriate technical measures to protect personal data, including access controls and authentication. Data access must be limited to authorized individuals on a need-to-know basis.
Cyber Insurance Requirements: Most modern cyber insurance policies require MFA on all remote access, email accounts, and privileged accounts. They also require password management policies and regular access reviews. Failure to meet these requirements can void your coverage.
Documenting Your Policies
Write a simple, clear access control policy that covers:
- Password requirements (length, uniqueness, password manager mandate)
- MFA requirements (which accounts, which methods)
- Access provisioning and deprovisioning process
- Access review frequency (at least quarterly)
- Local admin rights policy (who, if anyone, has them)
- Shared account management
Store the policy in a shared location accessible to all employees. Review and update annually.
Key Takeaways
- Modern password policies favor length over complexity and don't require periodic resets (except PCI DSS)
- NIST SP 800-63B is the current gold standard—follow it unless a specific compliance framework requires more
- MFA is mandated by virtually all compliance frameworks and cyber insurance policies
- Document your access control policy and review it annually
- Conduct quarterly access reviews to catch access creep and orphaned accounts
Auditing Access and Detecting Anomalous Behavior
Access auditing is the process of reviewing who accessed what, when, and from where. Comprehensive audit logs are essential for security incident investigation, compliance requirements, and identifying suspicious behavior. Every system should log: authentication events (successful and failed logins), authorization decisions (access granted or denied), privilege escalations, password changes, and configuration modifications. Centralize these logs using free tools like Graylog or ELK Stack (Elasticsearch, Logstash, Kibana) for real-time analysis, or use simpler approaches like forwarding all logs to a dedicated syslog server.
Anomalous behavior detection doesn't require expensive AI tools — simple rules can catch most attacks. Set up alerts for: login attempts outside business hours (potential unauthorized access), multiple failed logins followed by a success (potential brute force), login from unusual geographic locations (possible account compromise), simultaneous logins from different locations (credential sharing or attack), and access to systems outside the user's normal pattern. Free SIEM (Security Information and Event Management) tools like Wazuh and OSSIM provide these detection capabilities with pre-built rules and alerting.
Conduct quarterly access audits to verify that access rights remain appropriate. Generate reports showing: all active user accounts, their last login date, their assigned roles, and any access changes since the last audit. Review each report with department managers — they know which employees changed roles, left the company, or no longer need certain access. Remove or modify access for: accounts inactive for 90+ days, accounts of employees who changed departments, and accounts with access that exceeds their current role. Document the audit findings and remediation actions for compliance purposes. This quarterly cadence catches most access control issues before they become security incidents.
Common Questions
Q: How long should I keep access logs?
Most compliance frameworks require 90 days to 1 year of log retention. PCI-DSS requires 1 year (3 months online, 9 months offline). GDPR doesn't specify retention periods but requires appropriate safeguards. HIPAA requires 6 years for audit logs. A practical approach: keep detailed logs for 90 days online for quick analysis, archive for 1 year for compliance, and summarize key events for 3+ years for trend analysis. Use automated log rotation to manage storage costs.
Password Policies and Compliance Requirements
Password policies and access control requirements aren't just good security practice—they're increasingly mandated by compliance frameworks,
There are no comments for now.