Weak or reused passwords and excessive access privileges remain among the leading causes of security breaches. This policy template aligns with NIST SP 800-63B (2024 revision), NCSC Password Guidance, and ISO 27001 access management controls — moving away from complex rules that harm usability in favour of evidence-based best practice.
Password Standards (NIST SP 800-63B Aligned)
NIST 800-63B overturns old password myths
The 2024 NIST guidance removes forced periodic rotation (unless breach suspected), removes mandatory complexity rules, and instead focuses on minimum length, checking against breach databases, and mandating MFA.
PASSWORD POLICY
Version: 1.0 | Aligned with: NIST SP 800-63B (2024), NCSC Password Guidance

1. MINIMUM REQUIREMENTS
- Minimum length: 12 characters for standard accounts
- Minimum length: 16 characters for privileged accounts (admin, root, service accounts)
- Maximum length: at least 64 characters must be supported (allow passphrases)
- No mandatory complexity rules (upper case, special characters), but mixed characters are strongly encouraged

2. PASSWORD ROTATION
- Routine periodic rotation is NOT required (NIST 800-63B recommendation)
- Immediate rotation REQUIRED when: breach suspected, account shared, employee leaves, phishing link clicked
- Privileged accounts: rotate quarterly and on any team member change

3. PROHIBITED PASSWORDS
- Passwords must not appear in known breached password databases (check via the HaveIBeenPwned API)
- Do not use: name + year (John2024), company name, keyboard walks (qwerty123)
- Do not reuse any of the last 12 passwords

4. PASSWORD MANAGER
- All staff must use an approved password manager (1Password / Bitwarden / Keeper)
- Unique passwords required for every account (no reuse across services)
- IT will provide licences; personal use permitted on company-approved tools

5. MULTI-FACTOR AUTHENTICATION (MFA)
- MFA is MANDATORY for: all cloud console access, VPN, email, HR/payroll, financial systems
- Preferred MFA: authenticator app (TOTP) or hardware key (YubiKey)
- Acceptable: push notification (with number matching to prevent MFA fatigue)
- NOT acceptable: SMS OTP for high-risk systems (vulnerable to SIM swap)
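As an added example (not part of the original policy template), the following Python validator enforces sections 1 and 3 of the policy: length by account type, no user or company name, no keyboard walks, no reuse of the last 12 passwords, and a HaveIBeenPwned breach check using the k-anonymity range API. The range endpoint is replaced by a constructed offline stand-in built from a small set of assumed-breached passwords; the history store uses PBKDF2 with per-entry salts, which is an assumption of this example rather than a policy requirement.

```python
import hashlib
import os

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

def has_keyboard_walk(pw, run=4):
    """True if pw contains `run` adjacent keys from one keyboard row, in either direction."""
    low = pw.lower()
    return any(r[i:i + run] in low for row in KEYBOARD_ROWS
               for r in (row, row[::-1]) for i in range(len(r) - run + 1))

def breached_count(pw, range_lookup):
    """HIBP k-anonymity: only the first 5 hex chars of the SHA-1 leave the host; the suffix is
    matched locally. range_lookup(prefix) must return the body of
    GET https://api.pwnedpasswords.com/range/<prefix> (lines of 'SUFFIX:COUNT')."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    for line in range_lookup(digest[:5]).splitlines():
        found, _, count = line.partition(":")
        if found.strip() == digest[5:]:
            return int(count)
    return 0

def remember(pw, history, keep=12):
    """Append a salted PBKDF2 hash to the history and keep only the `keep` most recent."""
    salt = os.urandom(16)
    history.append((salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)))
    del history[:-keep]   # a no-op until more than `keep` entries exist

def check_password(pw, *, privileged, user_name, company, history, range_lookup):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems, low = [], pw.lower()
    if len(pw) < (16 if privileged else 12):
        problems.append("too short for account type")
    if any(w and w.lower() in low for w in (user_name, company)):
        problems.append("contains user or company name")
    if has_keyboard_walk(pw):
        problems.append("keyboard walk")
    if (n := breached_count(pw, range_lookup)):
        problems.append(f"seen in breach data {n} times")
    if any(hashlib.pbkdf2_hmac("sha256", pw.encode(), s, 100_000) == h for s, h in history):
        problems.append("reused one of the last 12 passwords")
    return problems

def fake_range_lookup(breached):
    """Constructed offline stand-in for the HIBP range endpoint, built from an assumed-breached set."""
    table = {}
    for p, count in breached.items():
        h = hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
        table.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return lambda prefix: "\r\n".join(table.get(prefix, []))
```

In production, `range_lookup` would be an HTTPS GET against the real range endpoint; nothing else in the flow changes, and the full hash never leaves the host.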
MFA Requirements by System Type
| System / Access Type | MFA Required? | Acceptable MFA Methods | Note |
|---|---|---|---|
| Cloud Consoles (AWS, Azure, GCP) | Mandatory | TOTP / Hardware key | Root/Global Admin: only hardware key (YubiKey) |
| VPN Access | Mandatory | TOTP / Push with number matching | No SMS OTP |
| Corporate Email (M365/Google) | Mandatory | TOTP / Authenticator push | Enforce via Conditional Access / Entra ID |
| Financial Systems (accounting, payroll) | Mandatory | TOTP / Hardware key | PCI-DSS also requires MFA |
| HR & People Platforms | Mandatory | TOTP / Push | Contains sensitive PII |
| Internal Tools (Jira, Confluence) | Strongly Recommended | Any TOTP or SSO | Enforce via SSO where possible |
| Developer Access (GitHub, CI/CD) | Mandatory | TOTP / Hardware key / GitHub passkey | Code repositories are high-value targets |
| Customer-Facing Web Application | Recommended (offer to users) | TOTP / Passkey / Push | Implement per-user optional; mandatory for admins |
Joiners-Movers-Leavers (JML) Process
1. Joiners — New Starters
HR notifies IT 5 business days before the start date. IT provisions email, an AD account, and the required systems only (least privilege). Access is tied to a role profile; no individual exceptions without manager and security approval. On day 1: issue the device, enable MFA, review the AUP, and complete security awareness training.
2. Movers — Internal Role Changes
HR notifies IT of the role change on its effective date. IT reviews access: add access for the new role and REVOKE access from the previous role (do not let permissions accumulate). Access accumulation is a common compliance failure, so audit it regularly.
3. Leavers — Employees Departing
HR notifies IT a minimum of 48 hours before the last working day (immediately for misconduct or dismissal). On departure: disable the AD account, revoke the O365 licence, disable VPN, remove the user from all SaaS tools, and retrieve company devices. Archive the mailbox for 30 days, then delete it. Review: were they a privileged user? Change any shared passwords they knew. Revoke all API keys and tokens issued under their name.
Quarterly Access Review Template
QUARTERLY ACCESS REVIEW — Q[X] [YEAR]
Review Date: ____________ | Reviewed By: ____________ | Approved By: ____________
SYSTEM: _____________________ | Review Period: _____________

| Username | Full Name | Department | Access Level | Last Login | Action Required |
|---|---|---|---|---|---|
| jsmith | Jane Smith | DevOps | Admin | 2026-01-15 | ✅ Confirmed |
| mwatson | Mike Watson | Sales | Standard | 2026-01-20 | ✅ Confirmed |
| (former) | Alex Jones | HR (left) | Standard | 2025-09-01 | ❌ REVOKE IMMEDIATELY |
| contractor | TechCo Ltd | N/A | Read-only | 2025-10-01 | Review — contract may have ended |

SIGN-OFF
System Owner: _________________ | Date: _________________
IT Manager: _________________ | Date: _________________
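As an added example (not part of the original template), this Python script pre-populates the "Action Required" column by reconciling a system's access export against the HR roster, which is the source of truth the JML process above relies on. The CSV rows, the 90-day idle threshold and the HR status values (active / left / contractor) are constructed assumptions for this example.

```python
import csv
import io
from datetime import date

STALE_DAYS = 90   # assumption: no login for a full quarter triggers a review

# Constructed sample data: one system's IAM export and the HR roster it is reconciled against.
ACCESS_EXPORT = """username,full_name,department,access_level,last_login
jsmith,Jane Smith,DevOps,Admin,2026-01-15
mwatson,Mike Watson,Sales,Standard,2026-01-20
ajones,Alex Jones,HR,Standard,2025-09-01
contractor,TechCo Ltd,N/A,Read-only,2025-10-01
ghost,Unknown Account,Finance,Standard,2026-01-30
"""
HR_ROSTER = """username,status,contract_end
jsmith,active,
mwatson,active,
ajones,left,
contractor,contractor,2025-12-31
"""

def review(access_csv, hr_csv, today):
    """Reconcile an access list against HR and return {username: recommended action}.
    Order of precedence: not employed > contract ended > stale > privileged > confirmed."""
    hr = {r["username"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    actions = {}
    for row in csv.DictReader(io.StringIO(access_csv)):
        user = row["username"]
        person = hr.get(user)
        days_idle = (today - date.fromisoformat(row["last_login"])).days
        if person is None or person["status"] == "left":
            # Account with no active employee behind it: the leaver step was missed
            actions[user] = "REVOKE IMMEDIATELY: not an active employee"
        elif person["status"] == "contractor" and person["contract_end"] \
                and date.fromisoformat(person["contract_end"]) < today:
            actions[user] = "REVOKE: contract ended " + person["contract_end"]
        elif days_idle > STALE_DAYS:
            actions[user] = f"REVIEW: no login for {days_idle} days"
        elif row["access_level"] == "Admin":
            # Privileged access is never auto-confirmed; the system owner signs it off
            actions[user] = "CONFIRM with system owner (privileged)"
        else:
            actions[user] = "Confirmed"
    return actions

if __name__ == "__main__":
    for user, action in review(ACCESS_EXPORT, HR_ROSTER, date(2026, 2, 1)).items():
        print(f"{user:<12} {action}")
```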