
Password & Authentication Policy

This template aligns with modern NIST-style guidance: length over complexity, MFA everywhere, and screening against breached passwords.


[Organisation] · Password & Authentication Policy
Version 1.0 · Owner: [Role] · Approved: [Date] · Classification: Internal

Purpose

To set minimum standards for authentication that reduce the risk of account compromise.

Scope

Applies to all accounts on [Organisation] systems and applications.

Policy statements

  • Passwords are a minimum of [12] characters; length is prioritised over forced complexity.
  • Passwords are screened against known-breached password lists where technically feasible.
  • Multi-factor authentication is mandatory for remote access, email, and all privileged and administrative accounts.
  • Passwords are never shared, reused across systems, or stored in plaintext.
  • Default and vendor-supplied credentials are changed before a system goes live.
  • Failed-login lockout and session-timeout controls are enforced.

Review

Reviewed annually against current authentication best practice.

Template provided by CyberSigma for adaptation. Replace bracketed placeholders and tailor to your environment before adopting. This is guidance, not legal advice.
