POLICY GENERATOR

Build a printable password policy.

Aligned with NIST SP 800-63B guidance. Generate, download, and print a policy you can adopt today.

PASSWORD POLICY

Organization: Your Company Name
Business Size: 11–50 employees
Compliance Context: None / general
Effective Date: 6/28/2026

1. PURPOSE
This policy establishes minimum standards for the creation, use, and protection of passwords used to access Your Company Name systems and data.

2. SCOPE
This policy applies to all employees, contractors, vendors, and third parties with access to Your Company Name information systems.

3. PASSWORD CONSTRUCTION
- Minimum length: 14 characters
- Must include a mix of upper- and lowercase letters, numbers, and at least one symbol
- Must not contain the user's name, username, or company name
- Must not match any password previously used on the account
- Passphrases (4+ unrelated words) are encouraged
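As an added illustration (not part of the generator's output or of Wolf Tech's tooling), the Python below checks a candidate password against the section 3 rules; the sample identity values and the hash-based password-history list are assumptions for the example.

```python
import hashlib
import hmac
import re

# Parameters taken from section 3 of the policy above.
MIN_LENGTH = 14
REQUIRED_CLASSES = {
    "uppercase letter": r"[A-Z]",
    "lowercase letter": r"[a-z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}

def history_digest(password: str) -> str:
    """Digest used for the reuse check so the history store never holds plaintext.
    Plain SHA-256 is an assumption for this example; a production verifier would
    keep history under the same salted, slow hash scheme as the live credential."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def check_password(password, *, full_name, username, company, previous_digests=()):
    """Return the list of section 3 rules the candidate violates (empty means accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for label, pattern in REQUIRED_CLASSES.items():
        if not re.search(pattern, password):
            problems.append(f"missing {label}")
    # Rule: must not contain the user's name, username, or company name.
    # Matching is case-insensitive; name parts under 3 characters are skipped
    # so a short given name such as "Al" does not reject every password (an assumption).
    lowered = password.lower()
    banned = [company, username] + full_name.split()
    for term in banned:
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains banned term '{term}'")
    # Rule: must not match any password previously used on the account.
    candidate = history_digest(password)
    if any(hmac.compare_digest(candidate, old) for old in previous_digests):
        problems.append("matches a password previously used on this account")
    return problems

if __name__ == "__main__":
    # Constructed sample identity; the history holds the digest of one earlier password.
    identity = dict(full_name="Alice Smith", username="asmith", company="Acme")
    history = [history_digest("Correct horse battery staple!7")]
    for cand in ("Correct horse battery staple!7", "AcmeSmith2024!!", "Tulip-Granite-Oxygen-Ferry9"):
        print(cand, "->", check_password(cand, previous_digests=history, **identity) or "OK")
```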

4. MULTI-FACTOR AUTHENTICATION
Multi-factor authentication (MFA) is REQUIRED on all email accounts, remote access, VPN, cloud services, and any administrative account. Phishing-resistant MFA (FIDO2 / hardware key) is required for privileged accounts.

5. PASSWORD ROTATION
Routine periodic rotation is NOT required (aligned with NIST SP 800-63B). Passwords must be changed immediately upon suspicion of compromise, after an employee separation, or when shared inadvertently.

6. ACCOUNT LOCKOUT
After 5 consecutive failed login attempts, the account will be locked. Locked accounts may only be unlocked by IT after identity verification.

7. PASSWORD STORAGE
- Passwords must never be written down in plain text in unsecured locations.
- An approved password manager is required for storing credentials.
- Passwords must never be shared by email, SMS, or chat.

8. INCIDENT REPORTING
Any suspected password compromise must be reported to IT or the security coordinator within 1 business hour.

9. ENFORCEMENT
Violations of this policy may result in disciplinary action up to and including termination.

10. REVIEW
This policy is reviewed annually by the designated security coordinator.

— Generated by Wolf Tech IT Solutions Password Policy Generator
   https://wolftechitsolutions.com/tools/password-policy-generator

Frequently Asked Questions

Is this policy good enough for compliance?

It's a strong starting point aligned with NIST SP 800-63B guidance. Regulated industries (HIPAA, FTC Safeguards, IRS WISP) should have the final policy reviewed by Wolf Tech or qualified counsel.

Should I rotate passwords every 90 days?

NIST no longer recommends arbitrary rotation. Rotate on suspicion of compromise. The generator defaults follow current guidance — adjust if your insurer or auditor still requires periodic rotation.

How do I distribute the policy?

Print it, sign it, store a copy in your WISP binder, and require employees to acknowledge it on hire and annually.