How Often Should You Update Your Password Policy? (Hint: Now’s a Good Time)
When was the last time you took a moment to update your password policy? If you’re struggling to remember, you’re not alone — most businesses either forget about it entirely or rely on outdated rules that don’t reflect today’s security threats.
In reality, it’s good practice to update your password policy at least once a year, or whenever there are changes in how your team works or how your systems are set up. If you’ve recently moved to cloud services, hired new staff, or introduced remote access, now’s the ideal time for a refresh.
Many older policies focus too much on making staff change passwords regularly, which often leads to weaker passwords or sticky notes stuck to monitors. These days, it’s far more effective to encourage strong, unique passwords (or passphrases), combined with multi-factor authentication (MFA).
Here’s what a modern password policy should include:
- A minimum length (12 characters or more)
- A ban on common or previously breached passwords
- The use of MFA, especially for email and admin systems
- Guidance on using a secure password manager
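As an added example (not code from the post or from 39D), this is how the first two list items, the 12-character minimum and the ban on common or previously breached passwords, could be enforced in code. The breach check is modelled on the hash-prefix range lookup that breached-password services use, so only a short prefix of the hash ever leaves the client; the breached list itself is constructed sample data, not a real breach feed.

```python
import hashlib

MIN_LENGTH = 12

# Constructed stand-in for a breach corpus, keyed the way range-query breach
# services key their data: uppercase SHA-1 hex, split into a 5-character prefix
# and the remaining 35-character suffix. Sample values only, not a real feed.
_SAMPLE_BREACHED = ["password", "Password123", "letmein", "qwerty123456", "Welcome2024!"]
_BREACH_INDEX: dict[str, set[str]] = {}
for _pw in _SAMPLE_BREACHED:
    _h = hashlib.sha1(_pw.encode("utf-8")).hexdigest().upper()
    _BREACH_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def range_lookup(prefix: str) -> set[str]:
    """Simulated server side: given only a 5-character hash prefix, return every
    known suffix under it. The full hash and the plaintext never reach the server."""
    return _BREACH_INDEX.get(prefix.upper(), set())


def is_breached(password: str) -> bool:
    """Client side of the check: hash locally, query by prefix, match the suffix locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


def check_password(password: str) -> list[str]:
    """Apply the two checkable rules from the policy list and return the violations
    found; an empty list means the password passes both."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_breached(password):
        problems.append("matches a banned or previously breached password")
    return problems


if __name__ == "__main__":
    # "lamp-orbit-velvet-canyon" is a constructed passphrase, not on the sample list.
    for candidate in ["Welcome2024!", "short", "lamp-orbit-velvet-canyon"]:
        result = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else ', '.join(result)}")
```

In a real deployment the prefix query would go to a breach service over HTTPS and the denylist would also cover locally chosen terms such as the company name.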
Your policy should be simple, sensible, and easy for staff to follow. It’s not just about compliance — it’s about making your business harder to attack.
At 39D, we help businesses set practical, secure policies that staff actually follow. Whether you need help writing one from scratch, updating an old one, or rolling out MFA, we’re here to help.
Need a hand reviewing your current policy? Contact us today for straightforward advice and support.
For extra reading, the National Cyber Security Centre offers clear, up-to-date guidance on password policies tailored to UK organisations.