Password policy and 2FA: practical guidance

Category: Cyber Security
Published on: 21 Oct, 2025

Context and why it matters

Most breaches still begin with stolen or weak credentials. Public reports show large volumes of leaked passwords and reused credentials across the web, which attackers weaponise at scale. Analyses published across 2024 and 2025 reported many billions of exposed credentials, confirming that reuse and short, predictable passwords remain common. This fuels credential stuffing and account takeover against European and Baltic firms as much as anyone else.

For leadership teams in Estonia and across the EU, the challenge is practical. You need a policy that staff can follow without friction, and controls that stand up to modern attacks. The goal is not complexity for its own sake. It is to cut the risk of compromise while keeping people productive.

What it is and what it is not

A password policy is a set of rules on how your organisation creates, stores, and updates passwords. It covers length, composition, rotation, reuse, screening against known-breached passwords, and the use of multi-factor authentication (MFA).

Good policy is business driven. It balances security and usability, aligns with recognised guidance, and is supported by automation. Poor policy is a list of arbitrary rules that staff bypass.

Modern guidance from trusted authorities focuses on longer, memorable passphrases, screening against breached passwords, and enabling MFA. The UK’s National Cyber Security Centre (NCSC) promotes the three random words approach because it is easier to remember and long enough to resist guessing. NIST SP 800-63B recommends avoiding composition rules that force obscure character mixes and advises against routine resets unless there is evidence of compromise. Microsoft has also dropped mandatory periodic password expiry from its security baseline.

Typical weak points or failure modes

  • Short or reused passwords across many systems
  • Routine forced resets that push staff to incremental, predictable changes
  • SMS-only 2FA on high-value targets
  • Lack of screening against known-breached credentials
  • No password manager, so people rely on memory or spreadsheets
  • Inconsistent policy across cloud apps, legacy systems, and third parties

A quick comparison to guide decisions:

Area | Poor practice | Better practice
Length | 8–10 characters | 12+ characters, ideally passphrases with several random words
Reuse | Same password across services | Unique per service, enforced via password manager
2FA | SMS only | App-based TOTP or push, hardware keys for admins and critical roles
Screening | None | Block known-breached passwords and monitor for leaks
Storage | Browsers and notes | Managed vault with central policy and audit

Guidance on length and passphrases reflects NCSC’s three random words and NIST’s usability and strength recommendations. Rotation guidance aligns to Microsoft and NIST positions.

Practical playbook

Step-by-step actions

Start with the highest impact, lowest friction items.

Set a clear baseline. Require at least 12 characters and promote passphrases made of several random words. Provide simple examples and ban common substitutions that make passwords predictable. Align help text in all login portals. Follow NCSC and NIST guidance for memorised secrets.

Enable MFA wherever possible. Prefer authenticator apps generating one-time codes or push approvals. Keep SMS as a fallback only. For administrator accounts and critical systems, consider hardware security keys. NIST describes MFA as combining two or more factors such as something you know, something you have, and something you are.

Deploy a password manager to all staff. This removes password reuse, makes long unique passwords the default, and allows quick resets after an incident. KeePass is a well-known free, open source option for individuals and micro teams, using an encrypted database unlocked by a master password.

For mid-market needs, adopt an enterprise vault. Prioritise central policy enforcement, audit, reporting, SSO and SCIM provisioning, and integration with your identity stack. Keeper Enterprise is one example that offers admin controls, reporting and SSO or AD integration. Cybertex Security can help you select, implement, and tune the best fit for your stack.

Screen against breached passwords. Block known-compromised passwords at creation and monitor your domains for leaked credentials. The volume of exposed passwords reported publicly shows why continuous screening matters.

Tidy up rotation. Stop blanket 60- or 90-day resets. Instead, reset on compromise signals: breach notifications, leak detection hits, suspicious logins, or employee offboarding. This aligns with Microsoft and NIST guidance and reduces helpdesk load.

Train, then test. Short, scenario-based awareness sessions beat long lectures. Show staff how to use the manager and 2FA apps. Follow up with simple tests and offer coaching, not blame.

Cover third parties. Extend policy to contractors and suppliers who access your systems. Require MFA and vault usage, and include this in contracts.
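The baseline from the steps above (12+ characters, a ban on predictable substitutions, screening against known-breached passwords, passphrases encouraged), as an added Python example that is not the page's or any vendor's code. The breached list is a constructed stand-in and the substitution map is an assumption about which substitutions to treat as predictable.

```python
import hashlib
import re

# Constructed stand-in for a breached-password corpus (a real deployment
# would query a breach feed); stored as SHA-1 hex, never as plaintext.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "password123", "welcome1", "qwerty123456", "letmein2024")
}

# Assumed substitution map: the "common substitutions" the policy bans,
# because 'P@ssw0rd' is still 'password' to a cracking wordlist.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})
MIN_LENGTH = 12

def normalise(password: str) -> str:
    """Drop the trailing digits/symbols people append, then undo substitutions."""
    stripped = re.sub(r"[\d\W_]+$", "", password.lower())
    return stripped.translate(LEET_MAP)

def is_breached(password: str) -> bool:
    """Screen the password as typed, lower-cased, and normalised."""
    for candidate in (password, password.lower(), normalise(password)):
        if hashlib.sha1(candidate.encode()).hexdigest() in BREACHED_SHA1:
            return True
    return False

def looks_like_passphrase(password: str) -> bool:
    """Three or more separated words of at least three letters each."""
    words = [w for w in re.split(r"[\s\-_.]+", password)
             if len(re.sub(r"[^A-Za-z]", "", w)) >= 3]
    return len(words) >= 3

def evaluate(password: str) -> dict:
    """Apply the baseline: 12+ characters and no known-breached match."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if is_breached(password):
        findings.append("matches a known-breached password, as typed or after undoing substitutions")
    return {"accepted": not findings, "findings": findings,
            "passphrase": looks_like_passphrase(password)}
```

Wire `evaluate` into the portal's help text so the same rule and the same wording appear everywhere a password is set.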

Tooling and process integration

Think in layers that support the policy rather than a single product list.

Identity and access: central directory, SSO, and conditional access. Link the password manager to SSO and use SCIM for lifecycle automation.

Credential hygiene: enterprise password manager with policy templates, audit, and breach monitoring.

MFA and strong authenticators: authenticator apps and hardware keys for privileged access.

Monitoring and response: alert on impossible travel, repeated failed logins, and domain findings of leaked credentials. Trigger targeted resets and force re-authentication when needed.

Awareness and support: ongoing micro training, internal guidance pages, and a quick route to support when people lose a device or forget a master passphrase.
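The monitoring layer above, as an added Python example that is not from the page or any product: constructed login events, a failed-login threshold, and a simplified impossible-travel rule (successful logins from two countries within two hours, an assumption used in place of real geo-distance) produce the set of accounts to reset and force to re-authenticate.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample login events (not real logs): timestamp, user, outcome, country.
SAMPLE_EVENTS = """\
2025-10-21T08:00:01Z anna success EE
2025-10-21T08:01:10Z bob fail EE
2025-10-21T08:01:22Z bob fail EE
2025-10-21T08:01:35Z bob fail EE
2025-10-21T08:01:50Z bob fail EE
2025-10-21T08:02:04Z bob fail EE
2025-10-21T08:30:00Z anna success BR
2025-10-21T09:00:00Z carla success FI
2025-10-21T14:00:00Z carla success EE
"""
FAIL_THRESHOLD = 5                    # assumed thresholds; tune to your environment
FAIL_WINDOW = timedelta(minutes=10)
TRAVEL_WINDOW = timedelta(hours=2)    # assumption: two countries inside 2 h is implausible

def parse(text: str) -> list:
    """Turn the constructed lines into (time, user, outcome, country) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, outcome, country = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, outcome, country))
    return sorted(events)

def repeated_failures(events: list) -> set:
    """Users with FAIL_THRESHOLD or more failed logins inside a sliding FAIL_WINDOW."""
    recent, flagged = defaultdict(list), set()
    for ts, user, outcome, _ in events:
        if outcome != "fail":
            continue
        recent[user] = [t for t in recent[user] if ts - t <= FAIL_WINDOW] + [ts]
        if len(recent[user]) >= FAIL_THRESHOLD:
            flagged.add(user)
    return flagged

def impossible_travel(events: list) -> set:
    """Users who succeeded from two different countries closer together than TRAVEL_WINDOW."""
    last, flagged = {}, set()
    for ts, user, outcome, country in events:
        if outcome != "success":
            continue
        if user in last and last[user][1] != country and ts - last[user][0] < TRAVEL_WINDOW:
            flagged.add(user)
        last[user] = (ts, country)
    return flagged

def accounts_to_reset(text: str) -> set:
    """Union of both signals: these accounts get a targeted reset and forced re-authentication."""
    events = parse(text)
    return repeated_failures(events) | impossible_travel(events)
```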

Measurement and governance

Metrics and thresholds

Set realistic, measurable targets that improve behaviour and reduce risk.

Password health score: aim for 95 percent of staff with zero reused passwords in their vaults.

MFA coverage: 95 percent of active users with MFA enabled, 100 percent for admins and finance.

Breach exposure: mean time to reset credentials after a leak detection below 24 hours.

Incident rate: reduce credential-related incidents quarter by quarter, with board visibility.

Training completion and adoption: 100 percent completion of a 20-minute practical session, and vault adoption above 90 percent of users.

These metrics connect directly to controls suggested by NIST and NCSC and reflect the ongoing reality of widespread leaked credentials.

Roles and accountability

Boards approve policy, set risk appetite, and review metrics quarterly.

The CISO or security lead owns the policy and measurement, supported by IT operations for rollout and enforcement.

Team managers ensure staff complete training and follow the process.

Vendors and partners agree to password and MFA requirements in contracts.

HR and legal integrate policy into onboarding and offboarding so accounts are created with MFA and deprovisioned cleanly.

Regional and regulatory considerations

In Estonia and across the EU, your policy sits under general security and privacy obligations. Strong authentication supports compliance duties and reduces breach likelihood. Consider local identity ecosystems for secure login, but keep the same core principles: long unique passphrases, MFA by default, screening against known-breached passwords, and continuous monitoring and measurement.

How Cybertex Security can help

Selecting an enterprise password manager or rolling out 2FA is not just a tool choice. It is process, integration, and behaviour change.

Cybertex Security helps you shortlist and implement the right platform, for example evaluating features in solutions like Keeper Enterprise, integrating SSO and SCIM, and setting audit and reporting that satisfy management and auditors.

Ready to reduce risk and simplify your stack? Explore Security Technology Selection and Implementation or contact us.