Password Policy Best Practices

Cristian Cornea
3 min read · Oct 15, 2021
(Photo by Sajad Nori on Unsplash)

In this article, we will discuss some “uncommon” password policy best practices that many companies do not follow. They are collected from the Penetration Testing assessments I have conducted over the years.

Company-related Passwords

Let’s take the following scenario:

  1. We have a company named “Hooli”
  2. We enforced a default password for all the new users to use for their first login in all of our systems (after they are hired)
  3. This password is: “Hooli@123” (following the most common password policy — minimum 8 characters, one symbol, one digit, and one uppercase)
  4. After the users log in using this password, what are the chances of them choosing a similar password such as “Hooli@1234”? (Some of them are just lazy, right?)
  5. Answer: very high chances, as seen from my experience.

To prevent this scenario, you must do the following:

  • If you really want to set default passwords for newly onboarded accounts, use a random generator to create them
  • Through the password policy, deny any password that contains the names of the company’s brands and their derivatives. For the above scenario, a list of such names would be:
    Hooli
    H00li
    H00l1
    Hool!
    H@@li
    and so on

Common Passwords

If you have no password policy in place then you are vulnerable.

If you have the most common password policy in place then you are less vulnerable, but it is still an issue.

What is the “most common password policy”?

  • Minimum 8 characters
  • Minimum one uppercase character
  • Minimum one digit
  • Minimum one symbol

That’s good, but let me enumerate some common passwords that this password policy still accepts. 🤠

P@ssw0rd
Password123!
Password@2021
100%Sexy
Angel!123
1qaz!QAZ
Flying12!
Frodo123!
Sophie1!
Princess1!
1Weather!
Pirate6!
P@ssword4
Ch0c0l@t3
P@ssword1
P@55word
Mia@home1
7thHe@ven
Foo123!@
R@men1ban
P@ssw0rd0
TOmmy@@2
Bluesky#23
N0v#m3#r
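As an added illustration of both sections (this is example code, not code from the article), a small Python checker: it implements the “most common password policy” described above, rejects any password that contains the company name under the character substitutions listed for “Hooli” (H00li, H00l1, Hool!, H@@li), and rejects entries from a blocklist constructed from the list above. The company name, the substitution table and the blocklist contents are assumptions.

```python
import re

# Assumed company/brand names to deny (the article's example company)
BRAND_NAMES = ["Hooli"]

# Constructed blocklist: a few of the policy-compliant common passwords listed above
COMMON_PASSWORDS = {"p@ssw0rd", "password123!", "password@2021",
                    "1qaz!qaz", "p@55word", "bluesky#23"}

# Assumed substitution table: each letter and the characters people swap in for it
SUBSTITUTES = {"a": "a@4", "e": "e3", "i": "i1!|", "l": "l1!|",
               "o": "o0@", "s": "s$5", "t": "t7"}


def brand_pattern(brand: str) -> re.Pattern:
    """Build a regex that matches the brand under any substitution, e.g. Hooli -> H00l1, Hool!, H@@li."""
    classes = []
    for ch in brand.lower():
        alternatives = SUBSTITUTES.get(ch, ch)
        classes.append("[" + "".join(re.escape(c) for c in alternatives) + "]")
    return re.compile("".join(classes), re.IGNORECASE)


BRAND_PATTERNS = [brand_pattern(b) for b in BRAND_NAMES]


def meets_common_policy(password: str) -> bool:
    """The 'most common password policy': 8+ chars, one uppercase, one digit, one symbol."""
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[0-9]", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


def contains_brand(password: str) -> bool:
    """True if the password contains the company name or a leetspeak/symbol variant of it."""
    return any(p.search(password) for p in BRAND_PATTERNS)


def is_common(password: str) -> bool:
    """True if the password is on the blocklist (case-insensitive)."""
    return password.lower() in COMMON_PASSWORDS


def check_password(password: str) -> list:
    """Return the list of violations; an empty list means the password is accepted."""
    problems = []
    if not meets_common_policy(password):
        problems.append("complexity")
    if contains_brand(password):
        problems.append("contains company name")
    if is_common(password):
        problems.append("common password")
    return problems
```

Note that “Hooli@1234” and every password in the list above pass the complexity rules alone; only the brand and blocklist checks reject them.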
Cristian Cornea, 🇷🇴 Founder @ Zerotak Security & Cyber Security Training Centre of Excellence (CSTCE)