Category Personnel/Employment
Title Passwords
Preview Passwords

By David A. Zetoony   

Many consumers, and many employees, have dozens of passwords for access to different systems, services, networks, devices, and terminals.  From a corporate perspective, many companies have at least two policies that impact passwords - a password selection or management policy, and a security policy that may include how passwords maintained by the company are secured.

A password selection or management policy discusses an organization's standards for password assignment, and password strength (i.e., how complex the password that a user selects must be in order to avoid the password from being stolen or guessed).  For organizations that maintain lists of passwords, several states have enacted legislation that require the organization to "implement and maintain reasonable security measure to protect" the username and passwords that are in their possession.  As a result, whether the organization maintains a system that allows third party users to create password controlled accounts is often a factor that is considered when conducting a data security assessment.  One of the primary concerns is that even if the service or database for which the username and password are used may not be sensitive, or house other categories of sensitive information, people often re-use their usernames and passwords for multiple services or systems.  As a result, if a bad actor is able to obtain a username and password for an individual that relates to a non-sensitive system maintained by one organization, the bad actor may be able to leverage those credentials to try to access a sensitive system held by a different organization.


Number of states that arguably require that an organization protect username and passwords within its possession.1


Number of people that use one of the top 25 "worst" passwords (i.e., most easily guessed by hackers)."2


Number of people that one study found still use the password "123456."3


Percentage of hacking-related data breaches that 
leveraged a weak or stolen passwords.4

What to think about when designing or reviewing, a password selection or use policy:

  1. The more characters required for a password, generally the more difficult it is for an attacker to guess.  Consider whether it is practical to require a long password (e.g., twelve or more characters).
  2. If only alphabetic characters are allowed there are 26 different combinations that an attacker needs to consider for each character of the password.  Allowing (or requiring) a larger character set increases the number of possible combinations.  As a result consider making passwords case sensitive (i.e., increasing the range of possibilities by an additional 26 characters), and utilize numbers (increasing the range of possibilities by an additional 10 characters) or symbols (further increasing the range of possibilities for each character).
  3. Avoid reusing the same password over and over again for different websites or databases.  Requiring a unique password configuration from users / employees may help prevent the reuse of passwords permitted by other websites.
  4. Two-factor authentication refers to the practice of requiring two separate forms of identification when logging into a system.  While one of those forms may be a password, the second form would ideally be unrelated to a knowledge-item of the user.  For example, a one-time generated token sent to the users mobile device could serve as the second factor.  Consider whether using a two-factor authentication system is practical.

If you lose an individual's username and password, it may trigger, in some jurisdictions, a requirement that you notify the individual and/or a state regulator.

  1. Bryan Cave Survey of State Safeguard Statutes (2015).
  2. Http:// (last viewed June 2017).  
  3. Http:// (last viewed June 2017).
  4. Verizon, 2017 Data Breach Investigations Report at 3 (10th Ed.).

Reprinted with permission from Bryan Cave Leighton Paisner Data Matters, November 5, 2018

Mr. Zetoony is an internationally recognized data privacy and security attorney that has been called a "Cybersecurity & Data Privacy Trailblazer," and the top "Legal Influencer," by legal sources such as the National Law Journal, Lexology, and JD Supra.   With over 1,400 lawyers in 32 offices across North America, Europe, the Middle East and Asia, Bryan Cave Leighton Paisner LLP is a fully integrated global law firm that provides clients with connected legal advice, wherever and whenever they need it. The firm is known for its relationship-driven, collaborative culture, diverse legal experience and industry-shaping innovation and offers clients one of the most active M&A, real estate, financial services, litigation and corporate risk practices in the world.   

LLU 29.2

Notice: This article is designed to provide accurate and authoritative information in regard to the subject matter covered. It has been provided to member schools with the understanding that ACSI is not engaged in rendering legal, accounting, tax, or other professional services. If legal advice or other expert assistance is required, the services of a competent professional should be sought. Laws vary by jurisdiction, and the specific application of laws to particular facts requires the advice of an attorney.  

Association of Christian Schools International
731 Chapel Hills Drive
Colorado Springs, CO 80920
Phone: 719.528.6906

Download Passwords