Password Policy That IT and Users Can Both Live With
As IT and DevOps professionals, we understand the importance of strong password policies. However, balancing security with usability can be a challenge. In this post, we'll explore practical password policy considerations that can be implemented with a self-hosted platform like Bastionary.
Minimum Length vs Complexity
Many organizations enforce both minimum length and complexity requirements for passwords. While this can increase security, it can also lead to user frustration and poor password hygiene.
- Minimum Length: Enforcing a minimum length (e.g., 8 characters) can help prevent weak passwords.
- Complexity: Complexity requirements (e.g., at least one uppercase, one lowercase, one number, and one special character) can further strengthen passwords.
- Balance: It's important to strike a balance between security and usability. Overly complex requirements can lead to users creating simple passwords to bypass them.
Tip: Consider using a self-hosted platform like Bastionary to dynamically enforce password complexity based on user behavior and risk profile.
Breach Detection via HIBP
One of the most effective ways to detect compromised passwords is the Have I Been Pwned (HIBP) Pwned Passwords API. It lets you check whether a password has appeared in a known data breach without sending the password itself: the client hashes the password with SHA-1 and sends only the first five hex characters of the hash; the API returns every hash suffix sharing that prefix, and the client looks for its own suffix locally (k-anonymity).
GET https://api.pwnedpasswords.com/range/{first 5 hex characters of the SHA-1 hash}
By integrating HIBP with your password policy, you can automatically notify users if their password has been compromised. This is a powerful tool for both IT and users.
Bastionary supports HIBP integration out of the box, making it easy to implement this feature in your environment.
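The range check described above, as an added example in Python (not Bastionary's code and not HIBP's client library). It hashes locally, sends only the five-character prefix, treats the zero-count entries that the API's Add-Padding option mixes in as non-hits, and combines the result with the post's minimum-length rule. The offline sample response and its count are constructed; the User-Agent string is a placeholder.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Added example, not Bastionary's code. Only the first 5 hex chars of the
# SHA-1 hash leave the client; the API returns every suffix with that prefix.
RANGE_URL = "https://api.pwnedpasswords.com/range/"

def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF). With Add-Padding the server mixes in
    fake entries whose count is 0; those must never register as a hit."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts

def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How often the password appears in known breaches (0 = not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def fetch_range_http(prefix: str) -> str:
    """Live fetcher for production use; the User-Agent value is a placeholder."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={
        "User-Agent": "example-policy-check", "Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def check_password(password: str, fetch_range: Callable[[str], str],
                   min_length: int = 8) -> Tuple[bool, str]:
    """The post's policy: minimum length first, then the breach check."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    n = pwned_count(password, fetch_range)
    return (False, f"seen {n} times in known breaches") if n else (True, "ok")

# Constructed offline sample for prefix 5BAA6: the suffix of "password"
# (SHA-1 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8) plus one padding entry.
SAMPLE_RANGES = {"5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
                          + "0" * 35 + ":0\r\n"}

def fetch_range_offline(prefix: str) -> str:
    return SAMPLE_RANGES.get(prefix, "")
```

Swap `fetch_range_offline` for `fetch_range_http` to query the live API; the network call is the only part that changes.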
Communicating Policy Changes Without Locking Everyone Out
When changing password policies, it's important to communicate these changes clearly to avoid locking out users. Here are some best practices:
- Clear Communication: Use email or in-app notifications to inform users of policy changes.
- Grace Period: Allow users a grace period to update their passwords before enforcing new requirements.
- Testing: Test policy changes in a staging environment before rolling them out to production.
Warning: Always ensure that your password policy is compatible with your authentication platform. Bastionary provides a robust framework for managing password policies, including support for HIBP and dynamic complexity enforcement.
By implementing a well-balanced password policy that is both secure and user-friendly, you can create a better experience for both IT and users. With a platform like Bastionary, you have the tools to manage this effectively.