CIS Password Policy Guide

Passwords are ubiquitous in modern society. If you have an account on a computer system, there will likely be at least one password that will need to be managed.

Passwords are the easiest form of computer security to implement, and there have been many variations. Over the years, security experts have tried to make passwords harder to crack by enforcing various system-specific rules on the creation and use of passwords (referred to as Password Policy in this document).

The goal of this document is to consolidate this new password guidance in one place. Ideally, a single comprehensive password policy can serve as a standard wherever a password policy is needed.

This document has been created using the same methods and communities that are used to develop and maintain the CIS Controls® and CIS Benchmarks™ standards, including additional real-world input from the CIS-managed Multi-State Information Sharing and Analysis Center® (MS-ISAC®) and Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®). It is not the intention here to reinvent the wheel, but rather to apply standards and existing documented best practices in a single source.

This guidance was not created to focus on the password itself, but on the overall goal that a password serves. Passwords provide strong user authentication and help to keep attackers out of systems.