Australian small business password policy template and MFA checklist for 2025
Service:
Password & MFA Setup
Stop weak passwords and stalled MFA rollouts with a copy‑and‑paste plan built for Brisbane SMEs. This guide gives you a clear password policy and an MFA checklist that fits the ACSC Essential Eight and small business cyber security needs.
Grab a ready‑to‑use password policy for Aussie SMEs and a practical MFA checklist aligned to the Essential Eight. Simple steps, recommended tools and rollout tips you can action today.
Key takeaways
- Use passphrases (14+ characters), no regular forced resets, and block known-bad passwords.
- Turn on MFA for all users, with phishing‑resistant methods (FIDO2 security keys or passkeys) for admins and remote access.
- Roll out in waves: pilot, train, enforce, and monitor with clear comms.
- Password manager + SSO cuts resets and sharing risks.
- Match settings to ACSC Essential Eight for 2025 and local Brisbane needs.
What it is and core concept
Definition
A password policy is a simple set of rules that tells staff how to create, store and use passwords and passphrases. It covers length, reuse, sharing, MFA, and resets. It also states how admins handle privileged accounts and service accounts, and how the business checks and updates settings.
Why it matters
Most breaches in Brisbane SMEs start with weak or reused passwords, or with an account that never had MFA turned on. A clear policy stops guessable logins, cuts lockouts, and gives your team one consistent way to sign in from the office, home, or on the road during storm season.
How it works and step-by-step
Process
Use this quick flow:
- Decide standards: follow ACSC Essential Eight and modern password guidance.
- Write the policy: copy the template below and tweak names and dates.
- Set controls: enforce rules in Microsoft 365 or Google Workspace.
- Roll out MFA in waves: pilot, train, enforce, support.
- Adopt a password manager and SSO to reduce friction.
- Monitor: review sign‑in logs, act on risky sign‑ins, and improve every quarter.
Featured answer
Use passphrases of 14+ characters, no forced monthly resets, block breached and common passwords, and store logins in a business password manager. Enforce MFA for all users, with stronger methods for admins. Roll out in waves with staff training, backup codes, and clear help steps.
Why passwords still fail in small businesses
- Password reuse across email, accounting, and file shares.
- Complexity rules that staff satisfy with predictable patterns like Summer2025!, which attackers guess first.
- SMS codes only, which can be slow or blocked while travelling and can be intercepted through SIM swap.
- Shared mailboxes with shared passwords and no MFA.
- No password manager, so people write logins in notes or spreadsheets.
What the ACSC Essential Eight recommends for passwords and MFA
- MFA for all users of internet‑facing services (email, cloud apps, remote access) and for all privileged accounts.
- Higher maturity levels call for phishing‑resistant MFA (FIDO2 security keys or passkeys) for admins first, then for all users.
- Use passphrases; change them only when compromise is suspected, not on a fixed schedule.
- Disable legacy authentication (IMAP, POP, SMTP AUTH with basic auth), which bypasses MFA entirely. Use SSO where possible.
- Review access and admin roles regularly. Separate admin accounts from day‑to‑day user accounts.
Copy-and-paste password policy template (ready to use)
Copy this, add your business name, and share with staff.
- Scope: All staff, contractors, interns, and shared mailboxes.
- Standards: Follow ACSC Essential Eight and modern passphrase guidance.
- Password requirements: Minimum 14 characters. Passphrases (several words, spaces allowed) encouraged; no mixed‑case or symbol rules beyond length. No common or breached passwords. No reuse of the last 24 passwords.
- Storage: Use the approved password manager for all work accounts. No spreadsheets, notes, or browser autofill for sensitive apps.
- MFA: Required for all users. Admins must use app‑based MFA or hardware keys. SMS allowed only as a backup.
- Sharing: Do not share passwords. Use the password manager’s shared vaults if a login must be shared.
- Admins: Separate admin accounts. No daily email on admin accounts. Log and audit admin actions.
- Service accounts: Use long, random passwords stored in the manager. Rotate when staff leave or when systems change.
- Resets: Use self‑service reset where available. Change passwords only on suspected compromise or exposure.
- Lockout: 10 failed attempts trigger a 10‑minute lockout. Use self‑service reset or contact IT.
- New starters: Password manager invite and MFA setup on day one.
- Leavers: Disable accounts on departure day. Rotate shared credentials within 24 hours.
- Travel and storms: Carry backup MFA options (backup codes or hardware key).
- Review: Policy reviewed every 12 months or after a security incident.
- Exceptions: Must be approved by the manager and documented with a date.
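The password rules in the template above (14+ characters, banned and breached passwords rejected, no reuse of the last 24, no complexity rule) are easy to state and easy to get wrong in practice. The script below is an added worked example of those rules as a checker, not code from the page's authors or from any password manager. Everything it reads is constructed and embedded inline so it runs offline: the banned list, the sample account, and a stand‑in for a k‑anonymity breach lookup (only the first five characters of the SHA‑1 hash would leave the machine in the real protocol; a deployment would replace range_lookup() with a query to a breached‑password range API).

```python
"""Password policy checker: an added illustration of the template above."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MIN_LENGTH = 14        # template: minimum 14 characters, passphrases allowed
HISTORY_DEPTH = 24     # template: no reuse of the last 24 passwords
PBKDF2_ROUNDS = 100_000

# Constructed banned list; a real one is the identity provider's global and
# custom banned lists plus business-specific terms (name, suburb, products).
BANNED = {"password", "summer2025!", "brisbane2025", "welcome1", "letmein12345678"}


def sha1_hex(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a k-anonymity breach lookup: the 5-char SHA-1 prefix
# of "Summer2025!" maps to the "SUFFIX:COUNT" lines a real range query returns.
_breached = sha1_hex("Summer2025!")
SAMPLE_RANGE = {_breached[:5]: [f"{_breached[5:]}:1234", "0" * 34 + "A:2"]}


def range_lookup(prefix: str) -> list[str]:
    """Stub for the network call; only the prefix is ever sent in the real API."""
    return SAMPLE_RANGE.get(prefix, [])


def breach_count(pw: str) -> int:
    h = sha1_hex(pw)
    prefix, suffix = h[:5], h[5:]
    for line in range_lookup(prefix):
        sfx, count = line.split(":")
        if sfx == suffix:
            return int(count)
    return 0


def _history_hash(pw: str, salt: bytes) -> bytes:
    # Slow salted hash so a leaked history file does not leak old passwords.
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    history: list = field(default_factory=list)   # (salt, hash), newest first


def previously_used(acct: Account, pw: str) -> bool:
    return any(hmac.compare_digest(_history_hash(pw, salt), h)
               for salt, h in acct.history[:HISTORY_DEPTH])


def check_password(acct: Account, pw: str) -> list[str]:
    """Return the policy violations for pw (an empty list means acceptable)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in BANNED:
        problems.append("on the banned/common password list")
    local_part = acct.username.split("@")[0].lower()
    if any(part in pw.lower() for part in local_part.split(".") if len(part) >= 3):
        problems.append("contains the account name")
    n = breach_count(pw)
    if n:
        problems.append(f"seen {n} times in breach data")
    if previously_used(acct, pw):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems        # deliberately no mixed-case/symbol rule


def set_password(acct: Account, pw: str) -> bool:
    """Apply the policy; on success record a salted hash for the reuse check."""
    if check_password(acct, pw):
        return False
    salt = os.urandom(16)
    acct.history.insert(0, (salt, _history_hash(pw, salt)))
    del acct.history[HISTORY_DEPTH:]
    return True


if __name__ == "__main__":
    jo = Account("jo.bloggs@example.com.au")      # constructed sample user
    print(check_password(jo, "Summer2025!"))
    print(set_password(jo, "correct horse battery staple brisbane"))
    print(set_password(jo, "correct horse battery staple brisbane"))  # reuse
```

Running it shows Summer2025! failing three checks at once (too short, on the banned list, present in the constructed breach data), a five‑word passphrase passing, and the same passphrase being refused the second time because it is now in the reuse history.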
Enforcing your policy in Microsoft 365 and Google Workspace
Microsoft 365 (Entra ID)
- Turn on Security Defaults (free; MFA for everyone, no exceptions) or, with an Entra ID P1 licence, use Conditional Access policies that require MFA for all users. The two are mutually exclusive, so turn Security Defaults off before enabling Conditional Access.
- Keep number matching on in Microsoft Authenticator (Microsoft now enforces it for push notifications) and enable the application name and geographic location context in prompts.
- Configure Entra Password Protection: a custom banned password list (business name, suburbs, product names) on top of Microsoft's global list, and a smart lockout threshold. Entra ID does not let you raise the minimum length for cloud‑only accounts above its built‑in 8 characters, so enforce 14+ through the password manager and training, or via on‑premises AD policy if you sync from AD.
- Disable legacy authentication: a Conditional Access policy that blocks legacy clients, plus turning off SMTP AUTH, POP and IMAP per mailbox where not needed.
- Create separate admin accounts and require phishing‑resistant MFA (FIDO2 keys or passkeys) for them.
- Use the Authentication Methods policy to enable Microsoft Authenticator and FIDO2/passkeys, and to disable SMS and voice call once staff have migrated.
- Enable self‑service password reset and require two authentication methods to reset.
Google Workspace
- Security → Authentication → Password management: set the minimum length to 14 and turn off password reuse. Google's default minimum is 8, so this setting is where 14+ gets enforced.
- Security → Authentication → 2‑Step Verification: enforce for all users after a short enrolment period; for admins, restrict methods to security keys.
- Allow backup codes and Google prompt or authenticator apps; set the enforcement policy to "Any except verification codes via text, phone call" so SMS is not the primary method.
- Google has removed "Less secure apps" access for Workspace; disable POP and IMAP under Apps → Google Workspace → Gmail → End User Access for users who do not need them, and move scanners and line‑of‑business apps to OAuth.
- Use Context‑Aware Access for risky locations and devices.
MFA rollout checklist and timeline for teams
Typical Brisbane SME (10–50 staff): 2–4 weeks total.
- Week 1: Audit users, apps, shared mailboxes, and admin accounts. Pick MFA methods. Prepare how‑to guides and backup codes.
- Week 2: Pilot 10–20% of users. Fix gaps like legacy devices, old scanners, or POP/IMAP mail.
- Week 3: Staff training (15‑minute session). Enforce MFA for all non‑admin users. Provide help desk hours.
- Week 4: Enforce stronger MFA for admins and high‑risk apps. Review logs and adjust policies.
- Ongoing: Quarterly access reviews. Rotate service account credentials. Test recovery.
Recommended tools: password managers, SSO and authenticator apps
- Password manager: Choose a business plan with shared vaults, audit logs, and SCIM/SSO support. Examples include Bitwarden, 1Password, or Keeper.
- SSO: Use Microsoft Entra ID or Google Workspace as the identity hub to cut passwords in apps.
- Authenticators: Microsoft Authenticator or Google Authenticator for push or TOTP. Authy for multi‑device if policy allows.
- Hardware keys: FIDO2 security keys for admins and finance teams. They are phishing‑resistant because the key signs a challenge bound to the real site, so a lookalike login page gets nothing usable.
- Backup options: Printed backup codes stored in a safe; one spare hardware key per role.
Training staff and reducing lockouts
- Run a short demo: how to create a passphrase and use the manager.
- Explain MFA prompts and number matching; reject any unprompted requests.
- Provide a 1‑page help sheet with the QR enrolment steps and support contact.
- Set up authenticator backup and recovery on day one.
- Plan for travel: roaming may block SMS; use app‑based MFA or hardware keys.
- Storm plan: keep backup codes handy; laptops charged; use mobile hotspot if NBN drops.
Common problems in Brisbane
Weather and infrastructure
- Storms and summer humidity cause power and NBN dropouts in suburbs like The Gap, Chapel Hill, and Birkdale. MFA push notifications need data, but authenticator apps generate time‑based codes offline, so keep those and backup codes available.
- Older buildings in Fortitude Valley and Woolloongabba can have patchy mobile coverage, so SMS codes fail on basement levels; app‑based codes do not need signal.
- Brief NBN sync drops in some FTTN areas (e.g., Carina, Salisbury) do not affect time‑based codes, but an inaccurate phone clock does: keep automatic time sync on so codes stay valid.
Troubleshooting and quick checks
Short answer
If you’re locked out, check internet and phone time sync, try a different network, and use app‑based codes or backup codes. If still stuck, contact your admin to issue a temporary access pass or reset. Avoid removing MFA unless there’s a verified identity check.
Quick checks
Try these:
- Turn off airplane mode; check mobile data or Wi‑Fi.
- Sync time on your phone; TOTP codes need accurate time.
- Use a one‑time backup code from your kit.
- Approve number‑matching prompt only when you’re logging in.
- Try a known trusted device or network (office, home).
- Ask admin to unlock or issue a temporary access pass.
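The quick checks above (and the FTTN note earlier) rest on how time‑based codes actually work: the authenticator and the server each derive the code from a shared secret and the current 30‑second step, so a phone clock that drifts too far produces codes the server will not accept even though the internet connection is fine. The script below is an added example implementing RFC 6238 TOTP generation and server‑side verification; it is illustration code, not the page authors' tooling or any vendor's authenticator. The base32 secret, timestamps and clock offsets are constructed for the demonstration, and the verifier adds the replay check a server should do (never accept the same step twice).

```python
"""TOTP (RFC 6238) generator and verifier: an added example of why clock sync matters."""
import base64
import hashlib
import hmac
import struct

STEP = 30          # seconds per TOTP step (the usual default)
DIGITS = 6


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = STEP) -> str:
    """The code an authenticator shows when its own clock reads `at` (Unix seconds)."""
    return hotp(key, at // step)


def key_from_base32(secret: str) -> bytes:
    """Authenticator apps are enrolled with a base32 secret (what the QR code carries)."""
    s = secret.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


class TotpVerifier:
    """Server side: accept codes within +/-window steps, never accept a step twice."""

    def __init__(self, key: bytes, window: int = 1, step: int = STEP):
        self.key, self.window, self.step = key, window, step
        self.last_step = -1                 # highest step already consumed

    def verify(self, code: str, server_time: int) -> bool:
        now = server_time // self.step
        for candidate in range(now - self.window, now + self.window + 1):
            if candidate <= self.last_step:
                continue                    # replay of an already-used step
            if hmac.compare_digest(hotp(self.key, candidate), code):
                self.last_step = candidate
                return True
        return False


def drift_demo(key: bytes, server_time: int, phone_offset: int) -> bool:
    """Phone clock is `phone_offset` seconds off; does a fresh verifier accept its code?"""
    return TotpVerifier(key).verify(totp(key, server_time + phone_offset), server_time)


if __name__ == "__main__":
    key = key_from_base32("JBSWY3DPEHPK3PXP")   # constructed sample secret
    t = 1_700_000_000                            # constructed server time
    print(totp(key, t), drift_demo(key, t, -45), drift_demo(key, t, -90))
```

With the usual one‑step tolerance a phone 45 seconds slow still lands one step behind and is accepted, while 90 seconds slow is three steps behind and rejected, which is exactly the "sync your phone time" failure mode. Widening the window buys tolerance at the cost of a larger guessing surface, so fix the clock rather than the window.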
Safety notes and when to call a pro
Red flags
Call for help if staff report MFA prompts they did not trigger, mailbox rules or admin settings were changed without approval, an invoice mailbox was accessed at odd hours, or you spot successful logins from outside Australia. If a device with an authenticator was lost or stolen, revoke the user's sessions and refresh tokens, remove the registered authenticator, and re‑register on a new device straight away.
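Three of the red flags above can be checked from sign‑in logs rather than waiting for someone to notice: a successful sign‑in from outside Australia, a shared invoice mailbox opened out of hours, and a burst of denied MFA prompts. The script below is an added example of that detection logic, not the page authors' tooling. The log records are constructed to resemble a few fields of a Microsoft Entra sign‑in export (the domain, users and timestamps are invented), the shared mailbox list and business hours are assumptions to adjust, and the MFA‑denied error code 500121 is Entra's "authentication failed during strong authentication request". Brisbane local time is UTC+10 year round because Queensland has no daylight saving.

```python
"""Red-flag detection over constructed sign-in log lines: an added example."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

BRISBANE = timezone(timedelta(hours=10))          # Queensland: no daylight saving
BUSINESS_HOURS = range(7, 19)                     # 07:00-18:59 local, Mon-Fri (assumed)
HOME_COUNTRY = "AU"
SHARED_MAILBOXES = {"accounts@example.com.au"}    # constructed; fill from your tenant
MFA_DENIED = 500121   # Entra: authentication failed during strong authentication request
FATIGUE_COUNT, FATIGUE_WINDOW = 3, timedelta(minutes=10)

# Constructed sample records (a subset of Entra sign-in log fields), one JSON object per line.
SAMPLE_LOG = """\
{"createdDateTime":"2025-02-03T01:15:00Z","userPrincipalName":"jo.bloggs@example.com.au","appDisplayName":"Office 365 Exchange Online","location":{"countryOrRegion":"AU"},"status":{"errorCode":0}}
{"createdDateTime":"2025-02-03T03:05:00Z","userPrincipalName":"jo.bloggs@example.com.au","appDisplayName":"Office 365 Exchange Online","location":{"countryOrRegion":"NG"},"status":{"errorCode":0}}
{"createdDateTime":"2025-02-03T04:00:00Z","userPrincipalName":"accounts@example.com.au","appDisplayName":"Outlook Web App","location":{"countryOrRegion":"AU"},"status":{"errorCode":0}}
{"createdDateTime":"2025-02-03T16:40:00Z","userPrincipalName":"accounts@example.com.au","appDisplayName":"Outlook Web App","location":{"countryOrRegion":"AU"},"status":{"errorCode":0}}
{"createdDateTime":"2025-02-03T02:00:00Z","userPrincipalName":"sam.lee@example.com.au","appDisplayName":"Microsoft 365","location":{"countryOrRegion":"AU"},"status":{"errorCode":500121}}
{"createdDateTime":"2025-02-03T02:02:00Z","userPrincipalName":"sam.lee@example.com.au","appDisplayName":"Microsoft 365","location":{"countryOrRegion":"AU"},"status":{"errorCode":500121}}
{"createdDateTime":"2025-02-03T02:04:00Z","userPrincipalName":"sam.lee@example.com.au","appDisplayName":"Microsoft 365","location":{"countryOrRegion":"AU"},"status":{"errorCode":500121}}
{"createdDateTime":"2025-02-03T02:07:00Z","userPrincipalName":"sam.lee@example.com.au","appDisplayName":"Microsoft 365","location":{"countryOrRegion":"AU"},"status":{"errorCode":500121}}
{"createdDateTime":"2025-02-03T02:09:00Z","userPrincipalName":"sam.lee@example.com.au","appDisplayName":"Microsoft 365","location":{"countryOrRegion":"AU"},"status":{"errorCode":50126}}
"""


def parse_log(text: str):
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def _utc(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def out_of_hours(t: datetime) -> bool:
    local = t.astimezone(BRISBANE)
    return local.weekday() >= 5 or local.hour not in BUSINESS_HOURS


def detect(records) -> list[dict]:
    alerts, denied = [], defaultdict(list)
    for r in records:
        t = _utc(r["createdDateTime"])
        upn = r["userPrincipalName"].lower()
        code = r["status"]["errorCode"]
        country = r["location"]["countryOrRegion"]
        if code == 0 and country != HOME_COUNTRY:
            alerts.append({"rule": "foreign_success", "user": upn,
                           "country": country, "at": t.isoformat()})
        if code == 0 and upn in SHARED_MAILBOXES and out_of_hours(t):
            alerts.append({"rule": "shared_mailbox_after_hours", "user": upn,
                           "local_time": t.astimezone(BRISBANE).strftime("%a %H:%M")})
        if code == MFA_DENIED:
            denied[upn].append(t)
    # MFA fatigue: FATIGUE_COUNT or more denied prompts inside FATIGUE_WINDOW.
    for upn, times in denied.items():
        times.sort()
        for i in range(len(times) - FATIGUE_COUNT + 1):
            if times[i + FATIGUE_COUNT - 1] - times[i] <= FATIGUE_WINDOW:
                alerts.append({"rule": "mfa_fatigue", "user": upn,
                               "denied_prompts": len(times), "first": times[i].isoformat()})
                break
    return alerts


def run_sample() -> list[dict]:
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample data this raises exactly three alerts: the Nigerian sign‑in to jo.bloggs, the accounts mailbox opened at 02:40 Brisbane time on a Tuesday, and four denied MFA prompts for sam.lee inside ten minutes; the plain wrong‑password failure (50126) and the daytime mailbox access are left alone. Each alert is the starting point for the "call for help" step, not proof of compromise on its own.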
When to call a professional for help
Get support if you’re migrating from legacy email, have multiple sites with uneven NBN, run line‑of‑business apps that rely on POP/IMAP, or need conditional access by location and device. A pro can set policies, run a clean pilot, and keep the business running during cutover.
Local insights and examples
Brisbane/SEQ examples
We often see shared mailbox risks in CBD agencies, POP/IMAP on legacy scanners in Rocklea warehouses, and SMS‑only MFA struggling in Ipswich and Redland Bay during storms. North Lakes and Springfield teams get quick wins by moving to app‑based MFA and a shared password manager vault.
FAQs
Q1: What are the best 2025 password requirements for an Australian SME?
Use 14+ character passphrases, no regular forced resets, block breached and common passwords, and store logins in a business password manager. Enforce MFA for all users, with stronger methods for admins and remote access. Review access quarterly and disable legacy protocols.
Q2: Does MFA mean I can skip a password manager?
No. MFA helps, but it doesn’t fix reuse or sharing. A password manager generates unique passphrases, stores them safely, and lets teams share access without sending passwords. Use both: manager + MFA + SSO where possible.
Q3: How long will an MFA rollout take for 20–30 staff?
Plan for 2–3 weeks. Spend the first week auditing users and apps and running a pilot. Week two is training and enforcing MFA for most users. Final days are for admin hardening, backup codes, and tidy‑up. Larger or multi‑site teams may need an extra week.
Sources and further reading
This guide aligns with the ACSC Essential Eight maturity model, modern passphrase guidance, and identity best practice in Microsoft Entra ID and Google Workspace. Principles include phishing‑resistant MFA for admins, passphrases over complexity, disabling legacy protocols, and regular access reviews.
Wrap-up and next steps
Use the template, set controls in 365 or Google, and roll out MFA in waves. Train staff with simple steps and backup options for storm days and travel. If you want a clean, fast setup with minimal disruption, book our Brisbane team for Password & MFA Setup.