In This Guide
- Key takeaways
- What it is and core concept
- How it works and step-by-step
- Why passwords still fail in small businesses
- What the ACSC Essential Eight recommends for passwords and MFA
- Copy-and-paste password policy template (ready to use)
- Enforcing your policy in Microsoft 365 and Google Workspace
- MFA rollout checklist and timeline for teams
- Recommended tools: password managers, SSO and authenticator apps
- Training staff and reducing lockouts
- Common problems in Brisbane
- Troubleshooting and quick checks
- Safety notes and when to call a pro
- When to call a professional for help
- Local insights and examples
- Frequently asked questions
Key takeaways
- Use passphrases (14+ characters), no regular forced resets, and block known-bad passwords.
- Turn on MFA for all users, with stronger methods for admins and remote access.
- Roll out in waves: pilot, train, enforce, and monitor with clear comms.
- Password manager + SSO cuts resets and sharing risks.
- Match settings to ACSC Essential Eight for 2025 and local Brisbane needs.
$205/hr onsite · $125/hr remote · 4.9 stars across 100+ Google reviews · same-day booking · all 600+ Brisbane suburbs · no fix, no fee guarantee.
What it is and core concept
Definition
A password policy is a simple set of rules that tells staff how to create, store and use passwords and passphrases. It covers length, reuse, sharing, MFA, and resets. It also states how admins handle privileged accounts and service accounts, and how the business checks and updates settings.
Why it matters
Most breaches in Brisbane SMEs start with weak or reused passwords or a missed MFA prompt. A clear policy stops guessable logins, cuts lockouts, and gives your team one easy way to work from the office, home, or on the road during storm season.
How it works and step-by-step
Process
Use this quick flow:
- Decide standards: follow ACSC Essential Eight and modern password guidance.
- Write the policy: copy the template below and tweak names and dates.
- Set controls: enforce rules in Microsoft 365 or Google Workspace.
- Roll out MFA in waves: pilot, train, enforce, support.
- Adopt a password manager and SSO to reduce friction.
- Monitor: review logs, reset risks, and improve every quarter.
Featured answer
Use passphrases of 14+ characters, no forced monthly resets, block breached and common passwords, and store logins in a business password manager. Enforce MFA for all users, with stronger methods for admins. Roll out in waves with staff training, backup codes, and clear help steps.
Need a hand?
Same-day onsite or remote support across Brisbane. No fix, no fee. Most jobs sorted in one visit.
Book a Geek — From $125/hrWhy passwords still fail in small businesses
- Password reuse across email, accounting, and file shares.
- Short complexity rules that staff bypass with patterns like Summer2025!.
- SMS codes only, which can be slow or blocked while travelling.
- Shared mailboxes with shared passwords and no MFA.
- No password manager, so people write logins in notes or spreadsheets.
What the ACSC Essential Eight recommends for passwords and MFA
- MFA for all remote access, cloud services, and all privileged accounts.
- MFA for all users is the goal; stronger methods for admins and high‑risk apps.
- Use passphrases; avoid regular forced resets unless there’s a breach.
- Disable legacy auth (IMAP/POP/Basic). Use SSO where possible.
- Review access and admin roles often. Separate admin and user accounts.
Copy-and-paste password policy template (ready to use)
Copy this, add your business name, and share with staff.
- Scope: All staff, contractors, interns, and shared mailboxes.
- Standards: Follow ACSC Essential Eight and modern passphrase guidance.
- Password requirements: Minimum 14 characters. Passphrases allowed. No common or breached passwords. No reuse of last 24 passwords.
- Storage: Use the approved password manager for all work accounts. No spreadsheets, notes, or browser autofill for sensitive apps.
- MFA: Required for all users. Admins must use app‑based MFA or hardware keys. SMS allowed only as a backup.
- Sharing: Do not share passwords. Use the password manager’s shared vaults if a login must be shared.
- Admins: Separate admin accounts. No daily email on admin accounts. Log and audit admin actions.
- Service accounts: Use long, random passwords stored in the manager. Rotate when staff leave or when systems change.
- Resets: Use self‑service reset where available. Change passwords only on suspected compromise or exposure.
- Lockout: 10 bad attempts triggers lockout for 10 minutes. Self‑service reset or contact IT.
- New starters: Password manager invite and MFA setup on day one.
- Leavers: Disable accounts on departure day. Rotate shared credentials within 24 hours.
- Travel and storms: Carry backup MFA options (backup codes or hardware key).
- Review: Policy reviewed every 12 months or after a security incident.
- Exceptions: Must be approved by the manager and documented with a date.
Enforcing your policy in Microsoft 365 and Google Workspace
Microsoft 365 (Entra ID)
- Turn on Security Defaults or use Conditional Access for MFA on all users.
- Enable number matching and location in Microsoft Authenticator.
- Set password protection: 14+ length, banned password list, smart lockout.
- Disable legacy auth (IMAP/POP/SMTP AUTH where not needed).
- Create separate admin accounts and require strong MFA or hardware keys.
- Use Authentication Methods policy to allow app‑based MFA and FIDO2 keys.
- Enable self‑service password reset with MFA and manager approval.
Google Workspace
- Security → Password management: set 14+ length and block reuse.
- Security → 2‑Step Verification: enforce for all users; require for admins.
- Allow backup codes and app‑based prompts; avoid SMS as primary.
- Disable Less Secure Apps and POP/IMAP legacy auth where possible.
- Use Context‑Aware Access for risky locations and devices.
MFA rollout checklist and timeline for teams
Typical Brisbane SME (10–50 staff): 2–4 weeks total.
- Week 1: Audit users, apps, shared mailboxes, and admin accounts. Pick MFA methods. Prepare how‑to guides and backup codes.
- Week 2: Pilot 10–20% of users. Fix gaps like legacy devices, old scanners, or POP/IMAP mail.
- Week 3: Staff training (15‑minute session). Enforce MFA for all non‑admin users. Provide help desk hours.
- Week 4: Enforce stronger MFA for admins and high‑risk apps. Review logs and adjust policies.
- Ongoing: Quarterly access reviews. Rotate service account credentials. Test recovery.
Recommended tools: password managers, SSO and authenticator apps
- Password manager: Choose a business plan with shared vaults, audit logs, and SCIM/SSO support. Examples include Bitwarden, 1Password, or Keeper.
- SSO: Use Microsoft Entra ID or Google Workspace as the identity hub to cut passwords in apps.
- Authenticators: Microsoft Authenticator or Google Authenticator for push or TOTP. Authy for multi‑device if policy allows.
- Hardware keys: FIDO2 keys (e.g., security keys) for admins and finance teams.
- Backup options: Printed backup codes stored in a safe; one spare hardware key per role.
Training staff and reducing lockouts
- Run a short demo: how to create a passphrase and use the manager.
- Explain MFA prompts and number matching; reject any unprompted requests.
- Provide a 1‑page help sheet with QR steps and support contact.
- Set up authenticator backup and recovery on day one.
- Plan for travel: roaming may block SMS; use app‑based MFA or hardware keys.
- Storm plan: keep backup codes handy; laptops charged; use mobile hotspot if NBN drops.
Common problems in Brisbane
Weather and infrastructure
- Seasonal heat, storms, humidity impacts.
- Older buildings and NBN quirks by suburb where relevant.
- Storms and summer humidity cause power and NBN dropouts in suburbs like The Gap, Chapel Hill, and Birkdale. MFA push may lag; have backup codes.
- Older buildings in Fortitude Valley and Woolloongabba can have patchy mobile coverage, so SMS codes fail on basement levels.
- Some FTTN areas (e.g., Carina, Salisbury) see brief sync drops; avoid time‑based codes expiring by syncing phone time.
Troubleshooting and quick checks
Short answer
If you’re locked out, check internet and phone time sync, try a different network, and use app‑based codes or backup codes. If still stuck, contact your admin to issue a temporary access pass or reset. Avoid removing MFA unless there’s a verified identity check.
Quick checks
Try these:
- Turn off airplane mode; check mobile data or Wi‑Fi.
- Sync time on your phone; TOTP codes need accurate time.
- Use a one‑time backup code from your kit.
- Approve number‑matching prompt only when you’re logging in.
- Try a known trusted device or network (office, home).
- Ask admin to unlock or issue a temporary access pass.
Safety notes and when to call a pro
Red flags
Call for help if staff report random MFA prompts, rules were changed without approval, an invoice mailbox was accessed at odd hours, or you spot logins from outside Australia. If a device with an authenticator was lost or stolen, revoke tokens and re‑register straight away.
When to call a professional for help
Get support if you’re migrating from legacy email, have multiple sites with uneven NBN, run line‑of‑business apps that rely on POP/IMAP, or need conditional access by location and device. A pro can set policies, run a clean pilot, and keep the business running during cutover.
Local insights and examples
Brisbane/SEQ examples
We often see shared mailbox risks in CBD agencies, POP/IMAP on legacy scanners in Rocklea warehouses, and SMS‑only MFA struggling in Ipswich and Redland Bay during storms. North Lakes and Springfield teams get quick wins by moving to app‑based MFA and a shared password manager vault.