IAM-03 Asset & Data Management 8% of OML score

Are strong passwords required for company systems and applications?

Does your company enforce rules that force employees to use strong, hard-to-guess passwords on all systems they access—email, accounting software, network login, everything? This question is asking whether you've actually set this up and whether it's working.

⚡
Why This Matters to Your Business

Weak passwords are stolen or guessed thousands of times daily by attackers. A single compromised employee password can give an attacker access to your customer database, bank transactions, or GST/TDS records—leading to data theft, regulatory fines under the DPDP Act, and loss of customer trust. For example, a Delhi-based jewellery e-commerce business was breached in 2022 when an accountant's password (her name + 123) was guessed, exposing 50,000 customer credit card details and resulting in ₹8 lakh in fraudulent charges and loss of customer confidence. Insurance claims and audit findings often cite weak passwords as the root cause, making this a frequent reason for failed compliance audits.

📊
What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You have no password requirements at all—employees can log in with 'abc' or '1234' or leave the field blank. No IT policies exist and passwords are written on sticky notes on desk monitors.

Level 1
Initial

You've mentioned to staff that passwords should be 'strong' but there are no technical rules enforced by the system itself. Some people use good passwords, others still use 'password123' or their name, and nothing stops them.

Level 2
Developing

Your email and main accounting software enforce a minimum password length (e.g., 8 characters) and require a mix of letters and numbers, but older systems like WiFi or file server don't have this rule. You have a password policy written down but nobody checks if it's being followed.

Level 3
Defined

All systems enforce strong password rules (minimum 12 characters, uppercase, lowercase, numbers, symbols) and require password changes every 90 days. You have a documented password policy signed by management, and IT reviews password strength during onboarding.

Level 4
Managed

Password rules are enforced across all systems including WiFi, printers, and third-party applications. You use a password manager for critical accounts, audit logs show password change history, and new employees must sign a password security acknowledgment. IT proactively monitors for weak passwords quarterly.

Level 5
Optimised

Multi-factor authentication (MFA) is enabled on all critical systems and email, eliminating password-only attacks entirely. A password manager is mandatory for all staff, password strength is audited continuously via automation, and you conduct annual penetration testing to verify nobody can break in with brute-force attacks.

🚀
How to Move Up — Practical Steps
Step | What to Do | Who | Effort
0 → 1 | Write a simple one-page password policy requiring minimum 8 characters, at least one number, and one capital letter. Distribute it via email and get signed acknowledgment from all staff. | Owner or IT person | 1 day
1 → 2 | Enable password complexity rules in your accounting software, email, and WiFi router settings. Test that the system rejects simple passwords like '123456' or 'welcome'. | IT person or software admin | 2-3 days
2 → 3 | Upgrade the password policy to require 12+ characters including uppercase, lowercase, number, and symbol. Set all systems to enforce 90-day password expiry. Document the policy in writing and get management approval. | IT person with owner sign-off | 2-4 weeks
3 → 4 | Deploy a password manager (e.g., Bitwarden) or configure one in your domain management. Set up monthly scripts to audit weak passwords and non-compliant accounts. Train all staff on password manager use. | IT person or external consultant | 1-2 months
4 → 5 | Roll out MFA on email, VPN, and all critical business applications using TOTP or hardware keys. Conduct an annual security assessment and penetration testing to verify password policy effectiveness. | IT person with external security professional | Ongoing quarterly reviews and annual penetration tests
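The 2 → 3 and 3 → 4 steps above call for a policy of 12+ characters with mixed character classes, 90-day expiry, and a recurring audit script. The block below is an added illustration (not code from the NIRMATA guide or its tools) of what such an audit check can do: it tests a password against the Level 3 rules and the "Month123" pattern from the pitfalls section, checks password age, and shows the Have I Been Pwned k-anonymity lookup, where only the first five characters of the SHA-1 hash ever leave your network. The range response embedded here is a constructed sample, not a real API reply.

```python
import hashlib
import re
from datetime import date, timedelta

# Level 3 rules from the guide: 12+ characters, upper, lower, digit, symbol, 90-day expiry.
MIN_LENGTH = 12
MAX_AGE_DAYS = 90
MONTHS = ("jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec")
# "Dec123"-style passwords called out under Common Pitfalls: month name, then digits.
MONTH_PATTERN = re.compile(r"^(" + "|".join(MONTHS) + r")[a-z]*\d+$", re.IGNORECASE)

def policy_failures(password: str, username: str = "") -> list[str]:
    """Return every Level 3 rule the password breaks; an empty list means compliant."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        failures.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        failures.append("no lowercase letter")
    if not re.search(r"\d", password):
        failures.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no symbol")
    if username and username.lower() in password.lower():
        failures.append("contains the username")
    if MONTH_PATTERN.match(password):
        failures.append("predictable month+digits pattern")
    return failures

def is_expired(last_changed: date, today: date) -> bool:
    """True once a password is older than the 90-day expiry rule."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)

def hibp_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the SHA-1 hash: only the 5-char prefix is sent to HIBP, the suffix stays local."""
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return sha1[:5], sha1[5:]

# Constructed sample of a Pwned Passwords range reply ("SUFFIX:COUNT" per line); the
# first suffix is the real SHA-1 tail of "password", the counts are made up.
SAMPLE_RANGE_RESPONSE = """1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E4C9B93F3F0682250B6CF8331B7EE68FD9:2
00000A1B2C3D4E5F60718293A4B5C6D7E8F:1"""

def breach_count(password: str, range_response: str) -> int:
    """Compare the local hash suffix against the range reply; 0 means not found."""
    _, suffix = hibp_prefix_suffix(password)
    for line in range_response.splitlines():
        line_suffix, _, count = line.strip().partition(":")
        if line_suffix == suffix:
            return int(count)
    return 0
```

Running policy_failures over the accounts exported from your directory gives the "accounts checked / passed / failed" figures the evidence section asks for.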
📁
Evidence You Should Have

Documents and records that prove your maturity level.

  • Written and signed password policy document dated and approved by management, specifying minimum length (12+), complexity (uppercase, lowercase, number, symbol), and expiry rules (90 days)
  • Screenshot or configuration report from your email system (Gmail, Outlook, etc.) showing password complexity rules are enforced
  • Screenshot or configuration report from your main business application (accounting, ERP, CRM) showing password rules are active
  • Staff acknowledgment record—email confirmations or signed forms showing employees received and understood the password policy
  • Password audit report from your IT person showing compliance check results (date, how many accounts checked, how many passed/failed)
🔍
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Show me your current password policy. When was it last reviewed and updated?"
  • "Log into your email system and demonstrate that the system rejects a password like 'Test123'—what rules are actually enforced?"
  • "How do you ensure employees follow this policy? Do you audit passwords, and if so, how often and with what results?"
  • "If an employee forgets their password, how does your system verify their identity before resetting it? Can you show me that process?"
  • "Do all systems (email, accounting, WiFi, servers, applications) have the same password rules, or do some systems allow weak passwords?"
🛠
Tools That Work in India
Purpose | Free Option | Paid Option
Set up and enforce strong password rules across Windows computers | Windows Group Policy (built into Windows Server; free if you already have a server) | Microsoft Entra ID/Azure AD (₹400-2000/user/year, minimum 5 users)
Securely store and manage passwords so employees don't reuse weak passwords | Bitwarden (free version, ₹0 per user; good for small teams) | LastPass (₹1200-2000/user/year) or 1Password (₹3500-4500/user/year)
Check if passwords are in known breach databases and flag weak passwords | Have I Been Pwned API (free, requires technical setup) or integrated into Bitwarden | Specops uReset or KeePass with plugins (₹50,000-200,000/year)
Add a second layer of protection beyond passwords | Google Authenticator or Microsoft Authenticator apps (free to use; requires a compatible email/system) | Okta or Duo Security (₹100,000-500,000/year depending on users)
Audit which staff members have weak passwords and when they last changed them | Manual check using built-in OS tools (net user command on Windows) or a simple spreadsheet | Netwrix Auditor (₹200,000-400,000/year) or ManageEngine ADManager Plus (₹150,000-300,000/year)
🛡
How This Makes You More Resilient
When strong passwords are enforced, the most common attack vector—guessing or stealing simple passwords—becomes impractical for attackers, meaning your customer data and financial records are far less likely to be breached through a careless login. This directly reduces the risk of regulatory fines under the DPDP Act, insurance claim denials, and the operational chaos that follows a data breach (customers calling, compliance investigations, credit card chargebacks). You'll also pass customer security audits and RFQ questionnaires more easily, protecting your reputation and future business.
⚠️
Common Pitfalls in India
  • Setting a password policy but not enforcing it technically—staff ignore it because the system accepts weak passwords, and IT never audits. You'll appear to pass the audit but have no real protection.
  • Forcing password expiry every 30 days without a password manager—employees write passwords on sticky notes, share them via WhatsApp, or use predictable patterns (Month123, Dec123, etc.) making passwords easier to crack.
  • Enforcing strong passwords only on email and accounting software but ignoring WiFi, file servers, or legacy systems—attackers compromise the weakest link, often the WiFi password which is 'welcome123' and posted on the office door.
  • Not training staff on why strong passwords matter—employees view it as IT bureaucracy and reuse the same password across multiple systems, so one breach exposes everything.
  • Assuming customer-provided credentials (GST portal, bank portals, government systems) are secure—many Indian government portals have weak authentication, so don't rely on them; protect your own systems with strong passwords.
⚖️
Compliance References
Standard | Relevant Section
DPDP Act 2023 | Section 8(2)(f) and Schedule 2 (Reasonable Security Practices)—requires appropriate technical and organizational measures to secure personal data, including access control via strong authentication
CERT-In 2022 Guidelines | Rule 4(d) on 'Information Security Practices and Procedures'—mandates strong password policies for all connected systems
ISO 27001:2022 | Annex A.5.3 (Access control), Annex A.9.2 (User access management), and Annex A.9.4 (Access rights review)—requires authentication mechanisms and strong password controls
NIST CSF 2.0 | Govern (GV.AC-1) and Protect (PR.AC-1)—emphasizes identity and access management as a foundation of security governance


TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security
