Boston Venture Capital Operational Support – The Password Policy


Is a password policy a good or bad thing to have?

Information systems support teams in large and small venture capital firms often have a stringent password policy requiring all employees to create a new secure password every 30, 60 or 90 days. They frequently give strict guidelines that must be followed, such as:

  • Must have both capital and lower-case letters
  • Must contain both letter and numbers
  • Must not be an actual word in the dictionary

To answer the very first question, yes a password policy is a good thing to have. A password is the first line of defense against the unauthorized use of your computer, data and network.

As an employee, a password policy can be a complete pain and feel like a waste of time. Password policies also raise questions of trust and can sometimes be ambiguous. Can I let other employees use my computer to get information if I am not there to help them? What if my password is already highly secure? Do I need to change the password in every program that I have a password for? Should I only change the network password? How am I going to remember a new password every 60 days?

The whole point of having a password is to make your information more secure. If you have a highly secure password that you have not written down, nor shared with anyone, you should not have to change it often. Here are suggestions to keep your password secure:

  • Never share your password with anyone
  • Never save a password when prompted by your browser or any other programs
  • Never send your password through email
  • Never write your password down
  • Use different passwords for different programs

If you want to check and see if your password is secure, you can check out Microsoft Online Safety password strength checker.

So, a password policy is a good thing, especially if you are one of the top venture capital firms. I do however think that if you create a secure password, you should not have to change it every 30, 60 or 90 days. I think creating a secure password that passes as ‘very strong’ in a password strength checker and changing it every 6 months should be sufficient if you follow the above security protocol.