For years, a client I’ve recently picked up unknowingly walked a cybersecurity tightrope. Their password policy, or rather the lack thereof, left them exposed to significant risks. Users were allowed to have passwords as short as seven characters, and to make matters worse, passwords never expired AND users were prevented from changing their passwords. In today’s digital landscape, where credential compromise is one of the leading causes of breaches, this was a ticking time bomb waiting to explode.
The Hidden Exposure
When I stepped in to uplift their security posture, I found that they had been operating under a dangerously lenient system. Weak passwords meant that even basic brute-force attacks could easily crack credentials. The lack of expiration meant that compromised passwords from years ago might still be valid today. Combine this with the human tendency to reuse passwords across multiple platforms, and the business had been skating on thin ice for far too long.
I ran security assessments to analyse their risk, and the results were alarming. Many accounts had passwords that hadn’t been changed in years. Some of these passwords likely existed in public credential dumps due to past third-party breaches. The company had been lucky—but luck isn’t a security strategy.
The Security Overhaul
To address this, we rolled out a comprehensive password policy uplift for 70 of their 100 users as a first phase. This included:
- Minimum 10-character passwords (I requested 12 but settled on 10)
- Complexity enforcement (mix of uppercase, lowercase, numbers, and symbols)
- Password expiration every 179 days
- Blocking old passwords from being reused
- Multi-factor authentication (MFA) enablement for key personnel (that’s the next project)
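The bullets above map directly onto a fine-grained password policy (PSO) applied to a security group, which is how a first phase covering 70 of 100 users can be scoped without touching the Default Domain Policy. The script below is an added example and is not the post's own script: the PSO name `Phase1-PasswordUplift`, the group name `Phase1-PasswordUplift-Users`, and the history and lockout values are assumptions, while the 10-character minimum, complexity requirement and 179-day expiry are the post's figures. A PSO needs a domain functional level of Windows Server 2008 or later, and where several PSOs apply to one user the lowest Precedence wins, so the script checks the resultant policy per member rather than assuming. One caveat worth stating beside the list: current NIST SP 800-63B guidance favours screening new passwords against breached-password lists (the exposure the assessment above identified) over forced periodic rotation, so a fixed expiry is best treated as a transitional control.

```powershell
# Added example: scope the uplift policy to one group with a fine-grained password policy (PSO).
# Requires the ActiveDirectory module (RSAT) and Domain Admin or suitably delegated rights.
Import-Module ActiveDirectory

$PolicyName = 'Phase1-PasswordUplift'        # assumed PSO name
$GroupName  = 'Phase1-PasswordUplift-Users'  # assumed group holding the first 70 users

# Create the policy once. Length, complexity and expiry are the post's figures;
# the history count and lockout settings are assumed values.
# MinPasswordAge of one day stops a user cycling straight back to the old password.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PolicyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PolicyName `
        -Precedence 10 `
        -MinPasswordLength 10 `
        -ComplexityEnabled $true `
        -MaxPasswordAge (New-TimeSpan -Days 179) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -PasswordHistoryCount 24 `
        -LockoutThreshold 10 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false `
        -ProtectedFromAccidentalDeletion $true
}

# Apply it to the pilot group; AD resolves the PSO per user through group membership.
Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $GroupName

# Verify what each member actually gets. Get-ADUserResultantPasswordPolicy returns
# nothing when no PSO applies, in which case the Default Domain Policy is in force.
$defaultPolicy = Get-ADDefaultDomainPasswordPolicy
Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object {
        $rsop = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        [pscustomobject]@{
            User            = $_.SamAccountName
            ResultantPolicy = if ($rsop) { $rsop.Name } else { 'Default Domain Policy' }
            MinLength       = if ($rsop) { $rsop.MinPasswordLength } else { $defaultPolicy.MinPasswordLength }
            MaxAgeDays      = if ($rsop) { $rsop.MaxPasswordAge.Days } else { $defaultPolicy.MaxPasswordAge.Days }
        }
    } | Format-Table -AutoSize
```

Any member whose resultant policy is not `Phase1-PasswordUplift` either belongs to another PSO with a lower Precedence number or is not actually in the group; both are worth finding before users are told the new rules apply to them.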
Sounds simple, right? Not quite. The implementation came with its own set of challenges. Most users were outright blocked from changing their passwords due to long-standing restrictions. Some accounts had “User cannot change password” flags enabled, along with “Password Never Expires”—a legacy configuration that had gone unchanged for years.
The Roadblocks and Fixes
I had to dive deep into Active Directory to resolve these issues. Using PowerShell, I identified affected accounts and systematically removed these outdated restrictions. Additionally, I found some users were locked out due to previous failed attempts, further complicating the rollout. A combination of manual interventions and automation helped smooth out the transition.
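The audit-then-fix loop described above, as an added example that is not the post's own script: it lists enabled accounts that carry the "User cannot change password" or "Password Never Expires" flags, have not changed their password in a long time, or are currently locked out, then clears the flags and unlocks accounts with `-WhatIf` support so the run can be rehearsed. The `StaleDays` threshold, the exclusion list and the CSV path are assumptions. Two caveats a practitioner will want: clearing `PasswordNeverExpires` keeps the old `PasswordLastSet` timestamp, so any password older than the policy's maximum age expires at the next logon and the user is forced to change it immediately, and accounts that carry service principal names are usually service accounts whose password changes need to be coordinated with whatever depends on them, so the script reports them and skips them.

```powershell
# Added example: find and clear the legacy flags that blocked the rollout, then unlock
# accounts that had tripped the lockout threshold. Run with -WhatIf first.
Import-Module ActiveDirectory

function Get-PasswordUpliftBlocker {
    param(
        [string]$SearchBase,                       # optional OU distinguished name; assumed
        [int]$StaleDays = 365,                     # assumed threshold for "not changed in years"
        [string[]]$ExcludeSamAccountName = @()     # break-glass or known service accounts to leave alone
    )
    $params = @{
        Filter     = 'Enabled -eq $true'
        Properties = 'PasswordLastSet', 'PasswordNeverExpires', 'CannotChangePassword',
                     'LockedOut', 'ServicePrincipalNames'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Get-ADUser @params |
        Where-Object { $ExcludeSamAccountName -notcontains $_.SamAccountName } |
        ForEach-Object {
            # PasswordLastSet is null when the password was never set or a change is pending.
            $stale = (-not $_.PasswordLastSet) -or ($_.PasswordLastSet -lt (Get-Date).AddDays(-$StaleDays))
            [pscustomobject]@{
                SamAccountName       = $_.SamAccountName
                PasswordLastSet      = $_.PasswordLastSet
                StalePassword        = $stale
                PasswordNeverExpires = $_.PasswordNeverExpires
                CannotChangePassword = $_.CannotChangePassword
                LockedOut            = $_.LockedOut
                # Accounts with SPNs are usually service accounts; their password changes need coordination.
                LikelyServiceAccount = ($_.ServicePrincipalNames.Count -gt 0)
            }
        } |
        Where-Object { $_.StalePassword -or $_.PasswordNeverExpires -or $_.CannotChangePassword -or $_.LockedOut }
}

function Repair-PasswordUpliftBlocker {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(ValueFromPipeline)]$Account)
    process {
        if ($Account.LikelyServiceAccount) {
            Write-Warning "$($Account.SamAccountName) looks like a service account; skipping, handle manually."
            return
        }
        if ($Account.CannotChangePassword -or $Account.PasswordNeverExpires) {
            if ($PSCmdlet.ShouldProcess($Account.SamAccountName, 'Clear CannotChangePassword / PasswordNeverExpires')) {
                # Caveat: the old PasswordLastSet is kept, so a password older than MaxPasswordAge
                # is expired immediately and the user must change it at next logon. Warn them first.
                Set-ADUser -Identity $Account.SamAccountName -CannotChangePassword $false -PasswordNeverExpires $false
            }
        }
        if ($Account.LockedOut) {
            if ($PSCmdlet.ShouldProcess($Account.SamAccountName, 'Unlock account')) {
                Unlock-ADAccount -Identity $Account.SamAccountName
            }
        }
    }
}

# Record the before-state, rehearse with -WhatIf, then run for real.
$blockers = Get-PasswordUpliftBlocker -StaleDays 365 -ExcludeSamAccountName 'svc_backup', 'breakglass'
$blockers | Export-Csv -Path .\password-uplift-audit.csv -NoTypeInformation
$blockers | Repair-PasswordUpliftBlocker -WhatIf
# $blockers | Repair-PasswordUpliftBlocker
```

An account that locks again shortly after being unlocked usually has a stale credential cached somewhere (a mapped drive, a scheduled task, a phone mail profile) rather than an attacker guessing; the lockout source on the PDC emulator's Security log is the place to look before unlocking it a second time.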
At the same time, I had to work closely with leadership to ensure that users understood the changes. Resistance was expected; after all, many employees had enjoyed the convenience of static passwords for years. But security and convenience often sit at opposite ends of the spectrum. I provided clear communication and step-by-step guides to make the transition as seamless as possible.
A Step Toward a Secure Future
This project marks a turning point for the company. By strengthening their password policies, they are no longer relying on outdated security practices. Instead, they are taking proactive steps to safeguard their business, their employees, and their customers.
This is a win, not just for IT but for the entire organisation. Security is no longer an afterthought; it’s a priority. There is certainly a lot more to do for this client, but sometimes you have to take the first step just to get moving; the next step is easier.
If your organisation has been operating with lax password policies, consider this your wake-up call. The threat landscape has changed, and so must we. It’s time to break free from the risky practices of the past and step into a more secure future.
Are you ready to take the next step in your security journey? Let’s talk.