Following a risk analysis, and upon the choice of a risk framework and definition of security policies, a password policy can be derived. 

The password policy is to be set up by organizations, both end user organizations manufacturers and digital platform and system providers.

Password policies should at least include :
- strong passwords or passphrases
- users to regularly update their passwords
- advise the use of multifactor (use an additional authentication device)

Digital Platform providers should provide a mechanism for single sign on or federated authentication, allowing for passwords not to be stored into the platform itself, but by accepting tokens from third party suppliers.