👋 Calling all Head Start and CAP agencies! Make the switch to GoEngage or Contact Sales: (800) 473-4780


Technology, Compliance

Passwords 101: Best Practices for What Your Password Policy Should Include


By

Michael Ma

Jun 2, 2025


Helping Your Agency Choose the Right Settings in GoEngage

In a world where cyber threats are increasingly sophisticated, and sensitive data is constantly in motion, strong password practices are no longer optional—they’re essential not just for individual protection, but to safeguard sensitive Personally Identifiable Information (PII) and Protected Health Information (PHI). For Head Start and Community Action agencies using GoEngage, password security isn’t just about individual safety—it’s about protecting family data, program integrity, and federal compliance.

GoEngage provides flexible options for password requirements, allowing each agency to define the right level of security for their teams. But how do you decide which settings are right for you?

Here’s what to consider—and how to implement password hygiene best practices across your organization.

1. Encourage Strong Passwords by Default

While GoEngage allows you to customize password strength, we recommend enabling these minimum standards:

  • At least 8–12 characters in length

  • A combination of upper- and lowercase letters

  • At least one number and one special character

  • No reuse of previous passwords

These rules may seem simple, but they make password-guessing attacks significantly harder—and encourage users to think before creating a password like “123456.”

GoEngage Tip: GoEngage Admins can enable or require password complexity from your system settings under the Password Policy section to meet your agency’s internal security guidelines.

2. Require Regular Password Updates

Requiring users to change their passwords periodically reduces the risk of long-term credential exposure. While there’s no one-size-fits-all timeline, a 90- to 180-day reset policy is considered a healthy standard.

  • Prompt users with reminders as the deadline approaches

  • Avoid enforcing password changes too frequently (e.g., every 30 days), which may encourage weak or repeated passwords

Keeping updates reasonable encourages users to create stronger, memorable passwords.

3. Protect Against Unauthorized Access with GoEngage’s Login Security Features

Beyond password strength, GoEngage proactively monitors suspicious login behavior:

  • Automatic Account Lockout: After five consecutive failed login attempts, a user's account is automatically disabled to block potential hacking attempts.

  • Failed Login Monitoring: Admins can review unsuccessful login attempts anytime under System >> Monitor Consecutive Failed Login Attempts.

  • Email Alerts: Agencies can set up email notifications to immediately alert IT teams when unusual login patterns are detected.

Why it matters: These safeguards ensure that attackers can’t endlessly guess passwords—and your agency gets real-time visibility into possible breach attempts.

Pro Tip: Make it a habit to periodically review the failed login attempt reports and fine-tune your alert settings based on your agency’s risk profile.
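The "five consecutive failed attempts" rule above, replayed over a few login events as an added example (not GoEngage's own code). The event list, field layout and alert labels are constructed for illustration; the example shows that a successful login resets the streak and that a disabled account refuses even a correct password.

```python
from collections import defaultdict

LOCKOUT_THRESHOLD = 5  # "five consecutive failed login attempts" per the article

# Constructed sample events: (time, username, source IP, password_correct)
EVENTS = [
    ("09:00:01", "jdoe", "203.0.113.7", False),
    ("09:00:05", "jdoe", "203.0.113.7", False),
    ("09:00:09", "jdoe", "203.0.113.7", True),      # success resets the streak
    ("09:01:00", "jdoe", "203.0.113.7", False),
    ("09:02:00", "asmith", "198.51.100.4", False),
    ("09:02:03", "asmith", "198.51.100.4", False),
    ("09:02:06", "asmith", "198.51.100.4", False),
    ("09:02:09", "asmith", "198.51.100.4", False),
    ("09:02:12", "asmith", "198.51.100.4", False),  # fifth in a row: disabled
    ("09:02:15", "asmith", "198.51.100.4", True),   # correct password, still refused
]


def replay(events, threshold=LOCKOUT_THRESHOLD):
    """Replay login events in order.

    Returns (disabled accounts with the time of lockout,
             current failure streak per user,
             alerts an admin or IT mailbox would receive).
    """
    streak = defaultdict(int)   # consecutive failures per account
    disabled = {}               # username -> time the account was disabled
    alerts = []
    for when, user, ip, ok in events:
        if user in disabled:
            # Once disabled, no credential check is honoured at all.
            alerts.append((when, user, ip, "attempt_on_disabled_account"))
            continue
        if ok:
            streak[user] = 0    # "consecutive" means a success clears the count
            continue
        streak[user] += 1
        if streak[user] == threshold:
            disabled[user] = when
            alerts.append((when, user, ip, "account_disabled"))
    return disabled, dict(streak), alerts


if __name__ == "__main__":
    disabled, streak, alerts = replay(EVENTS)
    print("disabled:", disabled)
    print("streaks:", streak)
    for alert in alerts:
        print("ALERT", *alert)
```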

4. Avoid Common Password Pitfalls

Help your staff avoid easy-to-guess credentials by educating them on risky behavior such as:

  • Using personal information (e.g., birthdays or children’s names)

  • Reusing the same password across systems

  • Writing passwords down on sticky notes or saving them in unprotected files

Best Practice: Offer an annual cybersecurity training or refresher to reinforce awareness and responsible behavior.

5. Recommend (or Require) Multi-Factor Authentication (MFA)

Even strong passwords can be compromised. That’s why multi-factor authentication is one of the most effective ways to safeguard access—especially for users with elevated permissions.

While MFA is optional in GoEngage, enabling it for administrators, data managers, and other high-access roles is a smart step toward better security.

GoEngage allows flexible MFA options, including requiring MFA when:

  • The browser changes

  • The user's IP address changes

  • The user resets their password

GoEngage Tip: You can enable MFA to be required outright, or only under conditions such as a change in the user’s browser or IP address.

6. Promote Clean Password Hygiene Habits

Password hygiene isn’t just about strength—it’s about behavior. Encourage these best practices throughout your agency:

  • Never share passwords—even with coworkers

  • Use a secure, encrypted password manager when needed

  • Avoid logging in on public or shared computers

  • Immediately update passwords if there's any suspicion of compromise

Good hygiene habits close the human gap that hackers often exploit.

Choosing the Right Settings in GoEngage

GoEngage gives administrators the flexibility to customize password settings based on your agency’s security needs. Here’s what you can configure:

  • Password Length Requirements

    • System Administrator Passwords: Minimum character requirements

    • Common User Passwords: Minimum character requirements

  • Character requirements: uppercase, lowercase, number, and special character

  • Password history: prevent reuse of previous passwords up to [user defined] generations (e.g., 15 previous versions)

  • Expiration policy: set passwords to expire automatically (e.g., every 90 days)

  • Reset link validity: control how long reset links stay active (e.g., 24 hours)

Every agency can (and should) enable these settings based on their staffing models, technology access, and compliance expectations.
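As an added example (not GoEngage's code or API), the settings listed above expressed as a policy check. The field names, the admin/user length split of 12 and 8, and the PBKDF2 parameters are assumptions; the history check compares against stored salted hashes, so previous passwords never need to be kept in plaintext.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class PasswordPolicy:
    # Hypothetical field names; values follow the article's examples.
    min_length_admin: int = 12      # assumed split of the "8-12 characters" guidance
    min_length_user: int = 8
    history_generations: int = 15   # "e.g., 15 previous versions"
    max_age_days: int = 90          # "e.g., every 90 days"


CLASSES = [("uppercase", r"[A-Z]"), ("lowercase", r"[a-z]"),
           ("number", r"[0-9]"), ("special", r"[^A-Za-z0-9]")]


def hash_password(password, salt=None):
    """Return (salt, digest); this pair is what a history table would store."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def violations(password, role, history, policy=PasswordPolicy()):
    """List every rule the candidate password breaks (empty list = accepted)."""
    problems = []
    min_len = policy.min_length_admin if role == "admin" else policy.min_length_user
    if len(password) < min_len:
        problems.append("too_short")
    for name, pattern in CLASSES:
        if not re.search(pattern, password):
            problems.append("missing_" + name)
    # Only the most recent N generations count; re-hash with each stored salt.
    for salt, digest in history[-policy.history_generations:]:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            problems.append("reused")
            break
    return problems


def is_expired(last_changed, now, policy=PasswordPolicy()):
    return now - last_changed > timedelta(days=policy.max_age_days)


if __name__ == "__main__":
    past = [hash_password("Spring2024!x"), hash_password("Summer2024!x")]  # constructed
    print(violations("Spring2024!x", "user", past))
    print(violations("Tr1cky-pw", "admin", past))
    print(is_expired(datetime(2025, 1, 1), datetime(2025, 4, 2)))
```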

Final Thought: Security Starts With You

In protecting sensitive family records—including PII and PHI—strong password policies are critical, but they’re only part of the equation. Pairing robust password rules with account lockout protections, failed login monitoring, and MFA dramatically enhances your agency's cybersecurity readiness.

GoEngage gives you the tools. The best practices are up to you.


Michael Ma: Visionary CEO/CTO of Cleverex Systems

Michael Ma is the CEO and CTO of Cleverex Systems, the creator of GoEngage, where he combines strategic leadership with cutting-edge technology to deliver innovative solutions for Head Start programs nationwide. With a deep understanding of software development and a passion for creating impactful tools, Michael has spearheaded the evolution of GoEngage into a comprehensive platform that streamlines operations and empowers agencies to better serve children and families.

Under Michael’s leadership, Cleverex Systems has become a trusted partner for Head Start programs, known for its agility, user-centric design, and unwavering commitment to excellence. His ability to merge technical expertise with a forward-thinking vision continues to drive meaningful change in early childhood education and program management.
