Password Policy
Establishing a robust password policy is essential for protecting user accounts and organizational data. Below are the recommended standards and best practices.
Length
Minimum 12 characters. Longer passwords increase entropy.
Complexity
- At least one uppercase letter (A-Z)
- At least one lowercase letter (a-z)
- At least one digit (0-9)
- At least one special character (!@#$%^&*)
Prohibited Elements
- Common words or phrases
- Sequences (e.g., "abcd", "1234")
- Personal information (names, birthdays)
Expiration & Reuse
- Passwords must be changed every 180 days.
- Prevent reuse of the last 5 passwords.
Account Lockout
After 5 failed attempts, lock the account for 30 minutes.
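The lockout rule above, implemented as an added Python example (not code from the policy or from any particular authentication provider). It assumes a per-account counter, an injectable clock so the 30-minute window can be tested without waiting, and an event list standing in for whatever log sink the deployment forwards to its SIEM; all of those are design assumptions, and only the thresholds (5 attempts, 30 minutes) come from the policy.

```python
from __future__ import annotations

import time
from dataclasses import dataclass
from typing import Callable

MAX_FAILED_ATTEMPTS = 5        # policy: lock after 5 failed attempts
LOCKOUT_SECONDS = 30 * 60      # policy: lock for 30 minutes


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: float = 0.0  # epoch seconds; 0.0 means "not locked"


class ManualClock:
    """Constructed stand-in for time.time() so the demo can jump forward in time."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class LockoutPolicy:
    """Per-account failed-attempt counter with a fixed lockout window (assumed design)."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._accounts: dict[str, AccountState] = {}
        # (timestamp, user, outcome) records; a real deployment ships these to its SIEM
        self.events: list[tuple[float, str, str]] = []

    def _state(self, user: str) -> AccountState:
        return self._accounts.setdefault(user, AccountState())

    def is_locked(self, user: str) -> bool:
        return self._clock() < self._state(user).locked_until

    def seconds_remaining(self, user: str) -> float:
        return max(0.0, self._state(user).locked_until - self._clock())

    def attempt(self, user: str, password_ok: bool) -> str:
        """Record one login attempt and return "ok", "failed" or "locked".

        While the account is locked the outcome is "locked" regardless of
        password_ok: a correct password must not end the lockout early.
        """
        st = self._state(user)
        now = self._clock()
        if now < st.locked_until:
            outcome = "locked"
        else:
            if st.locked_until:            # a previous lockout has expired:
                st.locked_until = 0.0      # start a fresh counting window
                st.failed_attempts = 0
            if password_ok:
                st.failed_attempts = 0     # a successful login clears the counter
                outcome = "ok"
            else:
                st.failed_attempts += 1
                if st.failed_attempts >= MAX_FAILED_ATTEMPTS:
                    st.locked_until = now + LOCKOUT_SECONDS
                    outcome = "locked"
                else:
                    outcome = "failed"
        self.events.append((now, user, outcome))
        return outcome

    def lockouts_triggered(self) -> int:
        """Count of lockout events, the kind of number a detection rule would alert on."""
        return sum(1 for _, _, outcome in self.events if outcome == "locked")


if __name__ == "__main__":
    clock = ManualClock(1_000.0)
    policy = LockoutPolicy(clock)
    for _ in range(5):
        print(policy.attempt("alice", password_ok=False))   # failed x4, then locked
    print(policy.attempt("alice", password_ok=True))        # still locked
    clock.advance(LOCKOUT_SECONDS + 1)
    print(policy.attempt("alice", password_ok=True))        # ok
```

A lockout keyed on the username alone means anyone who knows a username can lock it, so this check is normally paired with per-source rate limiting, and a burst of "locked" events across many accounts is worth alerting on as a sign of password spraying.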
Sample Strong Password
V3ry$ecureP@ss123
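The length, complexity, prohibited-element and reuse rules above, implemented as an added Python example (not code from the policy or any product). The common-word denylist is a small constructed one; a deployment would load a real breach corpus. The sequence detector flags any four adjacent characters that step by one in either direction, which matches the policy's own examples ("abcd", "1234"). Password history is stored as salted scrypt digests rather than plaintext; the scrypt parameters and the `personal` attribute list are assumptions for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re
from typing import Iterable, Sequence

MIN_LENGTH = 12          # policy: minimum 12 characters
HISTORY_DEPTH = 5        # policy: prevent reuse of the last 5 passwords
SPECIALS = set("!@#$%^&*")
# Constructed denylist for illustration only.
COMMON_WORDS = {"password", "qwerty", "welcome", "letmein", "admin", "iloveyou"}
# Assumed scrypt parameters: N=2**14, r=8 needs 16 MiB, under hashlib's default limit.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest); the history stores only these, never the plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return salt, digest


def has_sequence(password: str, run: int = 4) -> bool:
    """True if `run` adjacent characters step by exactly +1 or -1 in code-point
    order (case-insensitive), which catches "abcd", "1234" and their reverses."""
    s = password.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def contains_personal_info(password: str, personal: Iterable[str]) -> bool:
    """Case-insensitive substring match against the user's own attributes."""
    low = password.lower()
    return any(len(item) >= 3 and item.lower() in low for item in personal)


def was_recently_used(password: str, history: Sequence[tuple[bytes, bytes]]) -> bool:
    """Re-hash the candidate under each stored salt of the newest HISTORY_DEPTH entries
    (history is ordered oldest to newest)."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(password: str, personal: Iterable[str] = (),
                   history: Sequence[tuple[bytes, bytes]] = ()) -> list[str]:
    """Return every policy violation found; an empty list means the password is acceptable."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not any(ch in SPECIALS for ch in password):
        problems.append("no special character (!@#$%^&*)")
    low = password.lower()
    if any(word in low for word in COMMON_WORDS):
        problems.append("contains a common word")
    if has_sequence(password):
        problems.append("contains a sequence such as abcd or 1234")
    if contains_personal_info(password, list(personal)):
        problems.append("contains personal information")
    if was_recently_used(password, history):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    for pw in ("V3ry$ecureP@ss123", "Password1234!", "Ab1!"):
        print(pw, "->", check_password(pw, personal=["Alice"]) or "OK")
```

Returning the full list of violations rather than stopping at the first lets the enrolment form show the user everything to fix in one pass, and the same function can back a strength meter by reporting how many rules a candidate still fails.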
Implementation Checklist
- Enforce policy via authentication provider.
- Educate users on password creation.
- Provide password strength meter.
- Monitor for compromised credentials.