Thu. Jan 26th, 2023

Password policies

Your password policy should balance the need for security with the need for usability. The primary goal of a more secure password system is password diversity: you want the passwords in your organization to be many, varied and hard to guess. The following recommendations help keep your organization as secure as possible.

  • Maintain an 8-character minimum length requirement
  • Don’t impose character-composition requirements (for example, mandating symbols such as *&(^%$)
  • Don’t require mandatory periodic password resets for user accounts
  • Ban common passwords, to keep the most vulnerable passwords out of your system
  • Educate your users not to re-use their organization passwords for non-work purposes
  • Enforce registration for multi-factor authentication
  • Enable risk-based multi-factor authentication challenges
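
As an added illustration of the list above (not code from the original page), a small Python check that enforces the 8-character minimum and the banned-password rule while deliberately leaving out composition and expiry rules; the banned list and the leet-speak normalisation used to catch variants such as "P@ssw0rd123" are constructed assumptions.

```python
import re

MIN_LENGTH = 8

# Constructed sample of a banned-password list (assumption); a real deployment
# would load a much larger list, e.g. from a breach corpus.
BANNED_PASSWORDS = {"password", "qwerty", "letmein", "welcome", "iloveyou", "football"}

# Reverse common substitutions so "P@ssw0rd" normalises to "password"
# (assumed normalisation, not something the page specifies).
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Lower-case, drop trailing digits/symbols, then undo leet substitutions."""
    lowered = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered)  # "p@ssw0rd123" -> "p@ssw0rd"
    return stripped.translate(_LEET)              # "p@ssw0rd"    -> "password"


def check_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if normalize(password) in BANNED_PASSWORDS:
        problems.append("matches a banned common password")
    # Intentionally absent, per the recommendations above: no uppercase/digit/
    # symbol requirement and no expiry check.
    return problems


if __name__ == "__main__":
    for candidate in ["P@ssw0rd123", "short", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate) or "accepted")
```

A long passphrase with no symbols is accepted, while a disguised variant of a banned word is rejected despite satisfying every classic composition rule.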

For a full document, please read this link.