Password policies
Your password policy should balance the need for security with the need for usability.
The primary goal of a more secure password system is password diversity. You want your password policy to result in lots of different, hard-to-guess passwords. Here are a few recommendations for keeping your organization as secure as possible.
- Maintain an 8-character minimum length requirement
- Don’t impose character composition requirements, for example requiring characters such as *&(^%$
- Don’t require mandatory periodic password resets for user accounts
- Ban common passwords, to keep the most vulnerable passwords out of your system
- Educate your users not to reuse their organization passwords for non-work-related purposes
- Enforce registration for multi-factor authentication
- Enable risk-based multi-factor authentication challenges
For a full document, please read this link.
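An added example, not part of the original guidance: a Python check that applies the 8-character minimum and the common-password ban from the list above while imposing no composition rule. The ban list, the look-alike substitution table and all function names are assumptions made for illustration.

```python
import unicodedata

MIN_LENGTH = 8  # minimum length recommended in the list above

# Constructed sample ban list (assumption); real lists are far larger and
# usually include organization-specific terms.
BANNED = {"password", "qwerty", "letmein", "welcome", "examplecorp"}

# Look-alike substitutions undone before matching (assumed, not exhaustive).
LOOKALIKES = str.maketrans("@40!13$57", "aaoilesst")

def fold(password):
    """Fold Unicode compatibility forms (e.g. full-width letters) and case."""
    return unicodedata.normalize("NFKC", password).casefold()

def strip_affixes(text):
    """Drop leading/trailing non-letters: 'welcome2024!' -> 'welcome'."""
    start, end = 0, len(text)
    while start < end and not text[start].isalpha():
        start += 1
    while end > start and not text[end - 1].isalpha():
        end -= 1
    return text[start:end]

def is_banned(password, banned=BANNED):
    """True if the password, or its core without affixes, is a banned term."""
    folded = fold(password)
    candidates = {folded.translate(LOOKALIKES),
                  strip_affixes(folded).translate(LOOKALIKES)}
    return not candidates.isdisjoint(banned)

def violations(password, banned=BANNED):
    """Return policy violations; no character-composition rule is applied."""
    found = []
    if len(password) < MIN_LENGTH:
        found.append("too_short")
    if is_banned(password, banned):
        found.append("banned")
    return found

if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ["P@ssw0rd1!", "Welcome2024", "correct horse battery staple"]:
        print(repr(sample), violations(sample))
```

The first two samples satisfy a typical composition rule yet are rejected by the ban check, while the all-lowercase passphrase is accepted.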