
Password policies

Passwords are an important aspect of computer security. A poorly constructed, weak password may result in unauthorized access to or exploitation of an organization's IT resources. This password construction guideline applies to all passwords, including (but not limited to) user-level accounts, system-level accounts, web accounts, email accounts, and local router logins. On a Windows system, you can run secpol.msc from the Command Prompt to open the Local Security Policy console and review these settings.

Strong passwords have the following characteristics:

  • They contain at least twelve alphanumeric characters
  • They contain both upper and lowercase letters
  • They contain at least one number (for example, 0-9)
  • They contain at least one special character (for example, !$%^*()_+|~-=\`{}[]:";'?,/)

The following are some of the password policies we must remember:

  • Protect your password: It is very challenging to remember your password without writing it down somewhere, so choose a strong password or passphrase that you will easily remember. If you have a lot of passwords, you can use password management tools or vaults, but make sure you choose a strong master key and remember it. Change your password periodically. Even if it hasn't been compromised, you can set a policy to change the password every 90 days, as a standard guideline. Do not use the same password for multiple websites containing sensitive information.
  • Set a lockout policy: We've all forgotten a password at some point, and it has taken a few tries to get back into the system. However, you should set an acceptable number of unsuccessful login attempts that, when exceeded, will lock the user out. This will protect your system from any type of brute-force attack.
  • Enforce password history: This security setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. The value must be between zero and twenty-four passwords on domain controllers.
  • Minimum password age: This setting determines the minimum number of days a password must be in use before it can be changed. Only when the minimum password age expires are users allowed to change their password. This ensures that users don't change their password too often. The value can be set between zero and nine hundred and ninety-nine days. The default value is one for domain controllers and zero for standalone servers.
  • Minimum password length: This setting determines the minimum number of characters a password should contain. The value can be set between zero and fourteen. The default value is seven on domain controllers and zero on standalone servers.
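
The settings above can be audited offline once the local policy has been exported to a text file. The following Python sketch is an added example, not code from the book: it assumes an export made with `secedit /export /cfg`, and the sample file, the `audit_policy` function and the thresholds (12 characters, 90 days, history and lockout enabled) are constructed here from the guidance on this page.

```python
import configparser

# Constructed sample of the [System Access] section of a file produced by
# `secedit /export /cfg policy.inf` (real exports are UTF-16 encoded).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 0
LockoutBadCount = 0
"""

# (key, predicate, requirement). Thresholds are assumptions taken from the
# guidance above: 12+ characters, 90-day rotation, history and lockout enabled.
CHECKS = [
    ("MinimumPasswordLength", lambda v: v >= 12, "at least 12 characters"),
    ("MaximumPasswordAge", lambda v: 1 <= v <= 90, "expire within 90 days"),
    ("MinimumPasswordAge", lambda v: v >= 1, "at least 1 day before change"),
    ("PasswordHistorySize", lambda v: 1 <= v <= 24, "remember 1-24 passwords"),
    ("PasswordComplexity", lambda v: v == 1, "complexity enabled"),
    ("LockoutBadCount", lambda v: v >= 1, "lockout threshold set"),
]

def audit_policy(inf_text):
    """Return a list of (setting, found_value, requirement) for each failure."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the INF key casing
    parser.read_string(inf_text)
    section = parser["System Access"] if parser.has_section("System Access") else {}
    findings = []
    for key, ok, requirement in CHECKS:
        raw = section.get(key)
        try:
            value = int(raw)
        except (TypeError, ValueError):
            findings.append((key, raw, requirement))  # missing or non-numeric
            continue
        if not ok(value):
            findings.append((key, value, requirement))
    return findings

if __name__ == "__main__":
    for key, value, requirement in audit_policy(SAMPLE_INF):
        print(f"FAIL {key}={value!r}: expected {requirement}")
```

A `MaximumPasswordAge` of `-1` in an export means the password never expires, so it fails the 90-day check along with `0`.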