• Passwords should be strong. This means they are at least eight characters and include multiple character types, such as uppercase, lowercase, numbers, and symbols.
• Passwords should be changed regularly. Users should be forced to change their passwords on a regular basis by setting maximum password ages, or password expiration times.
• Passwords should not be reused. Password histories prevent users from using the same passwords repeatedly.
• Default passwords should be changed. If a system comes with a default password, that default password should be changed before the system is brought into service.
• Passwords should not be written down. If the password absolutely must be written down, store it in a safe (not just a safe place).
• Passwords should not be shared. Only one person should know the password to any single account. If an administrator resets a password, the password should be set to expire immediately. This requires users to reset the password the first time they log on.
• Account lockout policies should be used. If a user enters the wrong password too many times, an account lockout policy locks the account. This prevents password guessing attempts.
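As an added example (not from the text above), the following Python models these rules for a single account: the strength check, a password history, an administrator reset that expires the password immediately, a maximum password age, and account lockout after repeated wrong passwords. The thresholds (eight characters, three of four character types, five remembered passwords, five failed attempts, 90-day maximum age) and the PBKDF2 iteration count are assumptions chosen for the example.

```python
import hashlib, hmac, os, string
from dataclasses import dataclass, field

# Thresholds are constructed for this example; take real values from your own policy.
MIN_LENGTH, MIN_CLASSES = 8, 3           # "multiple character types" read as 3 of the 4 below
HISTORY_DEPTH, LOCKOUT_THRESHOLD, MAX_AGE_DAYS = 5, 5, 90
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation)

def check_complexity(pw):
    """Return the reasons a candidate fails the strength rule (empty list = passes)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    kinds = sum(any(c in cls for c in pw) for cls in CLASSES)
    if kinds < MIN_CLASSES:
        problems.append(f"only {kinds} character type(s), need {MIN_CLASSES}")
    return problems

def _digest(pw, salt):
    # Low iteration count keeps the example fast; production settings are far higher.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 20_000)

@dataclass
class Account:
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    current: bytes = b""                         # hash of the active password
    history: list = field(default_factory=list)  # hashes of earlier passwords, newest last
    failures: int = 0                            # consecutive wrong passwords
    set_on_day: int = 0                          # day the current password was set

    def set_password(self, new_pw, today, admin_reset=False):
        """Enforce strength and history; an admin reset backdates the age so it expires at once."""
        problems = check_complexity(new_pw)
        new = _digest(new_pw, self.salt)
        if any(hmac.compare_digest(new, old) for old in self.history + [self.current]):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
        if problems:
            return problems
        self.history = ([*self.history, self.current] if self.current else [])[-HISTORY_DEPTH:]
        self.current, self.set_on_day = new, today - MAX_AGE_DAYS if admin_reset else today
        return []

    def login(self, pw, today):
        if self.failures >= LOCKOUT_THRESHOLD:    # lockout persists until an administrator clears it
            return "locked"
        if not hmac.compare_digest(_digest(pw, self.salt), self.current):
            self.failures += 1
            return "locked" if self.failures >= LOCKOUT_THRESHOLD else "denied"
        self.failures = 0
        return "change-required" if today - self.set_on_day >= MAX_AGE_DAYS else "ok"
```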