Password policies are a subset of access controls. Although access to sensitive information on critical information systems is best controlled by strong authentication, reusable passwords may be adequate for controlling access to less sensitive information, as long as robust password policies are in place.
A password policy should include the following items:
- A minimum length for passwords and instructions on acceptable combinations of numbers, letters, and symbols. For example, require a minimum of eight characters and at least one character from each of these categories: alphabetic, numeric, and special characters. Users should also be cautioned to avoid obvious or easily guessed combinations, such as names of family members or pets, birth dates, or common words in other languages.
- Use of an automatic system prompt that requires users to change their passwords after a specified period of time or number of uses. The system should require more frequent changes in passwords for users with extensive access privileges (e.g., system administrators).
- A prohibition on users sharing their passwords with anyone and on writing passwords down.
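The following is an added illustration, not part of the original policy text: a small checker that enforces the composition rule stated above (eight characters, one from each of the alphabetic, numeric and special categories), flags the easily guessed terms the policy warns about, and applies a shorter rotation interval to privileged users. The denylist entries and the 90-day/30-day rotation figures are constructed assumptions; the policy itself gives no numbers for rotation.

```python
import re
import string
from datetime import date, timedelta

MIN_LENGTH = 8                      # stated in the policy
# Constructed sample of "obvious" words; a real deployment would use a fuller list.
OBVIOUS_WORDS = {"password", "welcome", "qwerty", "contrasena"}
# Assumed rotation intervals (days); the policy only says privileged users rotate more often.
ROTATION_DAYS = {"standard": 90, "privileged": 30}


def check_password(candidate: str, personal_terms=()) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes.

    personal_terms holds user-specific guessable words (family or pet names) supplied
    by the caller, since the policy says these must be avoided as well.
    """
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in candidate):
        violations.append("no alphabetic character")
    if not any(c.isdigit() for c in candidate):
        violations.append("no numeric character")
    if not any(c in string.punctuation for c in candidate):
        violations.append("no special character")
    # Compare on letters only so that "Fluffy2024!" still trips on the pet name.
    letters_only = re.sub(r"[^a-z]", "", candidate.lower())
    for term in OBVIOUS_WORDS.union(t.lower() for t in personal_terms):
        if term and term in letters_only:
            violations.append(f"contains easily guessed term '{term}'")
    # A four-digit year inside the password is a common birth-date pattern.
    if re.search(r"(19|20)\d{2}", candidate):
        violations.append("contains a year, possibly a birth date")
    return violations


def change_required(last_changed: str, today: str, privileged: bool = False) -> bool:
    """True when the password (dates in ISO format) has outlived its rotation interval."""
    limit = ROTATION_DAYS["privileged" if privileged else "standard"]
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age >= timedelta(days=limit)
```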