Guessing passwords is still an effective way to break
into systems, and password theft is a major problem. Password policies force
users to select good passwords and to change them often, which makes it more
difficult to penetrate a computer from the outside. The following
recommendations will harden your system against someone who tries to guess or
- Maximum password age: 90 days. This forces users to
change their passwords every 90 days. A longer time period opens a large
window in which successfully broken or stolen passwords can be used before
being changed. A shorter time period may annoy your users and cause
- Minimum password age: one day. Minimum password age
prevents users from changing their password and immediately changing it back
to the old password, effectively eliminating the requirement to change
- Minimum password length: eight characters. Longer
passwords take longer to break and guess.
- Password uniqueness: five passwords. This is the
number of remembered passwords for each user. Users can't reuse a password
until they have used five different new passwords. If the minimum password
age is one day, it would take users five days of changing their password
every day before they could reuse a password. This is intended to discourage
the use of repeat passwords, and it is very effective.
- Account lockout: lockout after five failed attempts;
reset count after ten minutes. This simply reduces the number of tries that
a brute-force password-guessing attack can make over a given period of time.
Account lockouts can be detected and tracked to indicate a brute-force
- Lockout duration: 15 minutes. Remember, you are just
trying to discourage the guessing attack, and an employee will be idle
during this time. Selecting the reset to forever will force an administrator
to unlock the account. This is not recommended and is probably overkill. The
costs really mount up when you consider an idle employee and the time of the
administrator who must unlock the account.