Password Policy

A document that defines password requirements on company-owned systems.

It specifies:

  • Minimum length of a password (usually 8 characters)
  • Character types required in a password (upper/lower; numbers; special characters/punctuation)
  • How many failed attempts before a user is locked out of their system
  • How often the user is required to change their password before it expires (iffy on whether to do this or not)
  • Users cannot reuse an old password when setting a new one
  • A company's definition of a 'strong' password
    • Can't contain words from the dictionary
    • Can't contain personally identifiable information