You have probably already heard about this vicious circle a thousand times:
Requiring that passwords be long and complex makes it less likely that attackers will guess or crack them, but it also makes the passwords harder for users to remember, and thus more likely to be stored insecurely. This increases the likelihood that users will store their passwords insecurely and expose them to attackers.
So how do you work out an appropriate password policy? Need help? Find some tips in the NIST (National Institute of Standards and Technology) study GUIDE TO ENTERPRISE PASSWORD MANAGEMENT (DRAFT), which “has been prepared for use by Federal agencies”, but also “may be used by nongovernmental organizations on a voluntary basis”.
Here are some nuggets from the paper:
• Organizations should review their password policies periodically, particularly as major technology changes occur (e.g., new operating system) that may affect password management.
• Users should be made aware of threats against their knowledge and behavior, such as phishing attacks, keystroke loggers, and shoulder surfing, and how they should respond when they suspect an attack may be occurring.
• Organizations should consider having different policies for password expiration for different types of systems, operating systems, and applications, to reflect their varying security needs and usability requirements.
Do you have something to add? Then review and revise it freely – the paper is not subject to copyright. ;)