Password Policies

Guessing passwords is still an effective way to break into systems, and password theft is a major problem. Password policies force users to select good passwords and to change them often, which makes it more difficult to penetrate a computer from the outside. The following recommendations will harden your system against someone who tries to guess or steal passwords:

• Maximum password age: 90 days. This forces users to change their passwords every 90 days. A longer time period opens a large window in which successfully broken or stolen passwords can be used before being changed. A shorter time period may annoy your users and cause rebellion.
• Minimum password age: one day. Minimum password age prevents users from changing their password and immediately changing it back to the old password, effectively eliminating the requirement to change passwords.
• Minimum password length: eight characters. Longer passwords take longer to break and guess.
• Password uniqueness: five passwords. This is the number of remembered passwords for each user. Users can't reuse a password until they have used five different new passwords. If the minimum password age is one day, it would take users five days of changing their password every day before they could reuse a password. This is intended to discourage the use of repeat passwords, and it is very effective.
• Account lockout: lockout after five failed attempts; reset count after ten minutes. This simply reduces the number of tries that a brute-force password-guessing attack can make over a given period of time. Account lockouts can be detected and tracked to indicate a brute-force password-guessing attack.
• Lockout duration: 15 minutes. Remember, you are just trying to discourage the guessing attack, and an employee will be idle during this time. Selecting the reset to forever will force an administrator to unlock the account. This is not recommended and is probably overkill. The costs really mount up when you consider an idle employee and the time of the administrator who must unlock the account.

http//www.softheap.com