When it comes to your employee password policy, you should decide whether your IT system requires strict policing or not. If you are a company that is regularly audited, or you hold sensitive or private information, then this is a bit of a no-brainer. A decent policy requires that you use a complex password, that it expires at least every 30 days, and that you are not allowed to reuse any of your previous 5 passwords. See below for the recommended password complexity.
A strong password contains the following characteristics:
- At least eight characters in length, containing a combination of upper and lowercase letters, numbers, and non-alphabetic characters
- At least three characters from each of the character types listed above
- It should be different from other previously used passwords by more than one character
A strong password should not contain the following:
- Your user name, real name, or company name
- A complete dictionary word
- A blank value: never leave the password empty
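The rules above, plus the "no reuse of the last 5 passwords" rule from the opening paragraph, written as a small policy checker. This is an added example, not code from the original post; the names, company, word list and previous passwords are constructed sample values, and the dictionary set stands in for a real word list.

```python
# Constructed stand-in for a real dictionary word list.
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "company"}

# The four character classes the policy asks for, with a predicate per class.
CLASSES = {
    "uppercase": str.isupper,
    "lowercase": str.islower,
    "digit": str.isdigit,
    "non-alphabetic": lambda c: not c.isalnum(),
}

def within_one_edit(a, b):
    """True if a and b differ by at most one substitution, insertion or deletion."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) <= 1
    if len(a) > len(b):
        a, b = b, a
    # b is one character longer: does dropping a single character give a?
    return any(b[:i] + b[i + 1:] == a for i in range(len(b)))

def check_password(candidate, user_name, real_name, company_name,
                   previous_passwords, history_depth=5, dictionary=SAMPLE_DICTIONARY):
    """Return a list of policy violations; an empty list means the password passes."""
    if not candidate:
        return ["password is blank"]
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than eight characters")
    # Note: three characters from each of four classes implies at least 12 in practice.
    for label, pred in CLASSES.items():
        if sum(1 for c in candidate if pred(c)) < 3:
            problems.append(f"fewer than three {label} characters")
    lowered = candidate.lower()
    for label, value in (("user name", user_name), ("real name", real_name),
                         ("company name", company_name)):
        parts = [value] + value.split()  # check the full name and each word of it
        if any(p and p.lower() in lowered for p in parts):
            problems.append(f"contains the {label}")
    if lowered in dictionary:
        problems.append("is a complete dictionary word")
    # Only the most recent history_depth passwords are compared against.
    for old in previous_passwords[-history_depth:]:
        if within_one_edit(candidate, old):
            problems.append("matches or differs by only one character from a recent password")
            break
    return problems
```

In a real deployment the history comparison would run against stored hashes at change time, since plaintext previous passwords should never be retained.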
For best practice on password dos and don'ts, click here. In my experience, though, enforcing these policies means that your employees will inevitably use more IT resources than usual. In today's world we simply have too many PINs, online banking credentials and passwords to remember, which invariably means that we will forget them from time to time.
So it comes down to either leaving it up to your employees, trusting them to choose their own strong passwords, or enforcing the policy centrally from your network domain controller.