Password security and password management are hazards to watch out for.
Some common security tactics include, but are not limited to:
- minimum character length (some argue 6, some argue 8)
- case sensitivity
- numeric values
- special characters ()'"/?`~!@#$%^&*-=+ and the space character
- password expiration
- password history differentiation (meaning the password cannot be similar to the x number of historical passwords)
Some argue that doing the above is enough, but others will argue that it's still not enough.
Others argue that complexity of passwords should be sufficient to secure the password, but the problems with more complex passwords is they are harder to remember for the user, which means they'll write it down or use a variation of the previous password; both of which are risks to take into account.
Not to mention how some believe letter substitution is sufficient; like, instead of hackers for a password, you use 4@ck3r5. This doesn't help as much as people believe if someone is using a common password database with subsitution algorithm.
One interesting route is to have users use passphrases, instead of passwords. The difference? Passphrases are easier to remember and inherently take into account all of you password complexity requirements. Example: I'm the 1st king of England! is as complex, if not more complex than adf983l3.2-aa!#s0 and the former is easier to remember.
Note: employing a password policy isn't the be-all-end-all of protecting your systems from intruders. It's just one in a litany of other counter-measures you need to put in place, and you should always weigh your security policy against the aptitude of your systems and users. You can be balls-to-the-walls secured with the latest, greatest and most secure system in the world, but if your user still writes their passwords on sticky notes and tapes it to the side of their monitor, you've got bigger problems.
