Do you have a strict password security policy?
  v4.0 Posted at 1/10/2019 5:53 PM by Christian Morford-Waite

We recommend enforcing strict password policies.

Below is a capture of the settings we use:


When passwords have to be changed they must meet the following minimum requirements:

  • Not contain all or part of the user's account name
  • Be at least six characters in length
  • Contain characters from three of the following four categories:
    • English uppercase characters (A through Z)
    • English lowercase characters (a through z)
    • Base 10 digits (0 through 9)
    • Non-alphanumeric characters (e.g., !, $, #, %)

Remember, it is always good to use an even number for password length ;) See https://www.troyhunt.com/how-long-is-long-enough-minimum-password-lengths-by-the-worlds-top-sites/

Complexity requirements are enforced when passwords are changed or created.

Every 180 days clients will be required to change their password. They can change it when they:

  • Log in to their computer
  • Connect by Terminal Server to another computer
  • Connect via VPN

This allows users to change their password by making a VPN connection to the office.

We also enforce a lockout policy: if a user gets their password wrong 5 times, their account will be locked out for 15 minutes.

If you want to change your password sooner, press [Ctrl] + [Alt] + [Delete], then click the "Change Password" button.
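
One way to check that an exported policy still matches the values in this rule, as an added example that is not part of the original rule: it audits the `[System Access]` section of a Windows security template, such as the file written by `secedit /export /cfg`. The function name, the sample export and the reading of `-1` and `0` as "never" and "disabled" are assumptions of this example.

```python
import configparser

# This rule's values, keyed by [System Access] names from a security template.
BASELINE = {
    "MinimumPasswordLength": ("min", 6),    # at least six characters
    "PasswordComplexity":    ("eq", 1),     # complexity rules enforced
    "MaximumPasswordAge":    ("max", 180),  # forced change every 180 days
    "LockoutBadCount":       ("max", 5),    # lock after 5 wrong passwords
    "LockoutDuration":       ("min", 15),   # stay locked for 15 minutes
}
# Assumed conventions: -1 = never expires / admin unlock; BadCount 0 = off.
NEVER = -1

def audit_policy(inf_text):
    """Return {setting: problem} for every setting weaker than BASELINE."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                      # keep key case as written
    cp.read_string(inf_text)
    access = cp["System Access"] if cp.has_section("System Access") else {}
    problems = {}
    for key, (rule, want) in BASELINE.items():
        if key not in access:
            problems[key] = "not set"
            continue
        value = int(access[key])
        if key == "MaximumPasswordAge" and value == NEVER:
            problems[key] = "passwords never expire"
        elif key == "LockoutBadCount" and value == 0:
            problems[key] = "lockout disabled"
        elif key == "LockoutDuration" and value == NEVER:
            continue                          # stricter than 15 minutes
        elif rule == "min" and value < want:
            problems[key] = f"{value} is below {want}"
        elif rule == "max" and value > want:
            problems[key] = f"{value} is above {want}"
        elif rule == "eq" and value != want:
            problems[key] = f"{value}, expected {want}"
    return problems

# Constructed sample export, not taken from a real machine.
SAMPLE_INF = """\
[System Access]
MinimumPasswordLength = 4
PasswordComplexity = 1
MaximumPasswordAge = -1
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
"""
```

Files written by `secedit` are usually UTF-16, so decode them before passing the text to `audit_policy`.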
