The following list represents a best-practice approach to password control for sites that need to maintain high security standards, for example, Common Criteria Compliance. See Setting Up a System for Common Criteria Compliance.
- Passwords must be at least 8 characters in length and not exceed 30 characters (unless a longer password is required).
- Passwords must use a combination of alpha, numeric, and special characters.
- The username must be locked after 3 unsuccessful logon attempts and remain locked for 5 minutes.
- The username cannot be part of the password.
- Passwords should expire at least every 90 days.
- Restrict reuse of passwords for at least 270 days.
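As an added illustration (not part of the original documentation, and not the product's own code), the policy above written as a small Python checker: the thresholds are taken directly from the list, while the function names, the in-memory account record and the salted PBKDF2 storage of the password history are assumptions. It enforces composition and length on every new password, counts failed logons into a timed lockout, flags an expired password on a successful logon, and refuses any password that was in use during the reuse window.

```python
"""Password-policy checker for the rules listed above (added example, not product code)."""
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta

# Thresholds from the policy list
MIN_LEN, MAX_LEN = 8, 30
MAX_FAILED_LOGONS = 3
LOCKOUT = timedelta(minutes=5)
EXPIRY = timedelta(days=90)
REUSE_WINDOW = timedelta(days=270)

SPECIALS = set(string.punctuation)


def password_problems(username: str, password: str) -> list:
    """Return the composition rules a candidate password violates (empty list = acceptable)."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length must be 8-30 characters")
    if not any(c.isalpha() for c in password):
        problems.append("missing alphabetic character")
    if not any(c.isdigit() for c in password):
        problems.append("missing numeric character")
    if not any(c in SPECIALS for c in password):
        problems.append("missing special character")
    if username and username.lower() in password.lower():
        problems.append("password contains the username")
    return problems


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the history never stores passwords in the clear (assumed storage scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """In-memory account record: failed-logon counter, lock expiry and dated password history."""

    def __init__(self, username: str, password: str, now: datetime):
        problems = password_problems(username, password)
        if problems:
            raise ValueError("; ".join(problems))
        self.username = username
        self.failed_logons = 0
        self.locked_until = None
        self.history = []  # (salt, digest, set_at), oldest first; last entry is current
        self._store(password, now)

    def _store(self, password: str, now: datetime) -> None:
        salt = os.urandom(16)
        self.history.append((salt, _digest(password, salt), now))

    @staticmethod
    def _matches(password: str, entry) -> bool:
        salt, digest, _ = entry
        return hmac.compare_digest(_digest(password, salt), digest)

    def is_locked(self, now: datetime) -> bool:
        return self.locked_until is not None and now < self.locked_until

    def password_expired(self, now: datetime) -> bool:
        return now - self.history[-1][2] >= EXPIRY

    def logon(self, password: str, now: datetime) -> str:
        """Return 'locked', 'failed', 'expired' or 'ok'; three failures lock the name for 5 minutes."""
        if self.is_locked(now):
            return "locked"  # attempts during the lockout are not counted or checked
        if not self._matches(password, self.history[-1]):
            self.failed_logons += 1
            if self.failed_logons >= MAX_FAILED_LOGONS:
                self.locked_until = now + LOCKOUT
                self.failed_logons = 0
            return "failed"
        self.failed_logons = 0
        self.locked_until = None
        return "expired" if self.password_expired(now) else "ok"

    def change_password(self, new_password: str, now: datetime) -> list:
        """Apply the composition rules plus the 270-day reuse restriction; return the problems found."""
        problems = password_problems(self.username, new_password)
        for i, entry in enumerate(self.history):
            # A password counts as 'in use' until the next one was set (or until now, if current)
            retired_at = self.history[i + 1][2] if i + 1 < len(self.history) else now
            if now - retired_at < REUSE_WINDOW and self._matches(new_password, entry):
                problems.append("password reused within 270 days")
                break
        if not problems:
            self._store(new_password, now)
        return problems
```

The reuse window is measured from when a password stopped being used, not from when it was first set, so a password that was current until yesterday stays blocked for the full 270 days. A real deployment would persist the history and lock state in the server's own catalog rather than in memory.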