Password Policy Explained with Examples

A password policy is a set of rules that force users to use a strong password and periodically update it to meet the security requirements of the company or the organization. A complex password policy enhances network security. Learning the basic elements of a complex password policy is essential for access management.

A complex password policy includes the following elements.

  • Password complexity
  • Password history
  • Maximum password age
  • Minimum password age
  • Minimum password length
  • Change the password at the first login

Password complexity

A complex password includes characters that are hard to guess. Generally, it contains uppercase letters, lowercase letters, numbers, and symbols. Ajx2d4#r$ and Te34$#&*g are examples of a complex password. Complex passwords are nearly impossible to guess. However, they are also hard to remember.

Based on your organization’s requirements and users, you can set different parameters and standards for complexity. For example, if you work in an environment where users are not computer geeks, you can exclude symbols from the password complexity requirement.

Password history

This element prevents users from repeating their passwords. Generally, users remember a few passwords and keep repeating them whenever they have to change their passwords. For example, a user remembers two passwords: Ta3@$d4% and r%s#$4ds. First, he uses the first password. When the password policy forces him to change the password, he changes the password to the second password. When the password policy again forces him to change his password, he changes it back to the first password. He keeps switching between the first and second passwords each time the password policy asks him to update the password.

You can use the password history feature to prevent users from repeating their password. This feature defines the number of passwords the system will remember. The system does not allow a user to use a remembered password. For example, if you configure the feature to remember three passwords, the system will remember the last three user passwords.

Maximum password age

This password policy element defines the maximum password age. It prevents users from using the same password for a long time. For example, if you define the maximum password age as 45 days, the system will force users to change their passwords every 45 days.

Minimum password age

This password policy element defines the minimum password age. It prevents users from frequently changing their passwords. For example, if you define the minimum password age as one day, the system will allow users to change their password only once each day.

Minimum password length

This password policy element defines the length of the password. A long password is more secure than a short password. For example, a password of 10 characters is more secure than a password of 4 characters.

Four characters provide approximately 14 million password possibilities. Ten characters provide 8.4 × 10^17 possibilities. A 4-character password can be easily cracked in a fraction of a day, while a 10-character password requires much more time and computing power to break.

If you use only letters for the password, you have 52 characters (26 [lowercase] + 26 [uppercase]) to construct a password. You can further add numeric values and symbols to create a lengthy password.

Change the password at the first login

This password policy element forces the user to change his password at the first login. Many companies and organizations do not allow users to create their accounts themselves. They provide usernames and passwords to users. Since users get system-generated passwords, they must change their passwords. This policy forces users to use their own passwords instead of the default system-generated passwords. The user uses the default system-generated password to set a new custom password. The user cannot access his account until he changes the default password.
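The six elements described above interact, so the following Python code, an added example that is not part of the original tutorial, enforces them together on one account. The names Policy, Account, issue_initial, change_password and login_allowed are hypothetical; the history size, maximum age and minimum age use the tutorial's example values, while the minimum length of 10 and the PBKDF2 storage of remembered passwords are assumptions of this example.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Policy:  # history, max age and min age use the page's example values
    min_length: int = 10          # assumed; the page sets no minimum
    history_size: int = 3
    max_age: timedelta = timedelta(days=45)
    min_age: timedelta = timedelta(days=1)

@dataclass
class Account:
    history: list = field(default_factory=list)  # (salt, PBKDF2 digest), never plaintext
    changed_at: datetime = None
    must_change: bool = True                     # change at first login

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _store(acct, password, now, pol):
    salt = os.urandom(16)
    acct.history = (acct.history + [(salt, _digest(password, salt))])[-pol.history_size:]
    acct.changed_at = now

def issue_initial(acct, password, now, pol):
    _store(acct, password, now, pol)
    acct.must_change = True

def change_password(acct, new, now, pol):  # returns violated elements; [] = accepted
    bad = []
    if len(new) < pol.min_length:
        bad.append("length")
    classes = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    if not all(any(test(c) for c in new) for test in classes):
        bad.append("complexity")
    if any(hmac.compare_digest(_digest(new, s), d) for s, d in acct.history):
        bad.append("history")
    # Minimum age is waived while the forced first-login change is pending.
    if not acct.must_change and now - acct.changed_at < pol.min_age:
        bad.append("min_age")
    if not bad:
        _store(acct, new, now, pol)
        acct.must_change = False
    return bad

def login_allowed(acct, now, pol):
    return not acct.must_change and now - acct.changed_at <= pol.max_age
```

The minimum-age check is what keeps the history check meaningful: without it, a user could change passwords several times in a row to push an old one out of the remembered set and then reuse it.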


In this tutorial, we discussed the password policy and its elements. We learned the techniques that can enhance the security of your systems and networks.
