Passwords management

The rules and policies surrounding password complexity and lifetime should provide clear guidance about whether or not a password is sufficiently resistant to attacks of various types, including brute force, dictionary and social engineering. It should not be up to the user to evaluate password strength.

Configure your technical password controls to enforce the following:

  • Use of passphrases
  • Users avoid obvious passwords (blacklists)
  • Users don't use the same password elsewhere
  • Minimum password length
  • No maximum length
  • Accounts are locked after 10 unsuccessful attempts
  • Password guesses are limited to a maximum of 10 attempts within 5 minutes

Password policies from the official advisory bodies have changed significantly. We can no longer recommend the traditional rule of a password longer than 10 characters with a combination of character types.

The US National Institute of Standards and Technology (NIST), one of the world's recognized references, has issued new password guidelines:

  • No need to change your password every month if you use multi-factor authentication
    Studies have shown that requiring frequent password changes is counterproductive to good password security, even though it was the practice for a long time. It is more valuable to use multi-factor authentication together with a passphrase that is easy to remember but hard to guess.
  • Use a passphrase instead of a complex password
    Mixing upper case letters, lower case letters and numbers is useless and hard to keep in mind. Instead, find a combination of words that is easy to remember but hard to guess. Passwords that are too simple can be attacked by specialist software that combines brute force attacks (dictionaries, hashes…) with variation algorithms for popular characters. Using a personal passphrase significantly extends the time it takes for such software to crack it.


Have a written password security guideline that specifies minimum password length, brute force protection, stronger controls such as MFA, and so on.


Implement and configure your technical password security controls.