Password security

Establishment and enforcement of a strong password policy is critical to protecting your organization's information systems. You should address organizational policy and information system configuration related to:

  • Password history: The number of unique new passwords that a user account must use before a previous password can be reused
  • Maximum password age: The period over which a password can be used before it must be changed
  • Minimum password age: The period over which a password must be used before the user can change it, preventing the user from immediately returning to an old password
  • Minimum password length: The minimum length that the password must be for the information system to accept it
  • Complexity requirements: The types of special characters that must be included in a password for the information system to accept it as valid
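
How the five settings above interact at password-change time, as an added example that is not code from the book: it shows why password history only holds when a minimum password age is also set. The class and function names, default values, special-character set and hash iteration count are assumptions made for this sketch.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Policy:  # hypothetical names mirroring the five settings in the list
    history: int = 5                     # remembered passwords, newest included
    max_age: timedelta = timedelta(days=90)
    min_age: timedelta = timedelta(days=1)
    min_length: int = 12
    special: str = "!@#$%^&*"            # constructed set; at least one required

@dataclass
class Account:
    hashes: list = field(default_factory=list)   # (salt, digest), newest last
    changed_at: "datetime | None" = None

def _digest(password, salt):  # salted, slow hash; iteration count is illustrative
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def is_expired(policy, account, now):
    return account.changed_at is not None and now - account.changed_at > policy.max_age

def change_password(policy, account, new, now):
    """Apply the change if allowed; return the names of the violated settings."""
    errors = []
    if account.changed_at is not None and now - account.changed_at < policy.min_age:
        errors.append("minimum password age")
    if len(new) < policy.min_length:
        errors.append("minimum password length")
    if not any(c in policy.special for c in new):
        errors.append("complexity requirements")
    remembered = account.hashes[-policy.history:] if policy.history else []
    if any(hmac.compare_digest(_digest(new, s), d) for s, d in remembered):
        errors.append("password history")
    if not errors:
        salt = os.urandom(16)
        account.hashes.append((salt, _digest(new, salt)))
        account.changed_at = now
    return errors

def cycle_back(policy, now):
    """True if a user can rotate through throwaways and return to the first password at once."""
    account = Account()
    change_password(policy, account, "Original-Pass!1", now)
    for i in range(policy.history):
        if change_password(policy, account, f"Throwaway-{i}-Pass!", now):
            return False                 # stopped by the minimum password age
    return change_password(policy, account, "Original-Pass!1", now) == []
```

With a minimum age of zero, `cycle_back` returns `True`: the history is exhausted in one sitting and the old password is accepted again. With the one-day default it returns `False`.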

The implementation of a strong password policy will have a direct impact on your user population and must be communicated well in advance so that your user community understands why it must be implemented and what they must do to meet the requirements.
