Password policies and account locking

A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly.

A password policy may be advisory, or it may be mandated by technical means, for example by enforcing it at account creation or whenever the password has to be changed. The policy can dictate the length of passwords, case sensitivity, the mix of lower- and upper-case letters, the characters allowed (letters, numbers and symbols), reuse of past passwords (how many previous passwords you can't use), blacklisted passwords, and very easy-to-guess words and combinations such as "password" and "123456".

The password policy can also define how frequently you need to change your password and whether to lock the account after X wrong attempts. Now that we understand how a password policy works, we have to be careful when we launch a password cracking test: we can end up blocking thousands of accounts, and that could mean the end of the penetration test and some problems for us.

This is illegal to perform without authorization.
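The policy rules and the lockout behaviour described above can be seen from the enforcing side in the following added example, which is not code from the book. The class and function names, the minimum length of 12, the history depth of 5 and the lockout threshold of 5 are assumptions chosen for illustration.

```python
import hashlib, hmac, os, re
from dataclasses import dataclass, field

@dataclass
class PasswordPolicy:            # all default values are assumptions
    min_length: int = 12
    history_depth: int = 5       # how many previous passwords you can't reuse
    lockout_threshold: int = 5   # the "X" wrong attempts before locking
    blacklist: frozenset = frozenset({"password", "123456"})

def _digest(password, salt):
    # Past passwords are kept only as salted PBKDF2 digests, never in clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def violations(policy, password, history=()):
    """Return the list of policy rules the candidate password breaks."""
    found = []
    if len(password) < policy.min_length:
        found.append("too short")
    for name, pattern in (("lowercase", r"[a-z]"), ("uppercase", r"[A-Z]"),
                          ("digit", r"[0-9]"), ("symbol", r"[^A-Za-z0-9]")):
        if not re.search(pattern, password):
            found.append("missing " + name)
    if password.lower() in policy.blacklist:
        found.append("blacklisted")
    recent = list(history)[-policy.history_depth:]
    if any(hmac.compare_digest(_digest(password, s), d) for s, d in recent):
        found.append("reused")
    return found

@dataclass
class Account:
    history: list = field(default_factory=list)  # (salt, digest), oldest first
    failed: int = 0
    locked: bool = False

def set_password(policy, account, password):
    """Mandated policy: the change is refused if any rule is broken."""
    problems = violations(policy, password, account.history)
    if not problems:
        salt = os.urandom(16)
        account.history.append((salt, _digest(password, salt)))
    return problems

def login(policy, account, password):
    if account.locked or not account.history:
        return False             # a locked account rejects even the right password
    salt, digest = account.history[-1]
    if hmac.compare_digest(_digest(password, salt), digest):
        account.failed = 0
        return True
    account.failed += 1
    account.locked = account.failed >= policy.lockout_threshold
    return False
```

Once the threshold is reached, the legitimate user is rejected as well, which is why an uncontrolled guessing test against a directory with such a policy can lock out its real users.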