The password policy is the most obvious component of identity and credential management, and probably the most obvious component of information security. Indeed, research firm Frost and Sullivan has cited weak passwords as the major cause of security breaches via social engineering, brute force, or guessing. Thus, best practices for passwords have expanded over the years. A good password now includes all of the following:
- minimum of eight characters long
- includes at least one special character
- includes at least one number
- mixes cases for alpha characters
- uses an incoherent phrase (e.g., not an address)
Of course, the greater the risk, the greater the need for multiple layers of password protection, which means additional one-time passwords, USB tokens and/or biometrics.
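
The checklist above can be enforced when a password is set. The following Python sketch is an added example, not code from the original page; the function name, the rule labels, the treatment of any non-alphanumeric character as "special", and the address heuristic are all assumptions made for illustration.

```python
import re

MIN_LENGTH = 8  # minimum length from the checklist above

# Assumption: a crude stand-in for the "incoherent phrase" rule. It flags a
# house number followed by a street-type word. A real deployment would also
# screen against dictionaries of common and personal phrases.
ADDRESS_LIKE = re.compile(
    r"\d+\s*[a-z .]*(street|road|avenue|lane|drive|st|rd|ave|ln|dr)\b",
    re.IGNORECASE,
)


def check_password(candidate: str) -> list[str]:
    """Return the labels of the checklist rules the candidate fails."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append("length")
    # Assumption: "special" means any character that is not a letter or digit.
    if not any(not c.isalnum() for c in candidate):
        failures.append("special")
    if not any(c.isdigit() for c in candidate):
        failures.append("number")
    has_lower = any(c.islower() for c in candidate)
    has_upper = any(c.isupper() for c in candidate)
    if not (has_lower and has_upper):
        failures.append("mixed_case")
    if ADDRESS_LIKE.search(candidate):
        failures.append("coherent_phrase")
    return failures


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for sample in ["vK7#tulip-Onyx", "password", "12 Main St!", "Ab1!"]:
        problems = check_password(sample)
        print(f"{sample!r}: {'ok' if not problems else ', '.join(problems)}")
```

Returning every failed rule, rather than stopping at the first, lets an enrollment form tell the user everything that needs fixing in one pass.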