Strong passwords are more difficult to guess using Brute Force and Dictionary Attacks.
Strong passwords are not just for users. Admins and developers need strong passwords most of all. Administrative accounts are far more valuable than user accounts. They have elevated privileges and access to more hardware, software, and information resources.
Character variety increases the search key space.
Require all passwords to include at least one of all of these characters.
A longer password exponentially increases the search key space.
Require all passwords to meet minimum length requirements.
Avoid dictionary words. Dictionary words make passwords too easy for Dictionary Attacks to guess.
Avoid patterns such as keyboard, letter, or number sequences. For example, "qwerty", "abcde", or "1234567890".
Avoid using any personal information which could be known by friends or discovered through research. This includes information related to family, pets, college, hobbies, or sports teams.
It is more secure to pick a random sequence of characters. Computers are far better than humans at generating truly random strings. There are many strong password generators online which can create random passwords.
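The rules above (length, character variety, no dictionary words, no sequences, random generation) can be enforced in code. The following is an added example, not part of the original page. The minimum length of 12 and the four character classes are assumptions, since the page does not state them, and the wordlist is a small constructed sample.

```python
import math
import secrets
import string

# Assumed policy values; the page does not fix a length or name the classes.
MIN_LENGTH = 12
CLASSES = {"lowercase": string.ascii_lowercase, "uppercase": string.ascii_uppercase,
           "digit": string.digits, "symbol": string.punctuation}
# Constructed sample wordlist; a real check would load a large dictionary file.
DICTIONARY = {"password", "dragon", "welcome", "monkey", "sunshine"}
# Letter, number and keyboard-row sequences to reject.
SEQUENCES = ["abcdefghijklmnopqrstuvwxyz", "01234567890",
             "qwertyuiop", "asdfghjkl", "zxcvbnm"]

def has_sequence(pw, run=4):
    """True if pw contains `run` consecutive sequence characters, in either direction."""
    low = pw.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            if any(s[i:i + run] in low for i in range(len(s) - run + 1)):
                return True
    return False

def check_password(pw):
    """Return the policy rules that pw violates; an empty list means accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in pw):
            problems.append("missing " + name)
    if any(word in pw.lower() for word in DICTIONARY):
        problems.append("dictionary word")
    if has_sequence(pw):
        problems.append("sequence")
    return problems

def keyspace_bits(length, alphabet_size):
    """Size of the search key space in bits: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)

def generate_password(length=16):
    """Draw from the OS CSPRNG via `secrets`, retrying until the policy passes."""
    alphabet = "".join(CLASSES.values())
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw):
            return pw
```

Comparing keyspace_bits(8, 26) with keyspace_bits(16, 94) shows how much length and character variety together enlarge the search key space.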
Do not re-use passwords. Having many internal systems which all use the same password allows an attacker who has gained access to one set of credentials to move around freely within a network.
Passwords used for internal systems should never be re-used on other sites or services. The security of their data is not under your control. This is one of the primary ways in which credentials are obtained.
Long, random, unique passwords are often avoided because they are difficult to remember. Passwords can be stored in a password manager so that they do not need to be remembered.
Some login systems require that passwords be changed to a new value on a regular basis. This is a valid security measure; however, it should be noted that it does nothing to make a password more secure. It only invalidates the old password. If an attacker possesses a password, or if a password was re-used on a compromised site, then it is a good security measure to rotate that password out of use. However, many security professionals argue that users feel overwhelmed by being asked to remember another password and choose weak passwords as a result.