There is no right answer to this question.
BEST:
- Randomly generated
- mix of Alphabet, numbers, characters, mixed case
- very, very long
- Changed very frequently
WORST:
- No password
- password never changes
- password is easily remembered (name, address, etc)
Best is not always functional. Worst is insecure. Somewhere in-between, the organization decides what best meets its needs.
Length: How long is too long or too short?
Retention: How frequent is too frequent, or not frequent enough?
Complexity: How complex should it be?
Black Lists: What words or combinations of words should be disallowed?
Passwords which are too complex and change too frequently may cause an increase in lockouts, resets, and possibly calls to the helpdesk. Passwords that are too simple or change too infrequently could pose a security risk. CA Siteminder/Single Sign On will allow you to tune your Password Policies to meet the needs of your organization.
Suggestions:
- Password uses a combination of alpha-numeric, upper case and lower case, and symbols
- Don't use First or Last Names of yourself, family or friends
- Don't use company names, product names, or network names
- Don't use public information about yourself such as hobbies, sports, etc.
- Don't use keyboard patterns (e.g. QWERTY, qweasd, 12345, etc)
- Don't append an existing password with ever increasing integers. (R0man117, R0man18, R0man19, etc)
- Don't use words that can be found in the dictionary