A product's design should require adherance to an appropriate password policy. Specific password requirements depend strongly on contextual factors, but it is recommended to contain the following attributes:
Depending on the threat model, the password policy may include several additional attributes.
See NIST 800-63B [REF-1053] for further information on password requirements.
Consider a second
authentication factor beyond the password, which prevents the
password from being a single point of failure. See CWE-308 for
further information.
Consider implementing a password complexity meter to inform users when a chosen password meets the required attributes.
Previously, "password expiration" was
widely advocated as a defense-in-depth approach to
minimize the risk of weak passwords, and it has become
a common practice. Password expiration requires a
password to be changed within a fixed time window (such
as every 90 days). However, this approach has
significant limitations in the current threat
landscape, and its utility has been reduced in light of
the adoption of related protection mechanisms (such as
password complexity and computational effort), along
with the recognition that regular password changes
often caused users to generate more predictable
passwords. As a result, this is now a Discouraged
Common Practice [REF-1488] [REF-1489], especially as
the sole factor in protecting passwords. It is still
strongly encouraged to force password changes in case
of evidence of compromise, but this is not the same as
a forced "expiration" on an arbitrary time
frame.