Password policy is a basic security control related to authentication. Passwords are commonly exposed to dictionary attacks, brute-force attacks, and password-guessing attacks. If the application allows weak passwords to be set, the accounts they protect can easily be compromised. A strong password policy typically has the following conditions:
- Minimum length of 8 characters
- Must contain at least one lowercase character, one uppercase character, one digit, and one special character
- Password minimum age
- Password maximum age
- Password history restriction
- Account lockout
It is important to note that the password policy must be enforced on both the client and the server side. Client-side checks only give the user immediate feedback; the server-side check is the one that cannot be bypassed, so it must implement the full policy.
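The server-side enforcement of the conditions listed above, as an added example that is not code from the original page. The day counts for minimum and maximum age, the history depth of 5 and the lockout threshold of 5 are assumed values chosen for the example; the page does not specify them.

```python
import hashlib
import hmac
import os
import re
from datetime import timedelta

# Policy values follow the list above; the day counts, history depth and
# lockout threshold are assumed values for this example, not from the page.
MIN_LENGTH = 8
MIN_AGE = timedelta(days=1)    # blocks rapid changes that cycle past the history
MAX_AGE = timedelta(days=90)   # after this a password change is forced
HISTORY_SIZE = 5               # previous passwords that may not be reused
LOCKOUT_THRESHOLD = 5          # consecutive failed logins before lockout

# One required character class per entry: lowercase, uppercase, digit, special.
CLASS_PATTERNS = {"lowercase": r"[a-z]", "uppercase": r"[A-Z]",
                  "digit": r"[0-9]", "special": r"[^A-Za-z0-9]"}

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. The history keeps (salt, digest) pairs, so
    old passwords are compared by re-hashing the candidate, never stored in clear."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def validate_new_password(candidate, history, last_changed, now):
    """Server-side check of a proposed password; returns the violated rules
    (empty list = acceptable). history: (salt, digest) pairs, newest first."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append("min_length")
    for name, pattern in CLASS_PATTERNS.items():
        if not re.search(pattern, candidate):
            violations.append("missing_" + name)
    for salt, digest in history[:HISTORY_SIZE]:
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            violations.append("reused_password")
            break
    if last_changed is not None and now - last_changed < MIN_AGE:
        violations.append("min_age")
    return violations

def password_expired(last_changed, now):
    """Maximum-age check run at login: True means a change must be forced."""
    return now - last_changed > MAX_AGE

def account_locked(consecutive_failures):
    """Lockout check run before a login attempt is verified."""
    return consecutive_failures >= LOCKOUT_THRESHOLD
```

The minimum-age rule is what makes the history restriction effective: without it a user can change the password six times in a row to return to the original one.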