Changes

WebAppSec/Secure Coding Guidelines

508 bytes removed, 21:55, 4 January 2011
Section edited: Password Complexity

===Password Complexity===

Previous revision:

All sites should have the following base password policy:
* Passwords must be 8 characters or greater
* Passwords must require numbers and letters

Critical sites (examples: addons.mozilla.org, bugzilla.mozilla.org, or other critical sites) should add the following requirements to the password policy:
* Besides the base policy, passwords should also require at least one or more special characters.

This revision:

====Critical Sites====
Examples: any admin/power-user login, or all users on a website that stores sensitive user data.

Implement the following policy:
* Passwords must be 8 characters or greater
* Passwords must require numbers, letters and a special character

====Non-Critical Sites====
Examples: no personal user data stored; minimal impact from a compromised account.

Note:
* Account lockout must still be in place after 3 failed attempts.
* This policy is only for basic accounts. Any admin accounts must still adhere to the strict password policy identified above.

Implement the following policy:
* Passwords must be 6 characters or greater
* Passwords must require any two of the following three categories of characters:
** numbers
** letters
** special characters

====Global Disallowed Passwords====
* Disallow the following passwords (case insensitive):
** password1 (or any number at the end)
** abc123
** trustno1
** ncc1701
** rush2112
** thx1138
** Note: This list was created by identifying these passwords from the [http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time top 100 most common passwords] that would still be possible under the identified password complexity policy.
* We should keep lists of passwords that users can't use, drawn from sources such as the one linked below. Right off the bat, we should disallow "password" and anything like it, such as "p@$$w0rd".
* Blocking plain dictionary words should also be considered.
* http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time
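The following is an added example, not code from the wiki or from Mozilla, showing how the two policy tiers and the disallowed-password list above can be enforced in one validator. It checks length, the number of character categories present, the case-insensitive blocklist (with "password" matched with any trailing number), leet-speak look-alikes such as "p@$$w0rd", and a tiny constructed dictionary standing in for the suggested dictionary-word check. The leet substitution table and the sample dictionary are assumptions; the wiki only says "anything like it" and "plain dictionary words".

```python
import re

# Policy tiers from the wiki section: critical sites require 8+ characters with
# letters, numbers and a special character; non-critical sites require 6+
# characters with any two of those three categories.
CRITICAL = {"min_length": 8, "required_categories": 3}
NON_CRITICAL = {"min_length": 6, "required_categories": 2}

# Globally disallowed passwords from the wiki list, matched case-insensitively.
# "password" additionally matches with any run of digits appended (password1, ...).
DISALLOWED = {"password", "abc123", "trustno1", "ncc1701", "rush2112", "thx1138"}

# Leet-speak substitutions so look-alikes such as "p@$$w0rd" are caught.
# This mapping is an assumption; the wiki only says "anything like it".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t"})

# Constructed stand-in for the "plain dictionary words" check the wiki suggests;
# a real deployment would load a full word list.
DICTIONARY = {"mozilla", "firefox", "welcome", "summer"}


def _categories(pw: str) -> int:
    """Count how many of the three character classes (letters, digits, special) appear."""
    return sum([
        any(c.isalpha() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def _normalize(pw: str) -> str:
    """Lower-case and undo common leet substitutions."""
    return pw.lower().translate(LEET)


def _is_disallowed(pw: str) -> bool:
    """True if the password, or a leet/trailing-number variant of it, is on the blocklist."""
    lowered = pw.lower()
    stem = re.sub(r"\d+$", "", lowered)  # drop a trailing number: password2011 -> password
    for form in (lowered, _normalize(lowered), _normalize(stem)):
        if form in DISALLOWED or re.fullmatch(r"password\d*", form):
            return True
    return False


def _is_dictionary_word(pw: str) -> bool:
    """True if the password is a dictionary word, optionally with a number appended."""
    stem = re.sub(r"\d+$", "", pw.lower())
    return stem in DICTIONARY or _normalize(stem) in DICTIONARY


def check_password(pw: str, tier: dict) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < tier["min_length"]:
        problems.append(f"shorter than {tier['min_length']} characters")
    if _categories(pw) < tier["required_categories"]:
        problems.append(
            f"needs {tier['required_categories']} of: letters, numbers, special characters")
    if _is_disallowed(pw):
        problems.append("matches a globally disallowed password")
    elif _is_dictionary_word(pw):
        problems.append("is a plain dictionary word")
    return problems


if __name__ == "__main__":
    # Constructed sample candidates; none are real credentials.
    for candidate, tier_name, tier in [
        ("P@$$w0rd", "critical", CRITICAL),
        ("abc123", "non-critical", NON_CRITICAL),
        ("Mozilla9", "non-critical", NON_CRITICAL),
        ("hunter42", "non-critical", NON_CRITICAL),
        ("hunter42", "critical", CRITICAL),
    ]:
        verdict = check_password(candidate, tier) or ["ok"]
        print(f"{candidate!r} ({tier_name}): {', '.join(verdict)}")
```

The validator returns every violation rather than stopping at the first, so the caller can show the user the whole list at once; the blocklist check also applies to admin accounts regardless of tier, matching the note that admin accounts always follow the stricter policy. Account lockout after 3 failed attempts is a separate authentication-side control and is not part of this check.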
===Password Rotation===