Password Policy Recommendations

ISO 27001 Recommended controls for Password policy
==================================================

A.9.2.4 Allocation of secret authentication information
Allocation of secret authentication information shall be controlled through a formal management process.

A.9.3.1 Use of secret authentication information
Users shall be required to follow the organization's practices in the use of secret authentication information.

A.9.4.2 Secure log-on procedures
Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.

A.9.4.3 Password management system
Password management systems shall be interactive and shall ensure quality passwords.

------------------------------------------------------------------------------

Suggested password policy
=========================

- Enforce password history
- Enforce maximum password age / enforce password expiry
- Enforce minimum password length
- Enforce password complexity requirements
- If the password is forgotten, what should a user do? Enforce a forgotten-password procedure.

Suggestions about password security for end users (should be part of the policy, as employees should follow the recommendations below)
=================================================

- Do not use the same password for official accounts as for other non-official access (e.g., personal ISP account, option trading, benefits, etc.).
- Wherever possible, do not use the same password for various official access needs. For example, select one password for the QCQA and a separate password for system login.
- Do not share official passwords with anyone. All passwords are to be treated as sensitive, confidential official information.
- Do not reveal a password over the phone to ANYONE.
- Do not reveal a password in an email message.
- Do not reveal a password to the boss.
- Do not talk about a password in front of others.
- Do not hint at the format of a password (e.g., "my family name").
- Do not reveal a password on questionnaires or security forms.
- Do not share a password with family members.
- Do not reveal a password to co-workers while on vacation.
- Do not use the "Remember Password" feature of applications.
- Do not write passwords down and store them anywhere in your office.
- Do not store passwords in a file on ANY computer system.
- If an account or password is suspected to have been compromised, report the incident to the Network Administrator and change all the passwords.

---------------------------------------------------------------------------------

Use any password storage system:
- KeePass (open source)
- LastPass (free for desktop and $12/year for mobile)

Other recommendations:
- Password Genie ($19.95/year)
- SplashID ($19.95 for desktop and $9.95 for mobile)

---------------------------------------------------------------------------------
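The four technical controls in the "Suggested password policy" section (history, maximum age, minimum length, complexity) are shown below as enforcement code. This is an added example, not part of the original document; the thresholds (12 characters, 5 remembered passwords, 90 days, 3 character classes) are assumptions, since the policy names the controls but sets no values, and the history store keeps only salted PBKDF2 hashes so no plaintext passwords are retained.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

MIN_LENGTH = 12                 # assumed minimum password length
HISTORY_DEPTH = 5               # assumed number of previous passwords remembered
MAX_AGE = timedelta(days=90)    # assumed maximum password age (expiry)
MIN_CLASSES = 3                 # assumed complexity: classes out of upper/lower/digit/symbol


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 hash so the history store never holds plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def complexity_classes(password: str) -> int:
    """Count the character classes present: upper, lower, digit, other."""
    patterns = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for pat in patterns if re.search(pat, password))


def password_expired(last_changed: datetime, now: datetime) -> bool:
    """Maximum password age: True once the password is older than MAX_AGE."""
    return now - last_changed > MAX_AGE


def check_new_password(candidate: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return the policy violations for a proposed password (empty list = accepted)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if complexity_classes(candidate) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    # Password history: re-hash the candidate under each stored salt and compare
    # in constant time, looking only at the last HISTORY_DEPTH entries.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            problems.append(f"reused within the last {HISTORY_DEPTH} passwords")
            break
    return problems


if __name__ == "__main__":
    previous = [hash_password("Correct-Horse-Battery-1")]   # constructed history entry
    print(check_new_password("Correct-Horse-Battery-1", previous))
    print(check_new_password("Strong-Unique-Passphrase-42", previous))
```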