# Implement passwords policy

- Strictly use strong passwords with minimum 8 characters comprised of alpha numerical and special characters, as was described in section 6.3;
- Users should have different passwords for different accounts;
- All default passwords must be changed upon installation of new software or new  
    Operating System (OS);
- Failed login attempts should be limited to three times and then lock the user;
- Account lockout duration should be at minimum 20 minutes at maximum 1hour.
- A two-factor authentication should be set up for critical applications and/or systems.