Educate users

Applies To: Windows SBS 2008

After implementing strong password policies, educate users about strong and weak passwords. Ask users to treat their password as they would private information, such as a credit card personal identification number (PIN).

Following are typical guidelines for creating a strong password. When implemented, they provide protection for your local network.

A password should not include any of the following:

  • All or part of the user's account name.

  • User's name or e-mail alias.

  • Name of the user's child, parent, spouse/partner, or friend.

  • Any word found in a dictionary.

  • Old password that is reused by appending numbers.

  • User's birth date.

  • User's phone number.

  • User's Social Security Number or other identification number.

  • Any easily obtained personal information (for example, a city of birth).

A strong password consists of the following:

  • At least eight characters.

  • Characters from three of the following four categories:

    • Uppercase letters (A through Z)

    • Lowercase letters (a through z)

    • Numbers (0 through 9)

    • Non-alphanumeric characters (for example, !, $, #, %)

For more information about password policies, see "Selecting Secure Passwords" at the Microsoft Web site (