1. Make sure passwords aren't found in a password dictionary commonly used by hackers and crackers. Alphanumeric passwords are a good starting point if complex passwords with mixed case or special characters are too difficult for users.
2. Audit passwords quarterly using a testing tool and follow-up privately with all users with weak passwords to educate them.
3. Change user passwords every 60 to 120 days, depending on the security needs of your organization.
4. Implement the account policy features for password resets, reuse, and other protective measures to ensure passwords are rotated in a controlled fashion.
5. Change ALL service account and special Administrator passwords at least annually.
6. Have solid standards in place for the Help Desk, so they don't accidentally leak out a password (use a PIN system for employee resets). Then, during network penetration testing, call from outside phones to ensure they are following the best practices rather than, e.g., putting service above security needs.
7. Move to AD security and Kerberos for more secure Unicode-based password formats. This creates far more complex and secure passwords than the 14-byte approach used by older versions of NT.
8. Users must choose a different password for public Internet-based web sites than they use for the corporate networks.
9. Create formal corporate policies to discourage disclosing passwords to others and keeping them in plain sight (if users need to write down passwords, they need to hide them - but hopefully they can develop an approach to remember them more easily). Never share passwords in an email message.
10. Develop a good security awareness program on the importance of passwords and how users can help safeguard corporate assets by following the best practices. Remember that a single password is often the only barrier preventing an Internet-based system from being compromised.
11. Anytime you implement a new software product or technology, make sure all DEFAULT passwords are changed. This is one of the top methods by which hackers or crackers compromise corporate security.
12. When employees leave a company, disable their old passwords immediately. If they were previously security or network administrators, change all applicable administrator and service level accounts.
13. Anytime your corporate site is hacked or cracked by unauthorized users, immediately change all affected passwords.
14. For high security needs in a business solution, don't rely on passwords alone, but look at two-factor authentication (smart cards, SecurID, biometrics, etc.). Always plan and design security into any new business solution as part of the project planning process.
15. The longer a password or pass-phrase is, the longer it takes to crack. It's also important to strive for an easy-to-remember password. Spend a little time composing an alphanumeric password that you can easily remember and that is 8 characters or more in length.
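The following is an added example, not part of the original list: a small policy checker that applies items 1, 2 and 15 (dictionary check, alphanumeric requirement, minimum length of 8) to candidate passwords and produces the per-user follow-up list an audit would hand to the help desk. The word list `COMMON_WORDS` is a constructed stand-in for a real cracking dictionary; the leet-speak and trailing-digit normalization mirrors the first substitutions cracking tools try, so "P@ssw0rd1!" is still caught as "password".

```python
import re

# Constructed mini dictionary; a real audit would load a full cracking wordlist.
COMMON_WORDS = {"password", "welcome", "letmein", "summer",
                "company", "admin", "qwerty", "monkey"}

MIN_LENGTH = 8  # item 15: 8 characters or more

# Undo the trivial leet-speak substitutions cracking rules apply first.
_LEET = str.maketrans("@0143$5", "aoiaess")


def normalize(candidate):
    """Lower-case, drop trailing digits/symbols ('summer2024' -> 'summer'),
    then map leet characters back ('p@ssw0rd' -> 'password')."""
    s = candidate.lower()
    s = re.sub(r"[^a-z]+$", "", s)
    return s.translate(_LEET)


def check_password(candidate, dictionary=COMMON_WORDS):
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    # item 1: alphanumeric means both letters and digits are present
    if not re.search(r"[A-Za-z]", candidate) or not re.search(r"[0-9]", candidate):
        problems.append("not alphanumeric (needs both letters and digits)")
    # item 1: reject anything that reduces to a dictionary word
    if normalize(candidate) in dictionary:
        problems.append("based on a dictionary word")
    return problems


def audit(accounts, dictionary=COMMON_WORDS):
    """item 2: map each user with a weak password to the reasons, for private follow-up.
    `accounts` is {username: password} recovered by the audit tool."""
    report = {}
    for user, pwd in accounts.items():
        problems = check_password(pwd, dictionary)
        if problems:
            report[user] = problems
    return report


if __name__ == "__main__":
    # Constructed sample accounts for the demonstration.
    sample = {"alice": "P@ssw0rd1!", "bob": "blue7tractor9", "carol": "abc123"}
    for user, reasons in audit(sample).items():
        print(user, "->", "; ".join(reasons))
```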