There are common bad practices we need to avoid in passwords:
Not every organization is ready to abandon all password policies such as uppercase letter, lowercase letter, number and a special character in passwords in favor of the new NIST Policy.
Build a password policy that satisfies the organizational needs, however, keep in mind favor the user so they can create a strong password that won’t change until detected in a breach.
Attackers know that humans are creatures of habit. So, when they attempt to guess a user’s password, they start with commonly known breached passwords.
To protect your users, you should always check your corporate user’s passwords against a breached password list. If one of your users’ password matches a password that been previously used, you should disallow it, and force the user to choose another unique password.
StealthAUDIT can detect and report on weak, shared or previously used passwords, allowing administrators to force a password reset and to reduce the risk of compromise.
Once cleaned up, StealthINTERCEPT Enterprise Password Enforcer (EPE) can enforce complexity and uniqueness, by automatically blocking unsafe passwords from being used, to keep your passwords and your organization safe.
…it is recommended that passwords chosen by users be compared against a “black list” of unacceptable passwords. This list should include passwords from previous breach corpuses, dictionary words, and specific words (such as the name of the service itself) that users are likely to choose.