Implement password policies meeting minimum security standards. ## Acceptance criteria - [ ] Minimum length: 12 characters - [ ] Complexity: uppercase, lowercase, number, special character - [ ] Password history: prevent reuse of last 24 passwords - [ ] Maximum age: 90 days - [ ] Account lockout: 5 failed attempts, 30-minute lockout --- **Source:** § 2.5.2 > Covered entities MUST implement password policies meeting minimum security standards.
Implement password policies meeting minimum security standards.
Acceptance criteria
Source: § 2.5.2