Strong password policies include requirements on the length of passwords (at least eight characters), characters (at least one number and one other mark), rotation (e.g., quarterly), prohibition of reuse. Strong password controls are the mechanisms you use to make sure that users’ passwords do in fact meet your criteria for strength, rotation, and non-reuse.