requiring users to use only alphabetic words as passwords
Requiring users to use only alphabetic words as passwords will likely weaken password security because dictionary words are typically the easiest passwords for a hacker to crack.
Strong passwords should typically be at least eight characters in length and contain a mixture of alphabetic, numeric, and symbolic characters. Requiring users to use a minimum of eight characters, including symbols, numbers, and letters, in their passwords and requiring that users periodically change their passwords will likely strengthen password security.
In addition, as part of your organization's password policy, you should configure an account lockout to occur after a certain number of invalid login attempts. You should configure a password expiration policy. You should also configure a password reuse policy that ensures that passwords cannot be reused until a certain number of password changes have occurred. On their own, however, these settings can be bypassed. For example, if you configure a policy such that a password expires in 90 days and that you cannot reuse the last 6 passwords, a user could simply reset the password 7 times in a row to be able to reuse the original password when it comes time for the password to be reset. To prevent users from resetting the password in this manner to bypass your organization's password policy, you should configure a password policy that ensures that passwords cannot be changed more than once a day.
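The following simulation is an added example, not part of the original explanation. It models the 90-day, last-6-passwords policy described above and counts how many throwaway changes and how many days it takes to get back to the original password, with and without the once-a-day change limit. The class names, the sample passwords, the start date, and the assumption that the history holds the 6 previous passwords in addition to the current one are all illustrative.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class PasswordPolicy:
    history_size: int = 6   # previous passwords that may not be reused
    min_age_days: int = 0   # 0 = password may be changed again immediately
    max_age_days: int = 90  # expiry interval from the text

@dataclass
class Account:
    policy: PasswordPolicy
    current: str
    changed_on: date
    # Older passwords, newest last. Plaintext only to keep the simulation
    # short; a real system compares against stored password hashes.
    history: list = field(default_factory=list)

    def change_password(self, new: str, today: date) -> bool:
        p = self.policy
        if (today - self.changed_on).days < p.min_age_days:
            return False  # minimum password age not reached
        remembered = self.history[-p.history_size:] if p.history_size else []
        if new == self.current or new in remembered:
            return False  # blocked by the reuse policy
        self.history.append(self.current)
        self.current, self.changed_on = new, today
        return True

def cycle_back_to_original(policy: PasswordPolicy):
    """Return (days_elapsed, throwaway_changes) until the original is accepted."""
    start = date(2024, 1, 1)    # constructed date: the day the password expires
    original = "Original#2024"  # constructed sample value
    acct = Account(policy, original, start - timedelta(days=policy.max_age_days))
    today, throwaways = start, 0
    while True:
        if acct.change_password(original, today):
            return (today - start).days, throwaways
        if acct.change_password(f"Throwaway#{throwaways}", today):
            throwaways += 1
        else:
            today += timedelta(days=1)  # blocked by minimum age; wait a day

if __name__ == "__main__":
    print(cycle_back_to_original(PasswordPolicy(min_age_days=0)))
    print(cycle_back_to_original(PasswordPolicy(min_age_days=1)))
```

Without a change limit, the original password is accepted again on the same day after 7 throwaway changes; with the once-a-day limit, the same 7 changes are spread over 7 days.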
Any generic accounts that are included with any software or device, such as the default administrative or guest accounts, should be removed or disabled. If you do not want to remove or disable these accounts, you should at minimum assign the accounts a complex password. The generic accounts are commonly known, and that is why generic account prohibition or account disablement is encouraged.
Your organization should have a password recovery policy in place for users who forget their passwords. If you have to reset the password, you should reset it to something generic and configure the user account so that the user must change the password at the next login.