AAP Recommendation

X.1282: Security measures for countering password related online attacks

Study Group: 17
Study Period: 2022-2024
Consent Date: 2023-09-08
Approval Date: 2023-11-13
Provisional Name: X.scpa
Input used for Consent: SG17-TD1353R1/PLEN (2023-08)
Status: A
IPR: Site

This Recommendation is intended to analyze the security risks of password related online attacks in service systems, and to provide security measures that could mitigate the security threats and challenges. Based on the features of password related online attacks, the security measures could include CAPTCHA, multi-factor certification, session control, log audit, security design of registration interface, security design of retrieving password interface, security design of login interface, security policy of login password, anomaly pattern analysis, data analysis, policy optimization, hierarchical services, risk early warning, user reminders and other related technical requirements. This Recommendation provides security risks analysis and security considerations that will help mitigate password related security risks in each phase of the service life cycle, thus advancing the business application and security requirements together to ensure a balanced approach during the life cycle of service systems. It provides a baseline to all service systems that provide password login mechanisms, and additional filters for critical applications.
