Featured Research

from universities, journals, and other organizations

New Guidelines For Organization-wide Password Management

Date:
April 23, 2009
Source:
National Institute of Standards and Technology
Summary:
When an employee has so many complex passwords to remember that he keeps them on a sticky note attached to his computer screen, that could be a sign that your organization needs a wiser policy for passwords, one that balances risk and complexity. New guidelines for institution-wide password management issued by NIST could help.

When an employee has so many complex passwords to remember that he keeps them on a sticky note attached to his computer screen, that could be a sign that your organization needs a wiser policy for passwords, one that balances risk and complexity, explains computer scientist Karen Scarfone. Scarfone is co-author of new guidelines for agency-wide password management issued for public comment by the National Institute of Standards and Technology (NIST).

Designed for federal government agencies, the new Guide to Enterprise Password Management (NIST Special Publication 800-118) can be useful to industry as well to aid in understanding common threats against character-based passwords and how to mitigate those threats within the organization. The guide covers defining and implementing password policy, educating users and measuring the effectiveness of password policies.

Passwords are a key line of defense for an organization’s data security. Passwords are used to protect data, systems and networks. Effective management reduces the risk of compromising password-based authentication mechanisms. Topics addressed in the guide include defining password policy requirements and selecting centralized and local password management solutions.

One of the document’s key purposes is to assist organizations in understanding common threats against their character-based passwords and how to mitigate those threats. Agencies need to consider using several mitigation strategies, including secure storage and transmission of passwords, user awareness activities, and secure password recovery and reset mechanisms.

The guide also is designed to raise awareness of the changing threats against passwords. Most organizations’ password policies rely primarily on password strength—an organization might require, for example, that passwords be a certain length and include a variety of letters, digits and symbols. These policies were created to protect against brute-force password guessing and cracking.

“Strong passwords don’t help as much any more because the threats have changed. Phishing attacks and other forms of social engineering trick users into revealing their passwords. Spyware in web browsers and keystroke loggers provide attackers with all the keystrokes someone makes, including passwords,” Scarfone said. Using effective password management as described in the guide will reduce the likelihood and impact of password compromises, she explained. The guide recommends that users be educated about threats against passwords and how they should respond. The publication also suggests that for some applications with high security needs, password-based authentication should be replaced with, or supplemented by, stronger forms of authentication such as biometrics or personal identity verification (PIV) cards.


Story Source:

The above story is based on materials provided by National Institute of Standards and Technology. Note: Materials may be edited for content and length.


Cite This Page:

National Institute of Standards and Technology. "New Guidelines For Organization-wide Password Management." ScienceDaily. ScienceDaily, 23 April 2009. <www.sciencedaily.com/releases/2009/04/090423105900.htm>.
National Institute of Standards and Technology. (2009, April 23). New Guidelines For Organization-wide Password Management. ScienceDaily. Retrieved July 31, 2014 from www.sciencedaily.com/releases/2009/04/090423105900.htm
National Institute of Standards and Technology. "New Guidelines For Organization-wide Password Management." ScienceDaily. www.sciencedaily.com/releases/2009/04/090423105900.htm (accessed July 31, 2014).

Share This




More Computers & Math News

Thursday, July 31, 2014

Featured Research

from universities, journals, and other organizations


Featured Videos

from AP, Reuters, AFP, and other news services


Search ScienceDaily

Number of stories in archives: 140,361

Find with keyword(s):
Enter a keyword or phrase to search ScienceDaily for related topics and research stories.

Save/Print:
Share:

Breaking News:
from the past week

In Other News

... from NewsDaily.com

Science News

Health News

Environment News

Technology News



    Save/Print:
    Share:

    Free Subscriptions


    Get the latest science news with ScienceDaily's free email newsletters, updated daily and weekly. Or view hourly updated newsfeeds in your RSS reader:

    Get Social & Mobile


    Keep up to date with the latest news from ScienceDaily via social networks and mobile apps:

    Have Feedback?


    Tell us what you think of ScienceDaily -- we welcome both positive and negative comments. Have any problems using the site? Questions?
    Mobile: iPhone Android Web
    Follow: Facebook Twitter Google+
    Subscribe: RSS Feeds Email Newsletters
    Latest Headlines Health & Medicine Mind & Brain Space & Time Matter & Energy Computers & Math Plants & Animals Earth & Climate Fossils & Ruins