Featured Research

from universities, journals, and other organizations

New Guidelines For Organization-wide Password Management

Date:
April 23, 2009
Source:
National Institute of Standards and Technology
Summary:
When an employee has so many complex passwords to remember that he keeps them on a sticky note attached to his computer screen, that could be a sign that your organization needs a wiser policy for passwords, one that balances risk and complexity. New guidelines for institution-wide password management issued by NIST could help.

When an employee has so many complex passwords to remember that he keeps them on a sticky note attached to his computer screen, that could be a sign that your organization needs a wiser policy for passwords, one that balances risk and complexity, explains computer scientist Karen Scarfone. Scarfone is co-author of new guidelines for agency-wide password management issued for public comment by the National Institute of Standards and Technology (NIST).

Designed for federal government agencies, the new Guide to Enterprise Password Management (NIST Special Publication 800-118) can be useful to industry as well to aid in understanding common threats against character-based passwords and how to mitigate those threats within the organization. The guide covers defining and implementing password policy, educating users and measuring the effectiveness of password policies.

Passwords are a key line of defense for an organization’s data security. Passwords are used to protect data, systems and networks. Effective management reduces the risk of compromising password-based authentication mechanisms. Topics addressed in the guide include defining password policy requirements and selecting centralized and local password management solutions.

One of the document’s key purposes is to assist organizations in understanding common threats against their character-based passwords and how to mitigate those threats. Agencies need to consider using several mitigation strategies, including secure storage and transmission of passwords, user awareness activities, and secure password recovery and reset mechanisms.

The guide also is designed to raise awareness of the changing threats against passwords. Most organizations’ password policies rely primarily on password strength—an organization might require, for example, that passwords be a certain length and include a variety of letters, digits and symbols. These policies were created to protect against brute-force password guessing and cracking.

“Strong passwords don’t help as much any more because the threats have changed. Phishing attacks and other forms of social engineering trick users into revealing their passwords. Spyware in web browsers and keystroke loggers provide attackers with all the keystrokes someone makes, including passwords,” Scarfone said. Using effective password management as described in the guide will reduce the likelihood and impact of password compromises, she explained. The guide recommends that users be educated about threats against passwords and how they should respond. The publication also suggests that for some applications with high security needs, password-based authentication should be replaced with, or supplemented by, stronger forms of authentication such as biometrics or personal identity verification (PIV) cards.


Story Source:

The above story is based on materials provided by National Institute of Standards and Technology. Note: Materials may be edited for content and length.


Cite This Page:

National Institute of Standards and Technology. "New Guidelines For Organization-wide Password Management." ScienceDaily. ScienceDaily, 23 April 2009. <www.sciencedaily.com/releases/2009/04/090423105900.htm>.
National Institute of Standards and Technology. (2009, April 23). New Guidelines For Organization-wide Password Management. ScienceDaily. Retrieved September 1, 2014 from www.sciencedaily.com/releases/2009/04/090423105900.htm
National Institute of Standards and Technology. "New Guidelines For Organization-wide Password Management." ScienceDaily. www.sciencedaily.com/releases/2009/04/090423105900.htm (accessed September 1, 2014).

Share This




More Computers & Math News

Monday, September 1, 2014

Featured Research

from universities, journals, and other organizations


Featured Videos

from AP, Reuters, AFP, and other news services

Apple's Rumored iWatch Could Cost $400

Apple's Rumored iWatch Could Cost $400

Newsy (Aug. 31, 2014) Apple is expected to charge a premium for its still-rumored wearable device. Video provided by Newsy
Powered by NewsLook.com
Young Entrepreneurs Get $100,000, If They Quit School

Young Entrepreneurs Get $100,000, If They Quit School

AFP (Aug. 29, 2014) Twenty college-age students are getting 100,000 dollars from a Silicon Valley leader and a chance to live in San Francisco in order to work on the start-up project of their dreams, but they have to quit school first. Duration: 02:20 Video provided by AFP
Powered by NewsLook.com
JPMorgan Chase Confirms Possible Cyber Attack

JPMorgan Chase Confirms Possible Cyber Attack

Reuters - US Online Video (Aug. 28, 2014) Attackers stole checking and savings account information and lots of other data from JPMorgan Chase, according to the New York Times. Other banks are believed to be victims as well. Fred Katayama reports. Video provided by Reuters
Powered by NewsLook.com
Spend 2 Minutes Watching This Smartwatch Roundup

Spend 2 Minutes Watching This Smartwatch Roundup

Newsy (Aug. 28, 2014) LG announces a round-faced smartwatch, Samsung adds 3G connectivity to its latest wearable, and Apple will reportedly announce the iWatch on Sept. 9. Video provided by Newsy
Powered by NewsLook.com

Search ScienceDaily

Number of stories in archives: 140,361

Find with keyword(s):
Enter a keyword or phrase to search ScienceDaily for related topics and research stories.

Save/Print:
Share:

Breaking News:
from the past week

In Other News

... from NewsDaily.com

Science News

Health News

Environment News

Technology News



Save/Print:
Share:

Free Subscriptions


Get the latest science news with ScienceDaily's free email newsletters, updated daily and weekly. Or view hourly updated newsfeeds in your RSS reader:

Get Social & Mobile


Keep up to date with the latest news from ScienceDaily via social networks and mobile apps:

Have Feedback?


Tell us what you think of ScienceDaily -- we welcome both positive and negative comments. Have any problems using the site? Questions?
Mobile: iPhone Android Web
Follow: Facebook Twitter Google+
Subscribe: RSS Feeds Email Newsletters
Latest Headlines Health & Medicine Mind & Brain Space & Time Matter & Energy Computers & Math Plants & Animals Earth & Climate Fossils & Ruins