Computer Password Standards

From Wikipedia, the free encyclopedia

Proper password security is made up of a number of factors. The first is adequate communication to users about how to protect their accounts and follow password best practices. The second is to define and enforce a strong password policy. The last is a reasonable and appropriate account lockout policy.

User Communication

Effectively communicating password and account policy to users goes a long way toward ensuring that account, computer and network resources are protected from unauthorized use. User education must be an integral part of any comprehensive security plan. Literature and presentations that include examples are effective ways to convey the following standards to users:

  • Never tell your password to anyone.
  • Always use strong passwords.
  • Use a different password for each account.
  • Never write down your password and leave it in an easy-to-find place.

Encouraging users to keep their passwords only in their heads makes the user the only point of failure, but it also has drawbacks. Allowing users to write down their passwords encourages them to use complicated passwords that differ from account to account; in that case the piece of paper must be physically secured. [1]

  • Change your password immediately if it is stolen, lost, or inadvertently given away.
  • Change passwords every 30-90 days.
  • Do not use incremental passwords (e.g. pass1, pass2, pass3, etc.).

Strong Password Policy

Strong passwords are an essential part of any plan to eliminate unauthorized account use. The following are generally considered the best practices for strong passwords that are not easily cracked. [2] A strong password has the following characteristics:

  • contains no dictionary words
  • contains no proper names
  • is significantly different from previous passwords
  • is sufficiently complex, meaning it is at least eight (8) characters long and contains a mix of at least three (3) of the following:
  1. uppercase letters (A – Z)
  2. lowercase letters (a – z)
  3. numerals (0 – 9)
  4. special or non-alphabetic characters (e.g. $, ^, *, @, #, etc.) [3]

A complete strong password policy also takes a number of other factors into consideration. Users should not be allowed to reuse the same password when their password expires. Passwords should expire every 30 – 90 days depending on the situation. A minimum password age should also be enforced so that a user cannot circumvent the password history policy by changing the password repeatedly until the old one is accepted again.
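The complexity, dictionary, proper-name and "significantly different from previous passwords" rules above can all be enforced mechanically at password-change time. The checker below is an added example written for this article, not code from the article or from any vendor's policy engine. It follows the stated thresholds (eight characters, three of four character classes) and adds assumptions of its own: the small word lists are constructed samples standing in for a real dictionary, short words under four letters are ignored to limit false positives, and a difflib similarity ratio of 0.6 or more is treated as "not significantly different", which also catches incremental passwords such as pass1 to pass2.

```python
import difflib
import string

# Constructed sample word lists for the example; a deployment would load a
# full dictionary and name list (assumption, not something the article specifies).
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "letmein"}
PROPER_NAMES = {"john", "alice", "london", "redmond"}

# The four character classes listed in the policy.
CHARACTER_CLASSES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "numerals": set(string.digits),
    "special": set(string.punctuation),
}

MIN_LENGTH = 8          # "eight (8) characters" from the policy
MIN_CLASSES = 3         # "a mix of at least three (3)" classes from the policy
MAX_SIMILARITY = 0.6    # assumed threshold: at or above this the new password is
                        # not "significantly different" from a previous one
MIN_WORD_LENGTH = 4     # assumed: ignore very short list entries to limit false positives


def character_classes_used(password):
    """Return the names of the character classes that appear in the password."""
    chars = set(password)
    return [name for name, members in CHARACTER_CLASSES.items() if chars & members]


def listed_words_in(password, words):
    """Return every list entry that occurs as a substring, case-insensitively."""
    lowered = password.lower()
    return sorted(w for w in words if len(w) >= MIN_WORD_LENGTH and w in lowered)


def similarity(a, b):
    """Ratio in [0, 1] from difflib; 1.0 means identical (case-insensitive)."""
    return difflib.SequenceMatcher(None, a.lower(), b.lower()).ratio()


def check_password(password, previous_passwords=()):
    """Evaluate a candidate against the policy and return a list of reason codes.

    An empty list means the candidate passed every check. Comparing against
    previous passwords also catches incremental patterns such as pass1 -> pass2.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too_short")
    if len(character_classes_used(password)) < MIN_CLASSES:
        failures.append("too_few_classes")
    if listed_words_in(password, DICTIONARY_WORDS):
        failures.append("dictionary_word")
    if listed_words_in(password, PROPER_NAMES):
        failures.append("proper_name")
    if any(similarity(password, old) >= MAX_SIMILARITY for old in previous_passwords):
        failures.append("similar_to_previous")
    return failures


if __name__ == "__main__":
    # Constructed candidates: one passes, the others each trip a different rule.
    for candidate, history in [
        ("Tr0ub4dor&3", ()),
        ("password1", ()),
        ("John2024!", ()),
        ("Xq7$pLm2", ("Xq7$pLm3",)),
    ]:
        print(f"{candidate!r}: {check_password(candidate, history) or 'OK'}")
```

The similarity check needs the previous password in plaintext, which is only available for the password the user types to authorize the change; a stored history of earlier passwords should be kept as hashes and can then only be checked for exact reuse, which is what the "no reuse on expiry" rule and the minimum password age together protect.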

Account Lockout

The last important component of computer password standards is an appropriate account lockout policy. Such a policy disables a user account after an incorrect password has been entered a predetermined number of times. An effective lockout policy diminishes the feasibility of using password cracking software (which continually tries different password combinations) to gain unauthorized access. However, if the lockout threshold is set too low, authorized users may be locked out simply by mistyping or misremembering their passwords. By choosing an appropriate number of password attempts (generally 3-5), a good policy strikes a balance between tolerating user error and providing sufficient security. [4]
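The balance described above, tolerating an occasional mistyped password while stopping sustained guessing, comes from three parameters: the attempt threshold the article discusses, an observation window after which old failures stop counting, and a lockout duration. The class below is an added example written for this article, not code from the article or from any operating system's lockout implementation. The 3-5 attempt range comes from the text; the 15-minute window and 30-minute lockout are assumed values, and the clock is injectable so the behaviour can be exercised without waiting.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Policy parameters. The article gives the 3-5 attempt range; the window and
# lockout duration are assumed values for this example.
LOCKOUT_THRESHOLD = 5
OBSERVATION_WINDOW = 15 * 60   # seconds before the failure counter resets
LOCKOUT_DURATION = 30 * 60     # seconds an account stays locked


@dataclass
class AccountState:
    failed_attempts: int = 0
    first_failure_at: Optional[float] = None
    locked_until: Optional[float] = None


class LockoutPolicy:
    """Tracks failed logins per account and locks after too many in a window."""

    def __init__(self, threshold=LOCKOUT_THRESHOLD, window=OBSERVATION_WINDOW,
                 duration=LOCKOUT_DURATION,
                 clock: Callable[[], float] = time.monotonic):
        self.threshold = threshold
        self.window = window
        self.duration = duration
        self.clock = clock          # injectable so tests can control time
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    @staticmethod
    def _reset(state):
        state.failed_attempts = 0
        state.first_failure_at = None
        state.locked_until = None

    def is_locked(self, user):
        state = self._state(user)
        return state.locked_until is not None and self.clock() < state.locked_until

    def check_login(self, user, credentials_valid):
        """Return "locked", "success" or "failure" for one login attempt.

        A locked account rejects even correct credentials until the lock
        expires, so a guessing tool learns nothing while the lock is in force.
        """
        now = self.clock()
        state = self._state(user)

        if state.locked_until is not None:
            if now < state.locked_until:
                return "locked"
            self._reset(state)          # lock expired: start fresh

        if credentials_valid:
            self._reset(state)          # a good login clears the counter
            return "success"

        # Start a new observation window if this is the first failure or the
        # earlier failures are older than the window, so a user who mistypes
        # occasionally never accumulates enough failures to be locked out.
        if state.first_failure_at is None or now - state.first_failure_at > self.window:
            state.first_failure_at = now
            state.failed_attempts = 0
        state.failed_attempts += 1

        if state.failed_attempts >= self.threshold:
            state.locked_until = now + self.duration
        return "failure"


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=3)
    for attempt in range(4):
        print(f"attempt {attempt + 1}: {policy.check_login('alice', False)}")
    print("locked:", policy.is_locked("alice"))
```

Each lockout event is also worth logging with the account name and source, since a burst of lockouts across many accounts is the signature of a guessing campaign rather than of forgetful users.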

References

  1. "Microsoft security guru: Jot down your passwords" (2005-05-23). Retrieved 2007-03-08.
  2. "Hackers can crack most in less than a minute" (2002-05-22). Retrieved 2007-03-09.
  3. "Strong Password" (2005-01-21). Retrieved 2007-03-09.
  4. "Account Lockout Policy Overview" (2005-01-21). Retrieved 2001-03-09.