April 22, 2009 By Blake Harris
We've probably all seen it (or perhaps even been guilty of it ourselves). With so many different passwords to remember, one needs to write them down. And what better place to store these vital bits of digital life than on a yellow sticky tab on your monitor (or other visible surface in your office)?
However, according to computer scientist Karen Scarfone, when employees have so many complex passwords to remember that they keep them on a sticky note attached to their computer screens, that is almost a sure sign that your agency or organization needs a wiser policy for passwords -- one that balances risk and complexity.
Scarfone knows what she's talking about as she is the co-author of new federal guidelines for agency-wide password management just issued for public comment by the National Institute of Standards and Technology (NIST).
The new Guide -- Enterprise Password Management (NIST Special Publication 800-118) -- could be used by local and state agencies as well to help employees understand the real threats presented if sensible password policies are not adopted.
Passwords are a key line of defense for an organization's data security, notes the publication. Passwords are used to protect data, systems and networks. Effective management reduces the risk of compromising password-based authentication mechanisms.
However, in Scarfone's view, the nature of the threats against passwords are changing. For example, an organization's password policy might emphasize password strength. It might require that passwords be a certain length and include a variety of letters, digits and symbols. These kind of policies policies were created to protect against brute-force password guessing and cracking.
"Strong passwords don't help as much any more because the threats have changed," Scarfone explained in a statement. "Phishing attacks and other forms of social engineering trick users into revealing their passwords. Spyware in web browsers and keystroke loggers provide attackers with all the keystrokes someone makes, including passwords."
On the other hand, using effective password management as described in the guide will reduce the likelihood and impact of password compromises, she said.
The guide recommends that users be educated about threats against passwords and how they should respond. And if higher security is needed, then perhaps password-based authentication should be replaced with, or supplemented by, stronger forms of authentication such as biometrics or personal identity verification (PIV) cards.
Copies of this initial public draft of SP 800-118 Guide to Enterprise Password Management are available at http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf.