Government Technology

    Digital Communities
    Industry Members

  • Click sponsor logos for whitepapers, case studies, and best practices.
  • McAfee

Guidelines for Organization-Wide Password Management

Password Yellow Stickies
Password Yellow Stickies

April 22, 2009 By

We've probably all seen it (or perhaps even been guilty of it ourselves). With so many different passwords to remember, one needs to write them down. And what better place to store these vital bits of digital life than on a yellow sticky tab on your monitor (or other visible surface in your office)?

However, according to computer scientist Karen Scarfone, when employees have so many complex passwords to remember that they keep them on a sticky note attached to their computer screens, that is almost a sure sign that your agency or organization needs a wiser policy for passwords -- one that balances risk and complexity.

Scarfone knows what she's talking about as she is the co-author of new federal guidelines for agency-wide password management just issued for public comment by the National Institute of Standards and Technology (NIST).

The new Guide -- Enterprise Password Management (NIST Special Publication 800-118) -- could be used by local and state agencies as well to help employees understand the real threats presented if sensible password policies are not adopted.

Passwords are a key line of defense for an organization's data security, notes the publication. Passwords are used to protect data, systems and networks. Effective management reduces the risk of compromising password-based authentication mechanisms.

However, in Scarfone's view, the nature of the threats against passwords are changing. For example, an organization's password policy might emphasize password strength. It might require that passwords be a certain length and include a variety of letters, digits and symbols. These kind of policies policies were created to protect against brute-force password guessing and cracking.

"Strong passwords don't help as much any more because the threats have changed," Scarfone explained in a statement. "Phishing attacks and other forms of social engineering trick users into revealing their passwords. Spyware in web browsers and keystroke loggers provide attackers with all the keystrokes someone makes, including passwords."

On the other hand, using effective password management as described in the guide will reduce the likelihood and impact of password compromises, she said.

The guide recommends that users be educated about threats against passwords and how they should respond. And if higher security is needed, then perhaps password-based authentication should be replaced with, or supplemented by, stronger forms of authentication such as biometrics or personal identity verification (PIV) cards.

Copies of this initial public draft of SP 800-118 Guide to Enterprise Password Management are available at


| More


Add Your Comment

You are solely responsible for the content of your comments. We reserve the right to remove comments that are considered profane, vulgar, obscene, factually inaccurate, off-topic, or considered a personal attack.

In Our Library

White Papers | Exclusives Reports | Webinar Archives | Best Practices and Case Studies
Digital Cities & Counties Survey: Best Practices Quick Reference Guide
This Best Practices Quick Reference Guide is a compilation of examples from the 2013 Digital Cities and Counties Surveys showcasing the innovative ways local governments are using technological tools to respond to the needs of their communities. It is our hope that by calling attention to just a few examples from cities and counties of all sizes, we will encourage further collaboration and spark additional creativity in local government service delivery.
Wireless Reporting Takes Pain (& Wait) out of Voting
In Michigan and Minnesota counties, wireless voting via the AT&T network has brought speed, efficiency and accuracy to elections - another illustration of how mobility and machine-to-machine (M2M) technology help governments to bring superior services and communication to constituents.
Why Would a City Proclaim Their Data “Open by Default?”
The City of Palo Alto, California, a 2013 Center for Digital Government Digital City Survey winner, has officially proclaimed “open” to be the default setting for all city data. Are they courageous or crazy?
View All