Government Technology

Guidelines for Organization-Wide Password Management

Password Yellow Stickies

April 22, 2009

We've probably all seen it (or perhaps even been guilty of it ourselves). With so many different passwords to remember, one needs to write them down. And what better place to store these vital bits of digital life than on a yellow sticky tab on your monitor (or other visible surface in your office)?

However, according to computer scientist Karen Scarfone, when employees have so many complex passwords to remember that they keep them on a sticky note attached to their computer screens, that is almost a sure sign that your agency or organization needs a wiser policy for passwords -- one that balances risk and complexity.

Scarfone knows what she's talking about as she is the co-author of new federal guidelines for agency-wide password management just issued for public comment by the National Institute of Standards and Technology (NIST).

The new Guide -- Enterprise Password Management (NIST Special Publication 800-118) -- could be used by local and state agencies as well to help employees understand the real threats presented if sensible password policies are not adopted.

Passwords are a key line of defense for an organization's data security, notes the publication. Passwords are used to protect data, systems and networks. Effective management reduces the risk of compromising password-based authentication mechanisms.

However, in Scarfone's view, the nature of the threats against passwords is changing. For example, an organization's password policy might emphasize password strength. It might require that passwords be a certain length and include a variety of letters, digits and symbols. These kinds of policies were created to protect against brute-force password guessing and cracking.

"Strong passwords don't help as much any more because the threats have changed," Scarfone explained in a statement. "Phishing attacks and other forms of social engineering trick users into revealing their passwords. Spyware in web browsers and keystroke loggers provide attackers with all the keystrokes someone makes, including passwords."

On the other hand, using effective password management as described in the guide will reduce the likelihood and impact of password compromises, she said.

The guide recommends that users be educated about threats against passwords and how they should respond. And if higher security is needed, then perhaps password-based authentication should be replaced with, or supplemented by, stronger forms of authentication such as biometrics or personal identity verification (PIV) cards.

Copies of this initial public draft of SP 800-118 Guide to Enterprise Password Management are available at

