Government Technology

Guidelines for Organization-Wide Password Management

Password Yellow Stickies
Password Yellow Stickies

April 22, 2009 By

We've probably all seen it (or perhaps even been guilty of it ourselves). With so many different passwords to remember, one needs to write them down. And what better place to store these vital bits of digital life than on a yellow sticky tab on your monitor (or other visible surface in your office)?

However, according to computer scientist Karen Scarfone, when employees have so many complex passwords to remember that they keep them on a sticky note attached to their computer screens, that is almost a sure sign that your agency or organization needs a wiser policy for passwords -- one that balances risk and complexity.

Scarfone knows what she's talking about as she is the co-author of new federal guidelines for agency-wide password management just issued for public comment by the National Institute of Standards and Technology (NIST).

The new Guide -- Enterprise Password Management (NIST Special Publication 800-118) -- could be used by local and state agencies as well to help employees understand the real threats presented if sensible password policies are not adopted.

Passwords are a key line of defense for an organization's data security, notes the publication. Passwords are used to protect data, systems and networks. Effective management reduces the risk of compromising password-based authentication mechanisms.

However, in Scarfone's view, the nature of the threats against passwords are changing. For example, an organization's password policy might emphasize password strength. It might require that passwords be a certain length and include a variety of letters, digits and symbols. These kind of policies policies were created to protect against brute-force password guessing and cracking.

"Strong passwords don't help as much any more because the threats have changed," Scarfone explained in a statement. "Phishing attacks and other forms of social engineering trick users into revealing their passwords. Spyware in web browsers and keystroke loggers provide attackers with all the keystrokes someone makes, including passwords."

On the other hand, using effective password management as described in the guide will reduce the likelihood and impact of password compromises, she said.

The guide recommends that users be educated about threats against passwords and how they should respond. And if higher security is needed, then perhaps password-based authentication should be replaced with, or supplemented by, stronger forms of authentication such as biometrics or personal identity verification (PIV) cards.

Copies of this initial public draft of SP 800-118 Guide to Enterprise Password Management are available at


| More


Add Your Comment

You are solely responsible for the content of your comments. We reserve the right to remove comments that are considered profane, vulgar, obscene, factually inaccurate, off-topic, or considered a personal attack.

In Our Library

White Papers | Exclusives Reports | Webinar Archives | Best Practices and Case Studies
Public Safety 2019
Motorola conducted an industry survey on the latest trends in public safety communications. The results provide an outlook of what technology is in store for your agency in the next five years. Download the results to gain this valuable insight.
Improving Emergency Response with Digital Communications
Saginaw County, Mich., increases interoperability, communication and collaboration with a digital voice and data network, as well as modern computer-aided dispatch.
Reduce Talk Time in Your Support Center by 40%
As the amount of information available to citizens and employees grows each year, so do customer expectations for efficient service. Contextual Knowledge makes information easy to find, dropping resolution times and skyrocketing satisfaction.
View All

Featured Papers