Risk Assessed Password Policies – Overview

Sep 25th, 2007



I jumped in earlier talking about password rotation policies without actually mentioning why I think password policies are so important, so I'll back up and cover that now.
The use of passwords as authenticators for computer systems has been around for a very long time, and for quite some period the security industry has focused on reducing their use, since their shortcomings are well known. Single sign-on, identity management, two-factor authentication and the like have been themes for quite a while.
But here's the thing: passwords aren't going away; in fact I'd say their usage is increasing.
At home we've got a hugely increasing number of websites offering us services, from social networking sites like Facebook and MySpace to forum sites to e-commerce sites, and all of them use passwords (usually not integrated with any over-arching identity management system).
At work, there's the rise of application service providers and "software as a service", which leads to company staff accessing external websites for business purposes, again usually without identity management support.
So getting your password policy right is actually becoming more important.
The problem I've seen is that many companies don't actually risk assess their password policies. They set one level for users and one for "super users" regardless of where the system sits and what other controls are around it. Combine that with "best practice" principles that seem really inappropriate for most systems, and it can be quite a mess.
Over a series of posts I'll look at some examples of where password policies could do with some attention; any feedback/comments welcome 🙂
