Password policy

A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly. A password policy is often part of an organization's official regulations and may be taught as part of security awareness training. The password policy may either be advisory or mandated by technical means.

Aspects of password policy

Typical components of a password policy include:

Password length and formation

Many policies require a minimum password length, typically 6 or 8 characters. Some systems impose a maximum length for compatibility with legacy systems.

Some policies suggest or impose requirements on what type of password a user can choose, such as:

*the use of both upper- and lower-case letters (case sensitivity)
*inclusion of one or more numerical digits
*inclusion of special characters
*prohibition of words found in a dictionary or the user's personal information
*prohibition of passwords that match the format of calendar dates, license plate numbers, or other common numbers
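A checker that applies the formation rules listed above, written as an added example for this article rather than code from any real policy engine. The minimum and maximum lengths, the tiny dictionary and the date and licence-plate patterns are assumptions chosen for illustration; a real deployment would load a full dictionary or a breached-password list in place of the constructed set.

```python
import re

# Assumed policy parameters for this example (the article cites 6 or 8 as
# typical minimums; the maximum guards against legacy systems that truncate).
MIN_LENGTH = 8
MAX_LENGTH = 64

# Constructed stand-in for a real dictionary / common-password list.
DICTIONARY = {"password", "welcome", "letmein", "summer", "qwerty", "dragon"}

# Undo common symbol-for-letter substitutions before the dictionary check,
# so "P@ssw0rd!" is compared as "password".
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l", "3": "e",
                      "$": "s", "5": "s", "7": "t"})

# Formats the rules forbid: calendar dates (12/05/1984, 1984-05-12, 19840512)
# and licence-plate-like strings (ABC-1234, AB 123 CD). Both are assumptions.
DATE_RE = re.compile(r"^(?:\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}"
                     r"|\d{4}[/.-]\d{1,2}[/.-]\d{1,2}|\d{6}|\d{8})$")
PLATE_RE = re.compile(r"^[A-Z]{1,3}[- ]?\d{2,4}[- ]?[A-Z]{0,3}$")


def leetfold(s: str) -> str:
    """Lower-case, map symbols back to letters, keep letters only."""
    return re.sub(r"[^a-z]", "", s.lower().translate(LEET))


def check_password(password: str, username: str = "", personal=()) -> list:
    """Return the list of rules the candidate violates (empty = acceptable).

    `personal` holds strings the user must not embed, e.g. name or birth year.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        violations.append(f"longer than {MAX_LENGTH} characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        violations.append("needs both upper- and lower-case letters")
    if not any(c.isdigit() for c in password):
        violations.append("needs at least one digit")
    if not any(not c.isalnum() for c in password):
        violations.append("needs at least one special character")
    folded = leetfold(password)
    if any(word in folded for word in DICTIONARY):
        violations.append("contains a dictionary word")
    for item in (username, *personal):
        # Short items (under 3 chars) would match almost anything, so skip them.
        if len(item) >= 3 and (item.lower() in password.lower()
                               or (leetfold(item) and leetfold(item) in folded)):
            violations.append(f"contains personal information '{item}'")
    if DATE_RE.match(password) or PLATE_RE.match(password.upper()):
        violations.append("matches a date or licence-plate format")
    return violations


if __name__ == "__main__":
    for pw in ("P@ssw0rd1", "Alice1985!", "12/05/1984", "Mq7#vLp2zd"):
        print(pw, "->", check_password(pw, username="alice", personal=("1985",)))
```

Returning every violated rule at once, rather than stopping at the first, is what users need to fix a rejected password in one go; the leet-folding step is what stops "P@ssw0rd1" from sailing past a plain dictionary lookup.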

As of October 2005, employees of the UK Government are advised to use passwords of the following form: consonant, vowel, consonant, consonant, vowel, consonant, number, number (for example "pinray45"). This form is called an Environ password and is case-insensitive. Unfortunately, since the form of this 8-character password is known to potential attackers, the number of possibilities that need to be tested (21 × 5 × 21 × 21 × 5 × 21 × 10 × 10 = 486,202,500) is actually fewer than for a 6-character case-insensitive alphanumeric password of no fixed form (36^6 = 2,176,782,336).
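The arithmetic above, generalised to any fixed pattern, as an added example written for this article (it is not UK Government material). The character classes are assumptions: 21 consonants (counting y), 5 vowels, 10 digits, and a 36-symbol case-insensitive alphanumeric alphabet for the free-form comparison. It also reports the keyspace in bits and the shortest free-form length that beats a given pattern.

```python
import math
import string

# Character classes assumed for the Environ rule "cvccvcnn".
CONSONANTS = "bcdfghjklmnpqrstvwxyz"               # 21 letters (y counted as consonant)
VOWELS = "aeiou"                                    # 5 letters
DIGITS = string.digits                              # 10
CLASSES = {"c": CONSONANTS, "v": VOWELS, "n": DIGITS}
ALNUM_CI = string.ascii_lowercase + string.digits   # 36: case-insensitive alphanumerics


def pattern_keyspace(pattern: str) -> int:
    """Number of distinct passwords a fixed class pattern such as 'cvccvcnn' admits."""
    return math.prod(len(CLASSES[cls]) for cls in pattern)


def free_keyspace(alphabet: str, length: int) -> int:
    """Number of passwords of exactly `length` symbols drawn freely from `alphabet`."""
    return len(alphabet) ** length


def bits(keyspace: int) -> float:
    """Keyspace expressed as bits of entropy, assuming uniform choice."""
    return math.log2(keyspace)


def min_free_length(alphabet: str, target_keyspace: int) -> int:
    """Shortest free-form length over `alphabet` whose keyspace reaches the target."""
    return math.ceil(math.log(target_keyspace, len(alphabet)))


def matches_pattern(password: str, pattern: str) -> bool:
    """Policy check: does the (case-insensitive) password fit the class pattern?"""
    pw = password.lower()
    return len(pw) == len(pattern) and all(ch in CLASSES[cls] for ch, cls in zip(pw, pattern))


if __name__ == "__main__":
    environ = pattern_keyspace("cvccvcnn")
    free6 = free_keyspace(ALNUM_CI, 6)
    print(f"Environ 8-char pattern: {environ:,} ({bits(environ):.1f} bits)")
    print(f"Free 6-char alnum:      {free6:,} ({bits(free6):.1f} bits)")
    print("Shortest free length beating the pattern:", min_free_length(ALNUM_CI, environ))
    print("pinray45 fits pattern:", matches_pattern("pinray45", "cvccvcnn"))
```

The lesson generalises: any formation rule the attacker can learn (and a published policy is learnt) shrinks the search space, so it should be evaluated by the keyspace it leaves, not by the length it mandates.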

Other systems create the password for the users or let the user select one of a limited number of displayed choices.

Password duration

Some policies require users to change passwords periodically, e.g. every 90 or 180 days. Systems that implement such policies sometimes prevent users from picking a password too close to a previous selection.

This policy can often backfire. Since it is hard to come up with good passwords that are also easy to remember, users who must invent a new password every few months tend to choose much weaker ones, and the policy also encourages users to write passwords down. Also, if the policy prevents a user from repeating a recent password, the system must keep a database of everyone's recent passwords (or their hashes) rather than erasing the old ones, and that database then needs protecting like the live credentials.

Requiring a very strong password and not requiring it to be changed is often better. This does have a major drawback, however: if someone acquires the password and it is never changed, they may have long-term access.

It is necessary to weigh these factors: the likelihood of someone guessing a password because it is weak, vs the likelihood of someone managing to steal, or otherwise acquire without guessing, a password.

Good password practice

Password policies often include advice on proper password management such as:
*never sharing a computer account
*never using the same password for more than one account
*never telling a password to anyone, including people who claim to be from customer service or security
*never writing down a password
*never communicating a password by telephone, e-mail or instant messaging
*being careful to log off before leaving a computer unattended
*changing passwords whenever there is suspicion they may have been compromised
*using a different password for the Windows (operating system) logon than for applications
*choosing passwords that mix letters and digits

Sanctions

Password policies may include progressive sanctions beginning with warnings and ending with possible loss of computer privileges or job termination. Where confidentiality is mandated by law, e.g. with classified information, a violation of password policy could be a criminal offense. Some consider a convincing explanation of the importance of security to be more effective than threats of sanctions.

Choosing an appropriate password policy

The level of password strength required depends, in part, on how easy it is for an attacker to submit multiple guesses. Some systems limit the number of times a user can enter an incorrect password before a delay is imposed or the account is frozen, so an online attacker gets only a handful of guesses per minute. At the other extreme, some systems make the hashed passwords available (for example in a world-readable password file) so that anyone can check guesses against them offline. When this is done, an attacker can try passwords very rapidly, limited only by hardware and the cost of the hash function, and much stronger passwords are necessary for reasonable security. (See password cracking and password length equation.) Stricter requirements are also appropriate for accounts with higher privileges, such as root or system administrator accounts.
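To make the online case concrete, an added example (not from the article or any product) of a per-account throttle: three free attempts, then a doubling delay, then a 15-minute lockout after ten failures, all assumed values. A simulation drives it with a fake clock to count how many guesses one attacker can push through against one account in a day, which is the figure to set against the keyspace when choosing the policy.

```python
import time


class LoginThrottle:
    """Per-account throttling. After `free_attempts` failures each further
    failure doubles the wait before the next attempt is accepted; the
    `lockout_after`-th failure freezes the account for `lockout_seconds`."""

    def __init__(self, free_attempts=3, lockout_after=10,
                 base_delay=1.0, lockout_seconds=900.0):
        self.free_attempts = free_attempts
        self.lockout_after = lockout_after
        self.base_delay = base_delay
        self.lockout_seconds = lockout_seconds
        self._state = {}            # account -> (failures, not_before)

    def wait_time(self, account: str, now: float) -> float:
        """Seconds the caller must wait before an attempt is accepted (0 = go)."""
        _, not_before = self._state.get(account, (0, 0.0))
        return max(0.0, not_before - now)

    def record(self, account: str, success: bool, now: float) -> float:
        """Record an attempt's outcome; return the delay imposed on the next one."""
        if success:
            self._state.pop(account, None)      # a real login clears the counter
            return 0.0
        failures, _ = self._state.get(account, (0, 0.0))
        failures += 1
        if failures >= self.lockout_after:
            delay = self.lockout_seconds
            failures = 0                        # counter restarts once lockout expires
        elif failures > self.free_attempts:
            delay = self.base_delay * 2 ** (failures - self.free_attempts - 1)
        else:
            delay = 0.0
        self._state[account] = (failures, now + delay)
        return delay


def online_guesses_per_day(throttle: LoginThrottle = None, account: str = "alice") -> int:
    """Simulate an attacker guessing continuously against one account for 24 h."""
    throttle = throttle or LoginThrottle()
    now, guesses = 0.0, 0
    while now < 86400:
        wait = throttle.wait_time(account, now)
        if wait > 0:
            now += wait                          # attacker sleeps until accepted
            continue
        throttle.record(account, success=False, now=now)
        guesses += 1
    return guesses


def days_to_exhaust(keyspace: int, guesses_per_day: int) -> float:
    return keyspace / guesses_per_day


if __name__ == "__main__":
    per_day = online_guesses_per_day()
    print("online guesses per account per day:", per_day)
    print("days to exhaust 36^6 online: %.0f" % days_to_exhaust(36 ** 6, per_day))
    print("seconds to exhaust 36^6 offline at 1e9/s: %.1f" % (36 ** 6 / 1e9))
```

Two caveats the simulation makes visible: a per-account lockout lets anyone who knows a username deny that user service, and it does nothing against an attacker who tries one common password across thousands of accounts, so real deployments throttle per source address as well and keep the lockout short. Neither helps once the hashes are offline, which is why the offline line in the output is seconds rather than millennia.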

Usability considerations

Password policies are usually a tradeoff between theoretical security and the practicalities of human behavior. For example:
*Requiring excessively complex passwords and forcing them to be changed frequently can cause users to write passwords down in places that are easy for an intruder to find, such as a Rolodex or post-it note near the computer.

*Users often have dozens of passwords to manage. It may be more realistic to recommend a single password be used for all low security applications, such as reading on-line newspapers and accessing entertainment web sites.

*Similarly, demanding that users never write down their passwords may be unrealistic and lead users to choose weak ones. An alternative is to suggest keeping written passwords in a secure place, such as a safe or an encrypted master file. The validity of this approach depends on what the most likely threat is deemed to be. While writing down a password may be problematic if potential attackers have access to the secure store, if the threat is primarily remote attackers who do not have access to the store, it can be a very secure method.

*Inclusion of special characters can be a problem if a user has to log on to a computer in a different country. Some special characters may be difficult or impossible to find on keyboards designed for another language.

*Some identity management systems allow Self Service Password Reset, where users can bypass the password entirely by supplying answers to one or more security questions such as "where were you born?" or "what's your favorite movie?". Often the answers to these questions can easily be obtained by social engineering, phishing or simple research, so the questions become a second, weaker password.

Other approaches are available that are generally considered to be more secure than simple passwords. These include use of a security token or one-time password system, such as S/Key.
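A hash-chain one-time password scheme in the style of S/Key, written as an added example for this article. It is not the S/Key implementation (which uses MD4 and 64-bit values); SHA-256, a constructed seed and a short chain of five steps are substituted for illustration. The server keeps only the last accepted value, so a captured OTP can neither be replayed nor turned into the next one.

```python
import hashlib
import hmac


def h(data: bytes) -> bytes:
    # SHA-256 stands in for S/Key's MD4 here (assumption for the example).
    return hashlib.sha256(data).digest()


def hash_chain(seed: bytes, k: int) -> bytes:
    """H^k(seed): apply h() k times."""
    x = seed
    for _ in range(k):
        x = h(x)
    return x


class OTPClient:
    """Holds the secret seed and counts down the chain; OTP i is H^i(seed)."""

    def __init__(self, seed: bytes, n: int):
        self.seed, self.counter = seed, n

    def enroll(self):
        """Initial value handed to the server: the chain head H^n(seed) and n."""
        return hash_chain(self.seed, self.counter), self.counter

    def next_otp(self) -> bytes:
        if self.counter == 0:
            raise RuntimeError("chain exhausted; re-enrol with a fresh seed")
        self.counter -= 1
        return hash_chain(self.seed, self.counter)


class OTPServer:
    """Stores only the last accepted value, never the seed. Verifying means
    hashing the presented OTP forward and comparing with the stored head;
    deriving the next OTP from a captured one would need a hash preimage."""

    def __init__(self, head: bytes, remaining: int, window: int = 1):
        self.head, self.remaining, self.window = head, remaining, window

    def verify(self, otp: bytes) -> bool:
        x = otp
        # Allow up to `window` skipped OTPs (e.g. one computed but never delivered).
        for steps in range(1, self.window + 1):
            x = h(x)
            if steps <= self.remaining and hmac.compare_digest(x, self.head):
                self.head, self.remaining = otp, self.remaining - steps
                return True
        return False


if __name__ == "__main__":
    client = OTPClient(b"constructed example seed", 5)
    head, n = client.enroll()
    server = OTPServer(head, n, window=2)
    first = client.next_otp()
    print("first OTP accepted:", server.verify(first))
    print("replay of first OTP accepted:", server.verify(first))
```

Because each accepted value becomes the new head, the server's copy of the secret is worthless to a thief except as a check value, which is the property that password hashes only approximate. The scheme does not by itself stop an active attacker who intercepts an OTP in transit and uses it before the legitimate user does, so the channel still matters.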

Enforcing a Policy

*Enforcing the policy you have written is often the real problem in any network setting. Security administrators can hand a set of rules to end users, but how is it going to be enforced?

*Word-of-mouth approach - Many companies enforce their policies only by word of mouth: they state the password policy and expect network users to adhere to the rules, with nothing on the system to check compliance.

*Custom password filter - For tech-savvy admins there is the option of writing a custom password filter (on Windows, a passfilt DLL that the system calls to vet every new password before accepting it). Be careful though: this can be somewhat tricky, and a faulty filter can be the cause of many headaches.

See also

* Random password generator
* Secure error messages in software systems

External links

* [http://psynch.com/docs/choosing-good-passwords.html Choosing good passwords]
* [http://psynch.com/docs/password-management-best-practices.html Password management best practices]
* [http://www.windowsecurity.com/articles/Changing-Passwords-Key-User-Accounts.html Changing Passwords for Key User Accounts]
* [http://research.microsoft.com/displayArticle.aspx?id=417 "Is It Just My Imagination?" article by Suzanne Ross] "Inkblots not only help users create a strong password, but people also seem to enjoy using them."

Wikimedia Foundation. 2010.