
Enterprise password management policy: Finding the balance

Are users at your enterprise creating weak passwords that could potentially lead to serious data breaches? In this identity and access management expert response, find out how to create an enterprise password management policy that deters users from creating weak passwords.

Users in our enterprise seem to constantly create weak passwords. When we tried to implement a stronger password system (requiring numbers, symbols and letters in a mixed configuration), our help desk was overwhelmed with forgotten password requests, and users began taping passwords to their monitors or under their keyboards. Is there a happy medium between the weak passwords that employees can remember and the strong ones that potential hackers could find?
An enterprise password management policy should not be driven by help desk volume but by business risk appetite. How concerned is the company that accounts may be compromised? Based on the current complexities and lock-out values, how many days would it take for someone to compromise an account by automated means? How often are users required to change their passwords? All these questions should ultimately be answered based on the organization's risk posture and security policy.

That said, also consider the risk associated with sticky notes on monitors. Are walkthroughs conducted periodically to make sure classified data (such as a password) isn't left on a desk? Are there any awareness programs to educate the employees about social engineering threats?

Only the company can answer the question of how complex passwords should be, and the first step is to make sure there is a documented password management policy. If none exists, the information security group should draft one promptly. The questions I asked above should be a good start to determine what that policy should be. But generally speaking, a password policy should minimally consist of the following key controls:

  • Minimum password length.
  • Specific character content, such as upper and lower case, numerals or special characters.
  • A time-table for changing passwords.
  • The number of times a bad password can be input before the account is locked by the system.
  • The number of iterations before a user can reuse a password, which prevents users from alternating back and forth between two passwords.
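The following is an added example, not code from the original expert response or from TechTarget. It models the key controls listed above as a small policy object, checks a candidate password against them (length, character classes, reuse history), and turns the lockout values into the estimate the answer asks for: how many days an automated online guessing campaign against one account would need to exhaust the keyspace the policy permits. The default policy values, the sample passwords and the reuse-history hashing are all constructed assumptions for the demonstration, not recommendations.

```python
# Added example, not code from the original expert response or from TechTarget.
# Every number in the default policy below is a constructed assumption.
import hashlib
import math
import string
from dataclasses import dataclass
from typing import Optional

SYMBOLS = set(string.punctuation)  # the 32 printable ASCII symbols


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    max_age_days: int = 90          # time-table for changing passwords
    lockout_threshold: int = 5      # bad attempts before the account locks (0 = no lockout)
    lockout_minutes: int = 30       # account unlocks automatically after this long
    history_size: int = 12          # previous passwords that may not be reused


def fingerprint(password: str) -> str:
    """Hash used only to keep a reuse history in this demo. A real directory
    keeps its own history with its own (slow, salted) password hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(policy: PasswordPolicy, candidate: str,
                   history: Optional[list] = None) -> list:
    """Return the list of policy violations; an empty list means compliant."""
    violations = []
    if len(candidate) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    if policy.require_upper and not any(c.isupper() for c in candidate):
        violations.append("no upper-case letter")
    if policy.require_lower and not any(c.islower() for c in candidate):
        violations.append("no lower-case letter")
    if policy.require_digit and not any(c.isdigit() for c in candidate):
        violations.append("no digit")
    if policy.require_symbol and not any(c in SYMBOLS for c in candidate):
        violations.append("no symbol")
    # Only the most recent `history_size` fingerprints count for the reuse rule.
    recent = (history or [])[-policy.history_size:] if policy.history_size else []
    if fingerprint(candidate) in recent:
        violations.append(f"matches one of the last {policy.history_size} passwords")
    return violations


def alphabet_size(policy: PasswordPolicy) -> int:
    """Alphabet implied by the character classes the policy requires."""
    size = 0
    if policy.require_lower:
        size += 26
    if policy.require_upper:
        size += 26
    if policy.require_digit:
        size += 10
    if policy.require_symbol:
        size += len(SYMBOLS)
    return size or 26  # with no class rule at all, assume at least letters


def keyspace_size(policy: PasswordPolicy) -> int:
    """Number of distinct minimum-length passwords the policy permits."""
    return alphabet_size(policy) ** policy.min_length


def guesses_per_day(policy: PasswordPolicy) -> float:
    """Online guesses per account per day once the lockout control applies:
    `lockout_threshold` attempts, then a forced wait of `lockout_minutes`.
    Without a lockout the rate is limited only by the server, so return inf."""
    if policy.lockout_threshold <= 0 or policy.lockout_minutes <= 0:
        return math.inf
    windows_per_day = (24 * 60) / policy.lockout_minutes
    return policy.lockout_threshold * windows_per_day


def days_to_exhaust_keyspace(policy: PasswordPolicy) -> float:
    """Days needed to try every permitted password against one account under
    the lockout settings; the expected time to a hit is about half of this."""
    return keyspace_size(policy) / guesses_per_day(policy)


if __name__ == "__main__":
    policy = PasswordPolicy()
    for pw in ("Tr0ub4dor&3", "correcthorsebatterystaple", "Xk9#mQ2$vL7!"):
        print(f"{pw!r}: {check_password(policy, pw) or 'compliant'}")
    # A weak policy for comparison: short, letters only, no lockout at all.
    weak = PasswordPolicy(min_length=6, require_upper=False, require_digit=False,
                          require_symbol=False, lockout_threshold=0)
    for name, p in (("strong", policy), ("weak", weak)):
        print(f"{name}: keyspace 10^{math.log10(keyspace_size(p)):.1f}, "
              f"{guesses_per_day(p):g} guesses/day, "
              f"{days_to_exhaust_keyspace(p):.3g} days to exhaust")
```

The two numbers that feed the risk discussion are `guesses_per_day` and `days_to_exhaust_keyspace`: lengthening passwords grows the keyspace exponentially, while the lockout threshold and window bound the online guessing rate linearly, which is why the answer treats them together rather than as separate knobs. The `max_age_days` field is carried in the policy object so the change interval can be compared against that estimate, which is how a risk-based rotation period is chosen.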


This was first published in May 2009
