Password management is changing up and down the chain
Wednesday - 4/29/2009, 1:33pm EDT
Senior Internet Editor
When choosing a password, we're all faced with the same problem: should I make it easy to remember or hard to crack? NIST would like some help with the same struggle for balance in setting password policy for agencies.
Karen Scarfone, a computer scientist for the National Institute of Standards and Technology, tells FederalNewsRadio "it's important to set a sound policy that... is providing the right level of security but it's not being overly inconvenient to users."
Scarfone co-authored NIST's "Guide to Enterprise Password Management," which has been issued as a draft for public comment.
The focus of the publication isn't so much on what end users can do, it's on what the organization can do, and so we talk a lot in there about policy. It's really important for organizations to think hard about the password policy - the requirements that they're putting on their users.
For example, Scarfone says, you can't just tell people not to use sticky notes stuck to the computer screen to save their passwords.
What we've been trying to do is to help people come to grips with remembering passwords. It used to be that you had maybe one or two passwords to remember, maybe for email and for getting on your computer in the morning, and increasingly we have dozens and dozens of different passwords that we have to remember.
According to NIST, the guide covers defining and implementing password policy, educating users about threats and how they should respond, and measuring the effectiveness of password policies.
NIST is requesting public comment on the draft through May 29, 2009. Comments should be sent by email to email@example.com.
On the Web:
NIST - Guide to Enterprise Password Management (pdf)
(Copyright 2009 by FederalNewsRadio.com. All Rights Reserved.)