Password management is changing up and down the chain
Wednesday - 4/29/2009, 1:33pm EDT
Senior Internet Editor
When choosing a password, we're all faced with the same problem: should I make it easy to remember or hard to crack? NIST would like some help with the same struggle for balance in setting password policy for agencies.
Karen Scarfone, a computer scientist for the National Institute of Standards and Technology, tells FederalNewsRadio "it's important to set a sound policy that... is providing the right level of security but it's not being overly inconvenient to users."
Scarfone co-authored NIST's "Guide to Enterprise Password Management," a draft which has been issued for public comment.
The focus of the publication isn't so much on what end users can do, it's on what the organization can do, and so we talk a lot in there about policy. It's really important for organizations to think hard about the password policy - the requirements that they're putting on their users.
For example, Scarfone says, you can't just tell people not to use sticky notes stuck to the computer screen to save their passwords.
What we've been trying to do is to help people come to grips with remembering passwords. It used to be that you had maybe one or two passwords to remember, maybe for email and for getting on your computer in the morning, and increasingly we have dozens and dozens of different passwords that we have to remember.
According to NIST, the guide covers defining and implementing password policy, educating users about threats and how they should respond, and measuring the effectiveness of password policies.
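The balance the article describes, between a policy that is strict enough to resist guessing and one that users can actually live with, is something an organization can measure rather than guess at. The following Python is an added illustration and is not code from NIST or from the guide; the policy thresholds (minimum length, required character classes, maximum repeated run), the `PasswordPolicy`, `check_password` and `policy_report` names, and the sample passwords are all constructed for this example. It checks candidate passwords against a configurable policy, estimates the brute-force search space of each one, and reports how a sample population fares under the policy, which is one concrete way to put a number on "the right level of security" versus "overly inconvenient to users."

```python
import math
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Hypothetical policy thresholds; tune these to the organization's own risk decision."""
    min_length: int = 12        # shortest acceptable password
    require_classes: int = 2    # distinct character classes that must appear
    max_repeat_run: int = 3     # longest run of one repeated character allowed


# Character classes used both for policy checks and for the search-space estimate.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def character_classes(password: str) -> set:
    """Names of the character classes actually present in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def longest_run(password: str) -> int:
    """Length of the longest run of identical consecutive characters (e.g. 'aaaa' -> 4)."""
    best = run = 0
    prev = None
    for c in password:
        run = run + 1 if c == prev else 1
        best = max(best, run)
        prev = c
    return best


def guess_space_bits(password: str) -> float:
    """Upper bound on the brute-force search space, log2(alphabet_size ** length).

    This is an optimistic estimate: dictionary words and predictable patterns are
    far weaker than the number suggests, which is why policy alone is not enough.
    """
    alphabet = sum(len(CLASSES[name]) for name in character_classes(password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def check_password(password: str, policy: PasswordPolicy) -> list:
    """Return the list of policy rules the password violates; an empty list means compliant."""
    violations = []
    if len(password) < policy.min_length:
        violations.append("too_short")
    if len(character_classes(password)) < policy.require_classes:
        violations.append("too_few_classes")
    if longest_run(password) > policy.max_repeat_run:
        violations.append("repeated_run")
    return violations


def policy_report(samples: list, policy: PasswordPolicy) -> dict:
    """Measure a policy against a sample population.

    compliance_rate approximates user burden (how many existing choices the policy
    rejects); mean_bits approximates the strength the policy buys among compliant ones.
    """
    compliant = [p for p in samples if not check_password(p, policy)]
    rate = len(compliant) / len(samples) if samples else 0.0
    mean_bits = (sum(guess_space_bits(p) for p in compliant) / len(compliant)) if compliant else 0.0
    return {
        "compliance_rate": rate,
        "mean_bits": round(mean_bits, 1),
        "compliant": len(compliant),
        "total": len(samples),
    }


# Constructed sample passwords, chosen to exercise each rule; not real credentials.
SAMPLE_PASSWORDS = ["Summer2009!!", "password", "aaaa1111aaaa", "Tr0ub4dor&3"]

if __name__ == "__main__":
    policy = PasswordPolicy()
    for pw in SAMPLE_PASSWORDS:
        print(f"{pw!r}: violations={check_password(pw, policy)} "
              f"bits={guess_space_bits(pw):.1f}")
    print(policy_report(SAMPLE_PASSWORDS, policy))
```

Running the report under two different `PasswordPolicy` settings shows the trade-off the article is about: raising `min_length` or `require_classes` pushes `mean_bits` up but drives `compliance_rate` down, and the second number is a proxy for how many users will reach for the sticky note. The search-space figure is deliberately an upper bound; a policy checker of this kind should sit alongside user education and a blocklist of common choices rather than replace them.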
NIST is requesting public comment on the draft through May 29, 2009. Comments should be sent by email to firstname.lastname@example.org.
On the Web:
NIST - Guide to Enterprise Password Management (pdf)
(Copyright 2009 by FederalNewsRadio.com. All Rights Reserved.)