Password management is changing up and down the chain
Wednesday - 4/29/2009, 1:33pm EDT
Senior Internet Editor
When choosing a password, we're all faced with the same problem: should I make it easy to remember or hard to crack? NIST would like some help with the same struggle for balance in setting password policy for agencies.
Karen Scarfone, a computer scientist for the National Institute of Standards and Technology, tells FederalNewsRadio "it's important to set a sound policy that... is providing the right level of security but it's not being overly inconvenient to users."
Scarfone co-authored NIST's "Guide to Enterprise Password Management," which has been issued as a draft for public comment.
The focus of the publication isn't so much on what end users can do, it's on what the organization can do, and so we talk a lot in there about policy. It's really important for organizations to think hard about the password policy - the requirements that they're putting on their users.
For example, Scarfone says, you can't just tell people not to use sticky notes stuck to the computer screen to save their passwords.
What we've been trying to do is to help people come to grips with remembering passwords. It used to be that you had maybe one or two passwords to remember, maybe for email and for getting on your computer in the morning, and increasingly we have dozens and dozens of different passwords that we have to remember.
According to NIST, the guide covers defining and implementing password policy, educating users about threats and how they should respond, and measuring the effectiveness of password policies.
NIST is requesting public comment on the draft through May 29, 2009. Comments should be sent by email to firstname.lastname@example.org.
On the Web:
NIST - Guide to Enterprise Password Management (pdf)
(Copyright 2009 by FederalNewsRadio.com. All Rights Reserved.)