Password change policy


Password Change Policy is a set of procedures or regulations established by an organization or administrators in relation to how passwords are changed.[1]

Password change policies address concerns related to:

Password Expirations

This is meant to limit the damage when a password database is stolen. Passwords are normally stored as hashes, so an attacker who obtains the database still has to spend time guessing or cracking them. In principle the expiration period should be shorter than the time an attacker needs to crack a password; with current hardware that estimate is often 60 days or less, and far less for weak passwords, while expiration periods are commonly set to 90 days. Expiration is therefore not regarded as very effective against cracked passwords; at best it bounds how long a compromised password remains usable. NIST's later guidance (SP 800-63B) goes further and recommends against forcing periodic changes at all unless there is evidence of compromise. Where expiration is used, users are commonly notified of the upcoming change starting 14 days before the password expires.


Password Lockouts

This rule establishes the number of consecutive incorrect passwords a user can enter before the account is locked. Lockout features can impose either a fixed delay or an increasing delay between attempts, e.g. after the first failed log-in the user must wait 5 seconds before a second attempt, after a second failure 10 seconds, after a third 15 seconds, and so on until a full lockout is enforced. (That schedule grows linearly; an exponential schedule would double the wait each time, 5, 10, 20 seconds.) A caveat for the policy: a hard lockout lets anyone who knows a username lock that user out by entering wrong passwords, so growing delays, which slow down guessing without a permanent lock, are often preferred for ordinary accounts.
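The schedule above, implemented as a login throttle. This is an added example, not code from Clinfowiki or from NIST SP 800-118; the policy values (5 failures, 5-second base delay), the `LoginThrottle` class, its `verify` callback and its injectable `clock` are assumptions made for the example. It shows both the linear and the doubling schedule, refuses attempts made during the wait without evaluating the password, and resets the counter on success.

```python
import time
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    max_failures: int = 5        # consecutive failures that trigger a full lockout (assumed value)
    base_delay: float = 5.0      # seconds to wait after the first failure (the page's example)
    exponential: bool = False    # False: 5, 10, 15, ... (linear); True: 5, 10, 20, ... (doubling)

    def delay_after(self, failures: int) -> float:
        """Seconds the user must wait before the next attempt, given the
        number of consecutive failures so far."""
        if failures <= 0:
            return 0.0
        if self.exponential:
            return self.base_delay * (2 ** (failures - 1))
        return self.base_delay * failures


@dataclass
class AccountState:
    failures: int = 0        # consecutive failed attempts
    not_before: float = 0.0  # epoch time before which attempts are refused unchecked
    locked: bool = False     # full lockout; cleared only by an administrator or reset flow


class LoginThrottle:
    """Wraps a credential check with per-account delays and lockout.

    `verify(username, password) -> bool` is the real credential check (hypothetical
    callback); `clock` is injectable so the schedule can be tested without sleeping.
    """

    def __init__(self, policy: LockoutPolicy, verify, clock=time.time):
        self.policy = policy
        self.verify = verify
        self.clock = clock
        self.accounts: dict[str, AccountState] = {}

    def attempt(self, username: str, password: str) -> str:
        state = self.accounts.setdefault(username, AccountState())
        now = self.clock()
        if state.locked:
            return "locked"
        if now < state.not_before:
            # Refuse without evaluating the password: a guess made during the
            # wait must not reveal whether it was right, nor shorten the wait.
            return "too_early"
        if self.verify(username, password):
            self.accounts[username] = AccountState()   # success resets the counter
            return "ok"
        state.failures += 1
        if state.failures >= self.policy.max_failures:
            state.locked = True
            return "locked"
        state.not_before = now + self.policy.delay_after(state.failures)
        return "denied"

    def unlock(self, username: str) -> None:
        """Administrative unlock, e.g. after a help-desk identity check."""
        self.accounts.pop(username, None)
```

Note that the throttle is keyed on the username, not the client address, because the page's rule counts failures per account; in a real deployment the state would live in a shared store so that an attacker cannot spread guesses across several login servers.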


Password Recovery or Password Resets

When users forget their passwords or are locked out of their accounts, administrators can offer either password recovery, giving the user back the current password, or a password reset, letting the user set a new one. Recovery is only possible when the system stores passwords in a recoverable form rather than as hashes, so a reset is the safer option. Recovery or resets can be conducted through:

  • Face-to-face visit with IT staff
  • Calling the password help-desk
  • Automated password reset through verification methods, i.e. password hints, security questions, or sending the password or a reset link to the user's registered email address
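The reset-link method above, as an added example that is not part of the original page or of NIST SP 800-118. It shows why a reset needs no access to the current password: the server issues a random token, keeps only its hash, emails the raw token as a link, and accepts it once within a time limit. The 15-minute lifetime, the `ResetTokenStore` class and the injectable `clock` are assumptions made for the example.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumption: a reset link stays valid for 15 minutes


class ResetTokenStore:
    """Issues and redeems single-use, time-limited password reset tokens.

    Only a SHA-256 digest of each token is kept, so a copy of this table does
    not let an attacker reset accounts; the raw token exists only in the link
    sent to the user. A token is consumed on first use, whether or not it is
    still valid, so a replayed link fails.
    """

    def __init__(self, clock=time.time):
        self.clock = clock
        self._pending: dict[str, tuple[str, float]] = {}  # digest -> (username, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, username: str) -> str:
        """Create a fresh token for `username`, revoking any earlier one so
        that only the most recent reset email works."""
        for digest, (owner, _) in list(self._pending.items()):
            if owner == username:
                del self._pending[digest]
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (username, self.clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str):
        """Return the username the token belongs to, or None if the token is
        unknown, already used, or expired."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        username, expires_at = entry
        if self.clock() > expires_at:
            return None
        return username
```

The token, not the password, is what goes into the email; after `redeem` returns a username the application lets that user choose a new password under the strength rules below and clears any lockout on the account.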


Password Strength

This refers to the complexity of a password:

  • mixed-case
  • alphanumeric
  • disallowing passwords that contain the user's name, birthdate, username or employee ID, passwords made of repeating characters, and reuse of any of the last 3 passwords.

These rules reduce the likelihood of password compromise, but the burden they place on users, who have to remember the result, should always be weighed against that benefit.[1]
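The strength rules above, implemented as a policy check with a hashed password history. This is an added example, not code from Clinfowiki or from NIST SP 800-118. It enforces mixed case, letters plus digits, no identity data, no character repeated three or more times in a row, and no reuse of the last 3 passwords; the history is kept as salted PBKDF2 hashes so old passwords are never stored in the clear. The 12-character minimum, the iteration count, the "three in a row" reading of "repeating characters" and the `user` dictionary layout are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re

HISTORY_DEPTH = 3            # the page's rule: the last 3 passwords may not be reused
MIN_LENGTH = 12              # assumption: the page states no minimum length
PBKDF2_ITERATIONS = 100_000  # assumption, kept low so the example runs quickly


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, digest); this is what the
    password store and the password history keep instead of plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored (salt, digest)."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def _identity_tokens(user: dict) -> set:
    """Substrings derived from the user's name, birthdate, username and employee
    ID that must not appear in the password (case-insensitive, 3+ characters)."""
    tokens = set()
    for value in user.values():
        lowered = str(value).lower()
        compact = re.sub(r"[^0-9a-z]", "", lowered)       # "1985-07-04" -> "19850704"
        parts = re.split(r"[^0-9a-z]+", lowered)          # "John Smith" -> ["john", "smith"]
        tokens.update(t for t in [compact, *parts] if len(t) >= 3)
    return tokens


def check_password(candidate: str, user: dict, history: list) -> list:
    """Return the policy rules the candidate violates (empty list = acceptable).

    `user` maps field names to values, e.g. {"username": ..., "name": ...,
    "birthdate": ..., "employee_id": ...}; `history` is a list of (salt, digest)
    pairs, oldest first, whose last entry is the current password.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate)):
        problems.append("not mixed-case")
    if not (re.search(r"[A-Za-z]", candidate) and re.search(r"[0-9]", candidate)):
        problems.append("not alphanumeric (needs both letters and digits)")
    if re.search(r"(.)\1\1", candidate):   # same character three or more times in a row
        problems.append("repeats a character three or more times in a row")
    hits = [t for t in sorted(_identity_tokens(user)) if t in candidate.lower()]
    if hits:
        problems.append("contains personal data: " + ", ".join(hits))
    # Each history entry has its own salt, so the candidate is re-hashed per entry.
    if any(matches(candidate, salt, digest) for salt, digest in history[-HISTORY_DEPTH:]):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


def change_password(new_password: str, user: dict, history: list) -> list:
    """Apply the policy; on success return the history with the new hash
    appended and trimmed to HISTORY_DEPTH, otherwise raise ValueError."""
    problems = check_password(new_password, user, history)
    if problems:
        raise ValueError("; ".join(problems))
    return (history + [hash_password(new_password)])[-HISTORY_DEPTH:]
```

Because the history holds only salted hashes, checking reuse costs one PBKDF2 computation per stored entry, which is why a policy keeps the depth small (the page's 3) rather than remembering every password a user ever had.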


References

  1. Scarfone, K., & Souppaya, M. (2009). Guide to enterprise password management (draft). NIST Special Publication 800-118.