Why not just use biometrics? A good fingerprint reader doesn't really cost all that much. No passwords to forget - ever.
User understanding can't be overlooked.
I have found in my experience with passwords that users' attitudes are the key to the effectiveness of a password policy. The actual rules of the password aren't as important (they still form a part, as we don't want everyone using cola1 or the common january1, february2 etc. to bypass the "must have a number in the password and it changes every 30 days" rule).
When implementing your policy it is important that the importance of passwords be put across to your users. Some of the key messages we use are: Treat your password like the PIN on your bank card (this links the concept of a password with something they do in their personal lives: "hey, you're right, that's my money, I don't want people looking at that, I need to keep my PIN a secret").
Passwords are your electronic identity; anything happening under your password is you, in the same way that a bank doesn't care if you have given your PIN to someone or wrote it on your card and then somebody takes the card and withdraws your money: the bank will say that's not our issue, that must have been you. The company should treat this the same way: if someone sends an inappropriate email or performs inappropriate activity under your password, the company will treat that as you (this can be seen as a bit of a fear tactic, but it is putting ownership back onto the users). Make managers responsible for their staff; don't have the local book where everyone lists their password, or post-it notes all over the place with passwords. By making management responsible, this helps enforce behaviours.
Encourage the concept of passwords being not just a single word but a simple phrase. The average user thinks "I have to think of one word and add a number", but if you get them to use simple phrases, it adds to the complexity of the password and can make it easy to remember, e.g. a password of "my2children" is harder to guess than "Tommy", assuming that someone knows that the user has a child called Tommy. The concept of password phrases is foreign to most, and some passwords have limits on the number of characters; this is where you can get people to use the first letters of a phrase, e.g. "My two kids eat dinner" could be a password of M2KED, which is hard to remember if people think "I have to have an odd password", but if a user thinks "oh, it's a phrase" then it is easy to make sense of. Most companies don't invest time in educating users on passwords, how to come up with an effective password or why it is important; we simply expect users to follow the rules and that should be enough, yet this is the base security 101 that a company should invest in. Change the culture and they will follow it without relying on the rules to mandate it (not that I would never have rules, but it is more important to get the culture right than the rules).
Well, that's my opinion.
--Scott Henderson, Australia 08:28, 13 May 2005 (MDT)
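The post above points out that "must have a number" and 30-day rotation get satisfied by cola1, january1, february2 while M2KED or my2children are genuinely better. The following password-filter sketch is an added example, not the poster's own code or any product's: the word list and sample passwords are constructed, and a real deployment would load a proper dictionary and banned-word file.

```python
import re
from typing import Optional, Tuple

# Constructed mini word list standing in for a real dictionary / banned-word file.
COMMON_WORDS = {"cola", "password", "tommy", "welcome", "summer"}
MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}

# A run of letters followed by 1-4 digits and an optional trailing symbol: "cola1", "january1".
WORD_DIGITS = re.compile(r"^([a-z]+)(\d{1,4})[!@#$%.]?$", re.IGNORECASE)


def has_digit(pw: str) -> bool:
    """The naive rule from the post: 'must have a number in the password'."""
    return any(c.isdigit() for c in pw)


def predictable_pattern(pw: str) -> Optional[str]:
    """Name the weakness if pw is a month or common word plus a short number, else None."""
    m = WORD_DIGITS.match(pw)
    if not m:
        return None
    word = m.group(1).lower()
    if word in MONTHS:
        return "month name plus number"
    if word in COMMON_WORDS:
        return "dictionary word plus number"
    return None


def stem(pw: str) -> str:
    """Password with trailing digits/symbols removed, to spot 'zebra6' -> 'zebra7' rotations."""
    return re.sub(r"[\d!@#$%.]+$", "", pw).lower()


def evaluate(pw: str, previous: Optional[str] = None) -> Tuple[bool, str]:
    """Apply the digit rule, then the pattern checks the digit rule alone cannot catch."""
    if not has_digit(pw):
        return False, "no digit"
    reason = predictable_pattern(pw)
    if reason:
        return False, reason
    if previous is not None and stem(pw) == stem(previous):
        return False, "same as previous password apart from trailing number"
    return True, "accepted"


if __name__ == "__main__":
    for pw, prev in [("cola1", None), ("january1", None), ("zebra7", "zebra6"),
                     ("my2children", None), ("M2KED", None)]:
        print(f"{pw:12} -> {evaluate(pw, prev)}")
```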
First of all, remember the old trade-off between user convenience and security. Typically, the stronger the password, the less convenient it is for the user, so the user will modify their habits to make things convenient, for example writing down their password and sticking it under the keyboard.
Next, if you are trying to come up with a solid password management policy, get buy-in from senior managers first and then let the politics of the password policy flow down from the top: the 8th layer of the OSI model. If management doesn't support you, it's not going to do any good trying to enforce policy without a hammer behind the fist.
As far as challenge questions go, the question set should be simple, yet not something that other users know about the person when the questions are presented as a set. For example, I would consider using this set:
What is your favourite colour? (People's hair colour changes - don't use)
What is your mother's maiden name?
What are the last 4 digits of your social security number?
This would be a solid challenge set for regular users who do not have sweeping access to directory/file systems. I would use a different set of challenge questions for network administrators and keep that under wraps, just to deter social engineering.
Lastly, if you are creating a security/password policy from scratch, start with tight security and loosen later (rather than loose security and tighten later). Users scream when you take away something, but when you give them something they don't have, they are your best friend.
--Mgoddard 11:51, 17 May 2005 (MDT)