Thursday, July 19, 2007

Information Security Policy 101 – Password Policy

Part 11 in the Information Security Policy 101 Series

Passwords get a bad rap. Nobody likes them: users, administrators, and information security personnel alike. Users don’t like passwords because we “information security police” make them so complex and hard to remember, administrators don’t like them because they have so many to remember, and information security personnel don’t like them because they are arguably the most insecure means of authentication.

All the more reason and justification for a Password Policy.

A Password Policy should be required in all organizations that rely on passwords as a source of authentication.

Let’s get to it.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

The purpose of the %ORGANIZATION% Password Policy is to establish the rules for the creation, distribution, safeguarding, termination, and reclamation of %ORGANIZATION% user authentication mechanisms.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Password Policy aptly applies to any person or entity that uses a password.

The %ORGANIZATION% Password Policy applies equally to all individuals who use any %ORGANIZATION% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Password Policy
The Password Policy should communicate the general rules for password creation, use, storage, transmission and destruction (the “lifecycle”). Most likely the policy will state many general security “best practices” of password management, along with some home-grown statements based on the business assessment.

NOTE: People will inevitably break some of the rules in the password policy. It has been proven that training and awareness reduce the number and severity of incidents. Give users a better way to do things rather than simply telling them what they cannot do.


- Password history must be kept to prevent the reuse of passwords
- Stored passwords are classified as Confidential Data and must be encrypted
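One way the two statements above can be enforced in code, as an added example that is not part of the original post: each user keeps a bounded history of salted one-way hashes (a hash stands in for the “encrypted” storage the policy calls for, since the plaintext never needs to be recovered), and a password change is refused if the candidate matches the current password or any recent one. The history depth, iteration count and user names are constructed values, not taken from the policy.

```python
import hashlib
import hmac
import os
from collections import deque

# Constructed parameters for the example (not from the policy text).
HISTORY_DEPTH = 5          # previous passwords a user may not reuse
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted one-way hash; the plaintext password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordStore:
    """Per-user credential store with a bounded password history."""

    def __init__(self, history_depth: int = HISTORY_DEPTH):
        self.history_depth = history_depth
        # user -> deque of (salt, hash); index 0 is the current credential,
        # older entries follow. maxlen drops the oldest entry automatically.
        self._history: dict[str, deque] = {}

    def set_password(self, user: str, new_password: str) -> bool:
        """Return True if the change was accepted, False if it reuses a recent password."""
        entries = self._history.setdefault(user, deque(maxlen=self.history_depth + 1))
        # Each stored entry has its own salt, so the candidate is hashed once per entry.
        for salt, digest in entries:
            if hmac.compare_digest(hash_password(new_password, salt), digest):
                return False  # reuse of the current or a recent password: policy violation
        salt = os.urandom(SALT_BYTES)
        entries.appendleft((salt, hash_password(new_password, salt)))
        return True

    def verify(self, user: str, password: str) -> bool:
        """Check a login attempt against the current credential only."""
        entries = self._history.get(user)
        if not entries:
            return False
        salt, digest = entries[0]
        return hmac.compare_digest(hash_password(password, salt), digest)
```

Because every entry carries its own random salt, identical passwords chosen by different users do not produce identical stored values, so the history cannot be used to spot shared passwords across accounts.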

A Password Policy is not just an efficient method of communicating good password management practices; it is also an instrument for enforcement. A well-written and well-implemented Password Policy can significantly reduce the risk to the organization’s information.


Next in the series: “Information Security Policy 101 – Physical Security Policy”

Previous: “Information Security Policy 101 – Network Access Policy”

1 comment:

Steve Asbury said...

Your policy states that passwords must be changed routinely, yet elsewhere on this site there are those decrying the use of the "Post-It Password Methodology". It is policies such as these which force the poor user, who is just trying to get her job done, to resort to such practices. Passwords need not be changed regularly unless they are compromised, or the system provides the attacker access to the password cipherfile.

Systems which force regular password changes simply encourage users to use weak passwords, or write them down.