1.3 PASSWORD PROTECTION

Password protection is probably the most difficult security measure to enforce. It seems that no matter how many password restrictions we impose, the user community can find ways to undermine them. Users will try everything from writing down passwords to selecting one password, adding a number to the end and incrementing that number each time they are required to change their password. As security administrators there are some things we can do to help users understand the importance of password protection.

Security Awareness Programs “ Having a security awareness program will help users understand why we need security, and the implications of poor security management.
Balancing Password Length and Expiration “ Some companies require that the user change their password every month and have a 14-character password, while other companies require a five-character password while never requiring the user to change it. The first option is acceptable to the security professional, while the second option is usually what the user would like. If you want your users to practice good password management principles, you need to strike a balance between password length and expiration. In order to have the users remember a longer password, the expiration period may be extended. On the other hand, if the policy allows shorter passwords, more frequent password changes should be required.