Previous PDF

swipe to navigate

This document describes and justifies password management best practices as applied in medium to large organizations. It offers reasoned guidance to IT decision makers when they set security policy and design network infrastructure that includes passwords.

The guidance in this document is focused on how to best manage user passwords. It is not intended to address the special challenges and techniques that arise when managing privileged passwords, used to sign into administrator, service and embedded accounts.

Look for the Hitachi ID Systems Best Practices marks throughout this document to find best practices.

The remainder of this document is organized as follows:

  • Why do we still use passwords? -- explaining why passwords are unlikely to be entirely replaced in the near future.

  • User authentication and passwords: Background information including terminology and an overview of both passwords and other types of credentials.

  • Security threats

    An overview of how password security can be compromised.

  • The human element

    A reminder that human behaviour has to be considered when designing the security of any system, including one for managing passwords.

  • Composing hard-to-guess passwords

    How to estimate password strength and guidance for composing hard-to-compromise passwords.

  • Unicode and other non-Latin passwords

    Password composition for users whose first language is not English, and who may normally use multi-byte text input.

  • Changing and reusing passwords

    Guidance regarding when to change passwords and whether to allow users to choose the same password twice.

  • Keeping passwords secret

    A reminder that passwords are supposed to be secret, and how to help users keep them that way.

  • Intruder detection and lockout

    The role that intruder lockouts have in ensuring password security, and guidelines for a balance between keeping out attackers and not bothering legitimate users.

  • Encrypting passwords in storage and transit

    The need to encrypt passwords, in motion and at rest.

  • Synchronizing passwords

    The pros and cons of using the same password value on multiple systems and applications.

  • Single sign-on

    The pros and cons of replacing multiple login prompts with a single, shared login process.

  • IT support for forgotten and locked out passwords

    How to assist users who forgot or locked out their password.

  • Mobile devices: challenges and opportunity

    Enabling access to the password management system from user phones, dealing with passwords cached by various apps on user devices and leveraging phones to resolve login problems and to increase the strength of authentication processes.

Previous Next PDF