This document describes and justifies password management best practices as applied in medium to large organizations. It offers reasoned guidance to IT decision makers when they set security policy and design network infrastructure that includes passwords.
The guidance in this document is focused on how to best manage user passwords. It is not intended to address the special challenges and techniques that arise when managing privileged passwords, which are used to sign in to administrator, service and embedded accounts.
Look for the marks throughout this document to find best practices.
The remainder of this document is organized as follows:
An overview of how password security can be compromised.
A reminder that human behaviour has to be considered when designing the security of any system, including one for managing passwords.
How to estimate password strength and guidance for composing hard-to-compromise passwords.
Password composition for users whose first language is not English, and who may normally use multi-byte text input.
Guidance regarding when to change passwords and whether to allow users to choose the same password twice.
A reminder that passwords are supposed to be secret, and how to help users keep them that way.
The role that intruder lockouts have in ensuring password security, and guidelines for a balance between keeping out attackers and not bothering legitimate users.
The need to encrypt passwords, in motion and at rest.
The pros and cons of using the same password value on multiple systems and applications.
The pros and cons of replacing multiple login prompts with a single, shared login process.
How to assist users who have forgotten their password or locked themselves out.
Enabling access to the password management system from user phones, dealing with passwords cached by various apps on user devices and leveraging phones to resolve login problems and to increase the strength of authentication processes.
The end of passwords has been predicted for decades. Biometrics, smart cards, one-time password tokens and more have been offered up as alternatives, and many of these are gaining market share.
In reality, passwords are likely to remain popular for a long time:
Only when most applications can externalize their login process will organizations be able to seriously contemplate the end of passwords.