What's Your Password History?

What’s your password history? This is a question many end users are not able to answer causing increased frustration. Of course password history is extremely important as it prevents the user from reusing a password which could have potentially been compromised in the past.

One of the biggest challenges with implementing password history policies is being able to maintain usability while increasing compliance and security. By limiting the user to only using passwords that are new to them each time, the user becomes frustrated every time they are required to reset their password. Unfortunately with limits being enforced, the frustrated user is more likely to write down passwords. If you are thinking of implementing a password history policy it is better to tailor it to your environment and only make it a requirement when it makes sense in relation to the required level of data protection.

Some key things to remember surrounding password history is that it has an inverse relationship to your password expiration policies. So if you are expiring passwords frequently then you would need a higher password history limit. For example, if you expire passwords as frequently as every 30 days you would want a high password history limit, say around 50. This would not allow the reusing of any passwords for 1500 days. It is important to remember what is necessary for the type of data you are trying to protect.

The other concern is how to help your users create passwords and not get frustrated with having to remember brand new ones. Many times a user will create a password and continually use variations of the same password (ex. password, password1, password2, password3, etc.). Something to take into consideration may be the limiting of similar passwords as it may be crucial to your security.

To help users with all of these issues the option you could give them is to use a pass phrase. Instead of a single “X” length of characters you could allow them to login with an entire sentence. This might be easier for some users to remember and therefore reset their pass phrase when needed.

Overall the goal is to decrease user frustrations while still implementing effective password history policies. Make sure to consider what level of data protection is required and what is necessary in terms of the limits you are setting for your end users.

Stronger Passwords Weighing In

One of the pains in an employee’s daily routines is the idea of password management. Especially being able to easily understand what the IT Security Staff means by using a “strong” password. In a recent CNN.com article they stressed the importance of implementing “super passwords” suggesting that passwords should all be a minimum of 12 characters in length. If these types of standards are going to become the norm, due to the varying types of attacks being performed, than the usability of passwords for the user will decrease.

By implementing a simple Password Strength Meter, your employees can easily have visual feedback as to whether or not they are following password policies and avoiding weak passwords. This will also make password strengths easy to enforce for varying levels of required data protection.

With the Password Strength Meter provided by PortalGuard the user has a real time response to their choice of characters for their new password. With each character that is typed in the meter will show the user whether their password is becoming weaker or stronger. The administrators can implement this on every login page or only on those protecting critical data. The idea is that Password Strength Meters are going to aid the user in implementing stronger passwords while maintaining usability.

CNN.com Super Passwords Article