Passwords and Password Policies

Although biometrics and smartcards are becoming more common, they still have a very long way to go before they attain the level of popularity that username and password combinations enjoy. Apart from the fact that usernames and passwords do not require any additional equipment, which practically every other method of authentication does, the username and password process is familiar to users, easy to implement, and relatively secure. For that reason, they are worthy of more detailed coverage than the other authentication systems already discussed.

Passwords are a relatively simple form of authentication in that only a string of characters can be used to authenticate the user. However, how the string of characters is used and which policies you can put in place to govern them make usernames and passwords an excellent form of authentication.

Password Policies

All popular network operating systems include password policy systems that allow the network administrator to control how passwords are used on the system. The exact capabilities vary between network operating systems. However, generally they allow the following:

  • Minimum length of password Shorter passwords are easier to guess than longer ones. Setting a minimum password length does not prevent a user from creating a longer password than the minimum, although each network operating system has a limit on how long a password can be.

  • Password expiration Also known as the maximum password age, password expiration defines how long the user can use the same password before having to change it. A general practice is that a password is changed every month or every 30 days. In high-security environments, you might want to make this value shorter, but you should generally not make it any longer. Having passwords expire periodically is an important feature because it means that if a password is compromised, the unauthorized user will not have access indefinitely.

  • Prevention of password reuse Although a system might be able to cause a password to expire and prompt the user to change it, many users are tempted to simply use the same password again. A process by which the system remembers the last, say, 10 passwords is most secure because it forces the user to create completely new passwords. This feature is sometimes called enforcing password history.

  • Prevention of easy-to-guess passwords Some systems have the capability to evaluate the password provided by a user to determine whether it meets a required level of complexity. This prevents users from having passwords such as password or 12345678.