
Adventures in implementing a strong password policy

Adventures in implementing a strong password policy (PDF, 1.65MB)
Published: 08 Aug, 2003
Created by:
Marsha Williams

Password authentication is high on the list of potential security vulnerabilities. In the October 2001 SANS/FBI Top 20 list [10], absent or inadequate passwords placed second. The revised SANS Top 20 list, first appearing in October 2002 [11], moved password vulnerabilities down to seventh place, but they were still a major potential systems risk. This case study relates our experiences in strengthening our password policy. Passwords turned out to be only a starting point. We effectively strengthened our overall policy, but we also learned that strong password policies and practices, combined with human factors, can sometimes interfere not just with convenience but with actual usability and needed access. This paper explores the issues we had to negotiate in strengthening our passwords, some of the special situations which had to be handled as exceptions to the policy, and our planned future directions.
