ARCHIVE
ID Number: LE-21-8199



This research is provided for historical perspective;
portions of this document may not reflect current conditions.






Manage Passwords to Secure Your IT Environment
23 December 2003
 
Mark Nicolett  

An effective password management policy is critical to secure your IT environment. Combine password formation and usage best practices with tools that promote attack resiliency to ensure that your systems are protected.













Analysis



The overall security level of an enterprise is the sum of many security foundation elements: strong perimeter defenses, the proper configuration of system resources and effective controls for resource access. Protecting application and data resources requires, among other things, authenticating the people who access those resources. In turn, the integrity of the authentication process depends on uncompromised, secure passwords. IT security directors can manage passwords effectively, and thus better secure the IT environment, by following these best practices.

Establish a password management policy. Develop a single password policy that is implemented consistently across users and systems. Consider potential external and internal threats, as well as user behavior. Communicate the policy to employees and other users, and monitor for compliance (see "Best Practices for Managing Passwords: Overview").

Develop and enforce password formation and usage guidelines. Password formation and usage guidelines are the external representation of the user and system administrator portions of a password management policy. Password formation must achieve a balance between password strength and usability. This will minimize help desk calls and avoid the possibility that users will write down their passwords, thus making them vulnerable to discovery by attackers (see "Best Practices for Managing Passwords: Formation" and "Best Practices in User ID Formation"). Password usage guidelines define acceptable user and system administrator behavior in the areas of password secrecy and integrity throughout the password life cycle (see "Best Practices for Managing Passwords: Usage Guidelines").

Deploy password management technologies and technical safeguards. The operational implementation of a password management policy requires the deployment of technologies that reduce user and administrative burdens, as well as techniques that protect passwords from internal and external attacks. Password synchronization and single sign-on technologies can significantly reduce the password management burden (see "Best Practices for Managing Passwords: Tools"). Self-service password reset technologies can dramatically reduce the volume of help desk calls relating to passwords (see "Best Practices for Managing Passwords: Self-Service Q&A"). Finally, IT security organizations must understand the different internal and external attacks against passwords and users, and implement technical safeguards (see "Best Practices for Managing Passwords: System Security").

IT security organizations that implement these policy and technology best practices will achieve a required foundational element for a secure IT environment: effective and efficient password management.

Mark Nicolett

Vice President, Research Director

securitymember@gartner.com














© 2003 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.




Resource Id: 420086