Password management is changing up and down the chain

By Suzanne Kubota
Senior Internet Editor

When choosing a password, we’re all faced with the same problem: should I make it easy to remember or hard to crack? NIST would like some help with the same struggle for balance in setting password policy for agencies.

Karen Scarfone, a computer scientist for the National Institute of Standards and Technology, tells FederalNewsRadio “it’s important to set a sound policy that… is providing the right level of security but it’s not being overly inconvenient to users.”

Scarfone co-authored NIST’s “Guide to Enterprise Password Management” which has been issued for public comment.


The focus of the publication isn’t so much on what end users can do, it’s on what the organization can do, and so we talk a lot in there about policy. It’s really important for organizations to think hard about the password policy – the requirements that they’re putting on their users.

For example, Scarfone says, you can’t just tell people not to use sticky notes stuck to the computer screen to save their passwords.

What we’ve been trying to do is to help people come to grips with remembering passwords. It used to be that you had maybe one or two passwords to remember, maybe for email and for getting on your computer in the morning, and increasingly we have dozens and dozens of different passwords that we have to remember.

According to NIST, the guide covers defining and implementing password policy, educating users about threats and how they should respond, and measuring the effectiveness of password policies.

NIST is requesting public comment on the draft through May 29, 2009. Comments should be sent by email to

On the Web:

NIST – Guide to Enterprise Password Management (pdf)

(Copyright 2009 by All Rights Reserved.)