Get this Security+ CertiGuide for your own computer.
Click Here!
Use coupon code "certiguide" to save 20%!
(Expires 2004/12/31)

Also available: 300-question Security+ practice test!
Get It Here!

Custom Search

Table Of Contents  CertiGuide to Security+
 9  Chapter 5:  Operational/Organizational Security (Domain 5.0; 15%)
      9  5.4  Policy and Procedures
           9  5.4.1  Security Policy

Previous Topic/Section  Need to Know
Previous Page
Pages in Current Topic/Section
Next Page  SLAs (Service Level Agreements)
Next Topic/Section  Password Management

Policies for changing passwords, frequency and length, all need to be part of the Acceptable Use Policy.

When doing this, you should make sure of the user’s identity before allowing the recovery or change in password. This is often done by collecting answers to “secret questions” like “What was your favorite pet’s name?” at time of original registration, and then asking the user to answer the question to prove their identity at a later date, if they need help with their password.

Large Sites

When managing a large user community, it can be a good idea to provide an automated password recovery or password change process in case the user forgets their password.

[spacer]Some Systems Make More Assumptions Than Others

For example, some systems watch you try to log in with a certain user ID (which is not necessarily the user’s email address), then, if you’re unsuccessful, they offer to email (in clear text – ARGH!) your password to your email address on record. Author Helen’s user ID on a private Microsoft partner site was “Helen”; since she was one of the first to register it allowed her the user ID of her first name. From a time shortly after that, until the time that the system was decommissioned, she’d periodically get notes from Microsoft telling her what her password was – and awkwardly splattering a favorite password convention across the net and all over disks, in clear text. These weren’t being generated automatically – rather, other users who THOUGHT their user ID on the system was “Helen”, were clicking the site’s “I can’t login -- remind me of my password” link, and the system was dutifully looking up “Helen’s” email address and sending that “helpful” email to the owner of the “Helen” user ID, me. (If you implement a password recovery system, please don’t email the existing password in clear text. Ideally send the user to a link that lets them set a new password; second best is to email them a new password. You just don’t know the true sensitivity of the information you’re giving out, when you email someone’s password in cleartext.)

Previous Topic/Section  Need to Know
Previous Page
Pages in Current Topic/Section
Next Page  SLAs (Service Level Agreements)
Next Topic/Section

If you find useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider buying an inexpensive PDF equivalent of the CertiGuide to Security+ from (Use coupon code "certiguide" by December 31, 2004 to save 20%!) Thanks for your support!
Donate $2
Donate $5
Donate $10
Donate $20
Donate $30
Donate: $

Home - Table Of Contents - Contact Us

CertiGuide for Security+ ( on
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al. Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.