|Like this CertiGuide? Get it in PDF format!|
Use coupon code "certiguide" to save 20%!
|Also available: 300-question Security+ practice test!|
|Get It Here!|
184.108.40.206 Password Management
Policies for changing passwords,
frequency and length, all need to be part of the Acceptable Use Policy.
When doing this, you should make
sure of the users identity before allowing the recovery or change
in password. This is often done by collecting answers to secret
questions like What was your favorite pets name?
at time of original registration, and then asking the user to answer
the question to prove their identity at a later date, if they need help
with their password.
When managing a large user community, it can be a good idea to provide an automated password recovery or password change process in case the user forgets their password.
Some Systems Make More Assumptions Than Others
For example, some systems watch you try to log in with a certain user ID (which is not necessarily the users email address), then, if youre unsuccessful, they offer to email (in clear text ARGH!) your password to your email address on record. Author Helens user ID on a private Microsoft partner site was Helen; since she was one of the first to register it allowed her the user ID of her first name. From a time shortly after that, until the time that the system was decommissioned, shed periodically get notes from Microsoft telling her what her password was and awkwardly splattering a favorite password convention across the net and all over disks, in clear text. These werent being generated automatically rather, other users who THOUGHT their user ID on the system was Helen, were clicking the sites I cant login -- remind me of my password link, and the system was dutifully looking up Helens email address and sending that helpful email to the owner of the Helen user ID, me. (If you implement a password recovery system, please dont email the existing password in clear text. Ideally send the user to a link that lets them set a new password; second best is to email them a new password. You just dont know the true sensitivity of the information youre giving out, when you email someones password in cleartext.)
|If you find CertiGuide.com useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider buying an inexpensive PDF equivalent of the CertiGuide to Security+ from StudyExam4Less.com. (Use coupon code "certiguide" by December 31, 2004 to save 20%!) Thanks for your support!|
Table Of Contents - Contact Us
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.