Password management

Published: 20th January 2011
Password management is the process of defining, implementing, and maintaining password policies throughout an enterprise. Effective password management reduces the risk of compromise of password-based authentication systems to the extent possible. Organizations need to protect the confidentiality, integrity, and availability of passwords so that all authorized users—and no unauthorized users—can use passwords successfully as needed. Integrity and availability should be ensured by typical data security controls, such as using access control lists to prevent attackers from overwriting passwords and having secured backups of password files. Ensuring the confidentiality of passwords is considerably more challenging and involves a number of security controls along with decisions involving the characteristics of the passwords themselves.



Password management software is a utility that allows a user to store usernames, passwords, and other small pieces of sensitive information, such as account numbers. Password management software can greatly reduce the number of passwords that users have to remember. The password management software itself has a master password that a user must enter to gain access to the passwords stored by the software. The master password protects the stored passwords from being accessed by someone else and is the only password that the user needs to remember. Some password management software utilities permit users to store the passwords on removable media (e.g., USB flash drive) instead of the local computer; this provides an additional layer of protection if the media is only inserted into the computer when needed and stored separately and securely otherwise.




With most password management software utilities, the user selects an account from a list, which causes the corresponding password to be copied. The user then pastes the password into the password field for the target application or web form. Some utilities further automate this process by automatically pasting the corresponding password into the appropriate application or web form’s password field.



The following items are general recommendations for using password management software:

Set the software’s timeout feature so that access to the passwords will be automatically locked after an idle period, such as five minutes.

Clear the clipboard buffer after the password is copied and pasted (many password management software programs do this automatically).

Back up the password database periodically, especially after a password is changed. If the computer’s copy of the password database becomes corrupted or something adverse happens to the computer, the user can get the passwords from the backup copy of the password database.


Use a strong master password that is not easily guessable or crackable, or an alternate form of authentication that is stronger than a password.

Password management software should protect the confidentiality of stored passwords using FIPS approved algorithms and implementations.
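
The idle-timeout and master-password recommendations above, shown as an added Python example (not code from the original article or from any particular product): a session object derives the vault key from the master password with PBKDF2-HMAC-SHA256 and relocks itself once the idle period has passed. The class and method names, the iteration count, the salt size and the injectable clock are assumptions; encrypting the stored entries with the derived key is left to a validated cipher implementation.

```python
import hashlib
import hmac
import secrets
import time

IDLE_TIMEOUT_S = 5 * 60      # the article's example idle period: five minutes
PBKDF2_ITERATIONS = 600_000  # assumption: work factor, tune to your hardware

class LockedError(Exception):
    """Raised when the vault key is requested while the vault is locked."""

class VaultSession:
    def __init__(self, master_password, iterations=PBKDF2_ITERATIONS,
                 timeout=IDLE_TIMEOUT_S, clock=time.monotonic):
        self._salt = secrets.token_bytes(16)  # assumption: 16-byte random salt
        self._iterations, self._timeout, self._clock = iterations, timeout, clock
        self._key, self._last_used = None, 0.0
        # Keep only a verifier derived from the key, never the password itself.
        self._verifier = self._tag(self._derive(master_password))

    def _derive(self, password):
        # PBKDF2-HMAC-SHA256 (NIST SP 800-132). Whether the *implementation*
        # is FIPS-validated depends on the crypto module Python is linked to.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   self._salt, self._iterations, dklen=32)

    def _tag(self, key):
        return hmac.new(key, b"vault-verifier", hashlib.sha256).digest()

    def unlock(self, master_password):
        key = self._derive(master_password)
        if not hmac.compare_digest(self._tag(key), self._verifier):
            return False  # constant-time comparison, wrong password
        self._key, self._last_used = bytearray(key), self._clock()
        return True

    def lock(self):
        if self._key is not None:
            self._key[:] = bytes(len(self._key))  # best-effort wipe of the key
            self._key = None

    def key(self):
        """Return the vault key, locking first if the idle period has passed."""
        if self._key is not None and self._clock() - self._last_used >= self._timeout:
            self.lock()
        if self._key is None:
            raise LockedError("vault is locked; master password required")
        self._last_used = self._clock()  # any use counts as activity
        return bytes(self._key)
```

A real password manager would also call `lock()` on screen lock or suspend, not only when the key is next requested.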

This article is copyright
Source: http://specops.articlealley.com/password-management-1974157.html

