
137402 1 (1988-09-01)

handle is hein.gao/gaobacwbf0001 and id is 1 raw text is: 
75-01-75

INSIDE: Password Composition, Length, Lifetime, Source, Ownership, Distribution, Storage, Entry, Transmission, Authentication Period



Auditing Password Usage


Dennis K. Branstad
Frederick Gallegos



    PAYOFF IDEA. Passwords are often used to authenticate a system user's identity and to grant or deny access to data. The National Bureau of Standards' recently published Password Usage Standard outlines effective password implementation and control rules. Using this standard as a guide, the EDP auditor can assess the adequacy of password controls and can audit conformance to password usage rules.



PROBLEMS ADDRESSED
  Although passwords are the most widely used and easily implemented method
of personal authentication, a password-protected system can be penetrated,
accidentally or intentionally, when the password system is poorly implemented.
  When written down, recorded, or displayed during input, passwords can
be found out easily by one or more unauthorized users. Once a password
is broken, it provides access for as long as it is valid.
  Careless password control (e.g., users lending their passwords, using
familiar and obvious passwords, or reusing passwords) is common and
sometimes difficult to regulate. The EDP auditor assessing conformance to
and adequacy of password usage rules must be familiar with such password
use guidelines as the federal Password Usage Standard (Federal Information
Processing Standard 112) and must know the best methods for auditing
adherence to rules for password usage.
  When auditing password usage, the EDP auditor must identify both
management and user functions that can be implemented to satisfy the
information systems and user environments. For example, what technical
features can be implemented to support a password system? Some of the
requirements can be satisfied by either user management or technical
features. In such a system, if the security administrator specifies that each
personal password must be changed at least every six months, user man-

Auerbach Publishers, EDP Auditing
© 1988 Warren, Gorham & Lamont, Inc.    s-10
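The rules the article lists (composition, length, lifetime, reuse) are exactly the ones an auditor can check mechanically rather than by interview. The following is an added example, not code from the article, from the authors, or from FIPS 112: a small Python model of a password-control function with the checks applied at change time (length, composition, reuse against a hashed history) and an audit pass over account metadata for the six-month lifetime the text uses as its example. The six-month figure comes from the page; the minimum length, history depth, common-word list, and the sample accounts are constructed for the demonstration.

```python
"""Password-usage conformance checks (added example; thresholds other than the
six-month lifetime are constructed, not taken from FIPS 112)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
import hashlib
import hmac

MAX_LIFETIME = timedelta(days=183)   # "changed at least every six months" (from the article)
MIN_LENGTH = 8                       # constructed threshold
HISTORY_DEPTH = 5                    # constructed: retired passwords that may not be reused
COMMON_WORDS = {"password", "secret", "welcome", "letmein"}  # constructed list


def digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 hash; the history is kept as hashes so the reuse check
    never needs a plaintext record of old passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    user: str
    salt: bytes
    current: bytes                                   # hash of the password in use
    last_changed: date
    history: list[bytes] = field(default_factory=list)  # hashes of retired passwords


def make_account(user: str, password: str, last_changed: date, salt: bytes) -> Account:
    """Helper for constructing sample records; a real audit reads these from the system."""
    return Account(user, salt, digest(password, salt), last_changed)


def composition_violations(candidate: str) -> list[str]:
    """Composition and length rules applied when a password is chosen."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.isalpha() or candidate.isdigit():
        problems.append("uses only letters or only digits")
    if candidate.lower() in COMMON_WORDS:
        problems.append("is a familiar or obvious word")
    return problems


def reuse_violation(candidate: str, acct: Account) -> bool:
    """True when the candidate equals the current password or one of the
    last HISTORY_DEPTH retired ones (constant-time hash comparison)."""
    d = digest(candidate, acct.salt)
    recent = [acct.current] + acct.history[-HISTORY_DEPTH:]
    return any(hmac.compare_digest(d, old) for old in recent)


def change_password(acct: Account, candidate: str, today: date) -> list[str]:
    """Apply the change-time rules; the change is accepted only when the
    returned list of problems is empty."""
    problems = composition_violations(candidate)
    if reuse_violation(candidate, acct):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    if not problems:
        acct.history.append(acct.current)
        acct.current = digest(candidate, acct.salt)
        acct.last_changed = today
    return problems


def audit_lifetime(accounts: list[Account], today: date) -> dict[str, list[str]]:
    """Audit pass over account metadata: report every account whose password
    is older than MAX_LIFETIME. Returns {user: [findings]} for non-conforming accounts."""
    report: dict[str, list[str]] = {}
    for a in accounts:
        age = (today - a.last_changed).days
        if age > MAX_LIFETIME.days:
            report[a.user] = [f"password age {age} days exceeds {MAX_LIFETIME.days}"]
    return report


if __name__ == "__main__":
    # Constructed sample accounts and audit date.
    today = date(2024, 3, 1)
    accounts = [
        make_account("alice", "correct-horse-42", date(2024, 1, 15), b"salt-a"),
        make_account("bob", "Summer2023", date(2023, 5, 1), b"salt-b"),
    ]
    print("audit findings:", audit_lifetime(accounts, today))
    bob = accounts[1]
    print("bob reuses old password:", change_password(bob, "Summer2023", today))
    print("bob picks a common word:", change_password(bob, "password", today))
    print("bob picks a fresh one:", change_password(bob, "Blue-Kettle-2024", today))
    print("audit after change:", audit_lifetime(accounts, today))
```

The split between `change_password` (enforced by the system at the moment a password is set) and `audit_lifetime` (run by the auditor over stored metadata) mirrors the article's point that some requirements can be met by technical features and others by management procedure; the lifetime rule in particular is only auditable if the system records when each password was last changed.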
