Credential Policy replacing Password Policy
Have we evolved enough in the security industry to stop calling the password policy the password policy? After all, what we usually mean is the policy to manage authentication, using passwords, tokens, smart cards, certificates, etc.
I’m looking forward to seeing “Credential Policy” statements like “Don’t share your tokens” and “Don’t wash your converged physical/logical access card in the laundry.”
Categories: InfoSec

Good point, Steve.
Can we also stop calling physical access credentials “badges”? This legacy term, from the guarding world where you get access based on something you look at, promotes a security vulnerability attacked via Photoshop and a color printer.
You hit the nail on the head when you focus on authentication, whether it be logical or physical access, fob, smart card or cell phone. More and more, authentication policy will require strong authentication using digital certificates and multiple factors, and, if done properly, the same approach can be used all the time, anywhere, and, as multiple studies have shown, significantly reduce the help desk costs associated with username and password support.
Frankly I prefer the word token as the meta category (any dictionary will back this up) as something given or shown to establish trust. You have an identity token that you authenticate with and then your network, database, web site and facilities administrators manage the authorization for access to their assets.
Usernames and passwords will not disappear, but they are simply a low-assurance token for logical access that has clearly begun its sunset.
Great, Sal. Token works so well because it encompasses physical tokens that you touch or carry, as well as virtual tokens like passwords and digital certificates.