
Credential Policy replacing Password Policy

Have we evolved enough in the security industry to stop calling the password policy the password policy? After all, what we usually mean is the policy to manage authentication, using passwords, tokens, smart cards, certificates, etc.

I’m looking forward to seeing “Credential Policy” statements like “Don’t share your tokens” and “Don’t wash your converged physical/logical access card in the laundry.”

Categories: InfoSec
  1. March 1, 2008 at 2:04 pm

    Good point, Steve.
    Can we also stop calling physical access credentials badges? This legacy term from the guarding world where you get access based on something you look at promotes a security vulnerability attacked via Photoshop and a color printer.
    You hit the nail on the head when you focus on authentication, whether it be logical or physical access, fob, smart card or cell phone. More and more, authentication policy will require strong authentication using digital certificates and multiple factors; if done properly, the same approach can be used all the time, anywhere, and, as multiple studies have shown, significantly reduce the help desk costs associated with username and password support.
    Frankly I prefer the word token as the meta category (any dictionary will back this up) as something given or shown to establish trust. You have an identity token that you authenticate with and then your network, database, web site and facilities administrators manage the authorization for access to their assets.
    Usernames and passwords will not disappear, but they are simply low assurance tokens for logical access that have clearly begun their sunset.

  2. March 3, 2008 at 8:05 am

    Great, Sal. Token works so well because it encompasses physical tokens that you touch or carry, as well as virtual tokens like passwords and digital certificates.
