Do you have a best practices document that advises things like PIN and password length/expiration/requirements? I've looked in several documents and have seen it referenced, but cannot find the actual suggestions.
Is the RSA SecurID Software Token Security Best Practices Guide for RSA Authentication Manager 8.x what you are looking for?
Regards,
Erica
I'm looking for information on hardware and software tokens. I finally found some information in the security configuration guide. I'm pasting it below. The only thing remaining is if you all recommend that PIN numbers expire and if so, how often. Thanks!
Your corporate token policy should require the use of 6-character to 8-character PINs. Do not use 4-character numeric PINs. RSA recommends that your PINs require alphanumeric characters (a-z, A-Z, 0-9) when the token type supports them. You must configure Authentication Manager to allow these characters.
Literally, it is this
You should set your policies to be as strong as your users can stand to use, before they revolt and turn against you.
--------------------------------------------------------------------------------------------------
This is from the 8.2 SP1 Security Configuration guide:
Configure Authentication Manager to require users to change their PINs at regular intervals. These intervals should be no more than 60 days. If you use 4-digit numeric PINs, the intervals should be no more than every 30 days. For software tokens, the PIN should be equal in length to the tokencode, and all numeric.
--------------------------------------------------------------------------------------------------
This is my take on it overall....
If you are a defense company making fire control systems, all your users are already used to extreme security, so any strict policy will be acceptable. But if your users are not already using extremely secured systems and having to use strong security at every turn, then those people may not accept very strong security policies as easily. So, it is really...make it as strong as possible, but also will 'fit in' so people can go about their business with minimal distractions.
What is your policy according to government and legal requirements? At least meet any policy you are legally bound by. After that, perhaps set the PIN change interval to match the period on which other passwords need to be changed? Such as Active Directory password changes?
Personally, I have worked at a facility where passwords, combination locks, keys, everything 'secured' was changed daily. That was totally fine because of the type of work. But I can't see that being used anywhere but that specific location.
Also note, you can have multiple policies of different strength, and assign those to System sub-domains. Then put subsets of users into those domains. This way some people who access more sensitive areas can be forced to use very strong PINs and PIN change rules, whereas other users who do not need to access sensitive systems might have less strong policies.
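To make the quoted guidance concrete, here is an added example (written for this thread, not RSA's own code or anything shipped with Authentication Manager) that checks a proposed PIN against the rules pasted above and computes the longest change interval they allow. The `TokenProfile`, `check_pin` and `next_change_due` names, and the reading of "alphanumeric" as "mix letters and digits when the token supports them", are my assumptions; the numeric limits (6 to 8 characters, 60 days, 30 days for 4-digit numeric PINs, software-token PIN equal to the tokencode length and all numeric) are taken from the guide text quoted in this thread.

```python
# Added example for this thread: PIN policy check derived from the quoted
# RSA Security Configuration Guide text. Not RSA code; names are hypothetical.
from dataclasses import dataclass, field
from datetime import date, timedelta
import re

# The guide lists a-z, A-Z, 0-9 as the PIN character set.
ALLOWED_CHARS = re.compile(r"[A-Za-z0-9]+")


@dataclass
class TokenProfile:
    token_type: str                   # "hardware" or "software"
    tokencode_length: int = 6         # digits displayed by the token (6 or 8)
    alphanumeric_pins: bool = False   # AM configured to accept letters in PINs


@dataclass
class PinVerdict:
    max_age_days: int                 # longest change interval the guide allows
    violations: list = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.violations


def max_pin_age_days(pin: str) -> int:
    """Guide: change PINs at most every 60 days; 4-digit numeric PINs every 30."""
    if len(pin) == 4 and pin.isdigit():
        return 30
    return 60


def check_pin(pin: str, profile: TokenProfile) -> PinVerdict:
    """Evaluate a PIN against the quoted rules for the given token profile."""
    verdict = PinVerdict(max_age_days=max_pin_age_days(pin))
    v = verdict.violations
    if not ALLOWED_CHARS.fullmatch(pin):
        v.append("PIN may only contain a-z, A-Z, 0-9")
    if profile.token_type == "software":
        # Software tokens: PIN all numeric and equal in length to the tokencode.
        if not pin.isdigit():
            v.append("software-token PIN must be all numeric")
        if len(pin) != profile.tokencode_length:
            v.append(f"software-token PIN must be exactly "
                     f"{profile.tokencode_length} characters (tokencode length)")
    else:
        # Hardware tokens: 6 to 8 characters, no 4-character numeric PINs.
        if not 6 <= len(pin) <= 8:
            v.append("hardware-token PIN must be 6 to 8 characters "
                     "(4-character numeric PINs are discouraged)")
        # Assumption: "alphanumeric" means mixing letters and digits when allowed.
        if profile.alphanumeric_pins and (pin.isdigit() or pin.isalpha()):
            v.append("token accepts alphanumeric PINs: mix letters and digits")
    return verdict


def next_change_due(last_changed: date, pin: str) -> date:
    """Date by which the PIN must be rotated under the quoted intervals."""
    return last_changed + timedelta(days=max_pin_age_days(pin))


if __name__ == "__main__":
    hw = TokenProfile("hardware", alphanumeric_pins=True)
    for candidate in ("1234", "123456", "a1b2c3", "abc!de"):
        r = check_pin(candidate, hw)
        status = "OK" if r.compliant else "; ".join(r.violations)
        print(f"{candidate!r}: {status}; rotate every {r.max_age_days} days")
    print("software 6-digit:", check_pin("123456", TokenProfile("software")).compliant)
```

Run it as a script to see each constructed candidate PIN scored; in practice you would wire `check_pin` into a self-service enrollment form or a periodic audit that compares each user's last PIN change against `next_change_due`.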