You are the IT security administrator for an organisation with about 100 users. The users all have office computers (PCs or laptops), but also use other computers for work (such as shared computers, and personal mobile devices). For example, a typical user may use a Windows PC in their office, occasionally use a Windows PC or Mac in a shared space or lab, and regularly use their own Android or iOS phone for work purposes. There is a mix of operating systems on computers and mobile devices.
You are tasked with educating users on passwords, and recommending password management solutions to the organisation. You are considering two options for password management.
Option 1. Educate users to manage their own passwords, while using some technical controls. This option involves recommending policies to management, providing user training, and applying password management rules in various systems (e.g. when passwords are created). Most users will not use password management software in this option.
Option 2. Enforce password management software for all users. This option requires all users to use a single password management application (e.g. LastPass, KeePass, or 'wallet' software).
First considering Option 1, answer the following sub-questions.
(a) You are planning the user training session. You have already explained to users about password lengths and character sets (e.g. minimum recommended length, types of characters to include). List three (3) other recommendations that you think are the most important for users to be aware of with regards to password usage and management. For each recommendation, explain it in detail (that is, what would you tell users), and give one advantage and one disadvantage of the recommendation. For example:
“Recommendation 1. You should do … . The advantage of doing this is … . But the disadvantage of doing this is … .”. (Note you cannot use the password length and character set as a recommendation – you must choose other recommendations) [3 marks]
(b) You are designing the technical controls on the password checking system when users register or select a new password. One rule that you have decided to implement is that a password must be at least 8 characters. List three (3) other rules that you think are the most important to be implemented. For each rule, clearly specify the exact conditions, and give one advantage and one disadvantage of the rule. For example: “Rule 1. A password must be at least 8 characters long. The advantage of this rule is … . The disadvantage of this rule is … .”. (Note you cannot use the password length as a rule – you must choose 3 other rules. Also, although you may consider character set as a rule, it can only count as one rule). [3 marks]
Now considering Option 2, answer the following sub-questions.
(c) Write a short summary of what password management software is, and how it works. This summary is intended for management and users to understand. [2 marks]