Steps that may be taken to ensure the security of a password system:
1. Passwords should be changed regularly so that users who have already obtained a password illegally can be denied continued access to system resources. The network operating system could be configured by the systems administrator to implement this policy.
2. The system should be configured by the systems administrator to reject the reuse of previously used passwords. This measure would deny access to users who had illegally obtained a password that has since been changed.
3. Logon IDs not used for a set number of days should be deactivated to prevent possible misuse.
4. The system should automatically disconnect a logon session if no activity has occurred for a period of time (e.g. one hour). This reduces the risk of misuse of an active logon session left unattended because the user went to lunch, went home, went to a meeting or otherwise forgot to log off. This policy is referred to as 'time out'.
5. Password databases on servers or workstations should be encrypted using one-way encryption. This mode of encryption scrambles the passwords irreversibly, thus preventing intruders from decoding them.
6. Duress passwords
These are passwords issued to staff so that, in the event they are kidnapped and forced to reveal a password that grants access to the system, an alarm is raised to indicate to the organization's security section that entry is being made under duress.
7. System-generated passwords
Here, the system has a routine that generates passwords and notifies users of each new password through a secure mailing system. If a password has been changed, the system may be programmed to accept use of the old password but to notify security, who can then monitor the entry and, if the offender is on the premises, apprehend them.