Setting APP Flare passwords.



All organisations have a duty to ensure that the data they hold may only be accessed by properly authorised persons.

Different privileges to read, edit or delete data are assigned in the Flare system to user identities. When a user logs on to the Flare system they are required to demonstrate that they are indeed the authorised user by entering a password. This process is called "authentication".

Simple user id/password combinations are a relatively weak way of authenticating a person to a computer system. It is often very easy to guess both a user id and a password. Where this guessing is assisted by a computer system, thousands of combinations may be tried in seconds.

Users can help strengthen the authentication process by choosing "strong" passwords which are difficult to guess.

The rules

Passwords must

  • be at least 6 characters in length
  • be changed at least every 90 days
  • never be shared
  • never be written down (unless stored securely)

Choosing strong passwords

A strong password is one which is difficult to guess either by employing a computer program or by human intuition.

Examples of weak passwords are the user's name, birth date, child's name, favourite colour, flower, football team etc. This sort of password may be easily guessed by others unaided by technology. Unfortunately any word which may be found in a dictionary is also a weak password. A computer programme can try all the words in a set of dictionaries, with and without numbers appended or prepended, in a couple of hours.

Strong passwords use a combination of digits and letters which cannot be found in a dictionary and which have no particular connection with the user. The strongest passwords are randomly generated, but these are often difficult to remember.

Try to use letter and number combinations which are pronounceable and phonetically coherent. Mix upper and lower case when using letters. "icUryy4me" looks difficult to remember, but it can be pronounced as "I see you are too wise for me". This particular password is known to the security/hacking community but is still relatively hard to crack due to the number of variations that can be applied without losing the phonetic sense of the phrase.

Give yourself time to think of a good password and learn it. Once chosen avoid writing it down anywhere.
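As an added illustration, not part of the Flare system or of this policy, the following Python check applies the rules above: the 6 character minimum, rejection of dictionary words even with digits prepended or appended, rejection of personal details such as a surname or birth date, and a preference for mixed case and digits. The word list and the personal details passed in are constructed samples.

```python
import re
from datetime import date

MIN_LENGTH = 6  # the minimum length given in the Flare rules above

# Constructed sample word list; a real check would load full dictionaries.
DICTIONARY = {"password", "welcome", "summer", "arsenal", "daisy", "purple", "flare"}


def date_tokens(d: date) -> set[str]:
    """Common ways a birth date is typed into a password: 120375, 12031975, 19750312, 1203."""
    return {d.strftime(f) for f in ("%d%m%y", "%d%m%Y", "%Y%m%d", "%d%m")}


def strip_digits(word: str) -> str:
    """Remove digits prepended or appended to a word ('12summer99' -> 'summer')."""
    return re.sub(r"^\d+|\d+$", "", word)


def check_password(password, personal=None, birth_date=None, dictionary=DICTIONARY):
    """Return the reasons a candidate password is weak; an empty list means it passes.

    personal: constructed mapping such as {"surname": "Jones", "team": "Arsenal"}.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    # A dictionary word stays weak when numbers are merely added at either end.
    if strip_digits(lowered) in dictionary:
        reasons.append("dictionary word (digits prepended or appended do not help)")
    for label, value in (personal or {}).items():
        if value and value.lower() in lowered:
            reasons.append(f"contains {label}")
    if birth_date and any(tok in lowered for tok in date_tokens(birth_date)):
        reasons.append("contains birth date")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        reasons.append("does not mix upper and lower case")
    if not any(c.isdigit() for c in password):
        reasons.append("contains no digits")
    return reasons


if __name__ == "__main__":
    for candidate in ("summer99", "Flare1", "icUryy4me"):
        print(candidate, "->", check_password(candidate) or "acceptable")
```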

Never divulge your password to colleagues or to technical support. One of the simplest methods of cracking systems is to call the user and ask for their password. This kind of attack is known as social engineering. Be warned. If someone asks for your password they are likely to be impostors, incompetent or security auditors carrying out a vulnerability assessment.

Changing your password in Flare.

Passwords may be changed in Flare by selecting "Options" from the Flare desktop, and then "Change Password" from the "Options" pick list. Users will then be presented with a dialogue box into which they must enter their current ("Old") password, and their new password. The new password must be entered twice to help avoid problems with miskeying.

Conformance with BS7799 & the Data Protection Act.

Conformity to BS7799 requires that passwords have a minimum length of 6 characters and are

  • kept confidential
  • not written down (unless the record is stored securely)
  • changed at regular intervals
  • not based on anything that can be guessed or obtained from other sources
  • not shared

The DPA requires that data is properly protected from unauthorised access.

C W Fulford
11th November 2004

