Password Standards Can Improve Agency Workflows And Carrier Security

Our industry has the opportunity to create a “win-win” solution to the current dilemma of agency passwords.

First, let's define the problem. Agents have become increasingly frustrated with real-time carrier interfaces for two reasons: each carrier Web site visit requires a login, and each carrier has instituted different requirements for passwords.

At the same time, protection of carrier agency systems and databases from entry by unauthorized users is vital and requires the use of effective password procedures. Agents and brokers understand the importance of strong security, because their policyholder data, their expirations, provide the very foundation for the value of their businesses and must not be compromised.

To this point, carrier security personnel have developed their password requirements independently, so it is not surprising that password lengths, composition and procedures vary from company to company. It is also fair to say that most of these password requirements were developed with systems protection–not ease of use–as the top priority.

Agents and brokers, however, have to work with multiple companies and their wide variety of different password formats and procedures. So what do many agents and brokers do to keep track of everything? They keep written lists of their various passwords, a practice that has the potential to compromise security at the agency level. Additionally, agent frustration with the current password situation makes real-time carrier interfaces less attractive.

The good news is that we have a golden opportunity to develop a solution to this dilemma. This solution will take time and effort to implement fully, but it will further improve agency workflow and decrease the level of frustration agents and brokers experience when working on their carriers' systems.

In an important effort to address the password dilemma, the Agents Council for Technology (ACT) established a Password Work Group. The Group developed, and ACT subsequently approved, recommended guidelines for password formats and agency password management. These guidelines include:

Password Expiration. The expiration of passwords should be set to no shorter than 90 days. Agency employees would need to change their passwords at least every 90 days; otherwise the password would expire. The software should provide users with warnings that give them lead time to change their passwords.

Password History. Password history will be enforced for five iterations. When agency employees change their passwords, the system will not permit the use of the same password again until the sixth iteration, but it would permit the use of a derivative password, as long as some change has been made. For example, a permissible change would include a change from CmS321 to CmS322.

Password Length. Valid passwords must include at least six characters and permit a maximum of eight characters. This range is sufficiently long to make “password cracking” difficult, but sufficiently short for easy entry.

Password Composition. Every password must have at least one lower case letter, one upper case letter and one number. Special characters (non-alphabetic and non-numeric) may not be used. The password cannot be the same as the ID and cannot repeat the same number or letter (whether upper case or lower case) more than two times consecutively. For systems that do not recognize upper and lower case, all characters should be treated as upper case.
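As an added illustration, and not code from the article, ACT or any carrier, the following Python check enforces the four guidelines above (expiration, history, length and composition) on a candidate password. The user ID value, the oldest-first ordering of the history list and the case-insensitive comparison against the ID are assumptions made here.

```python
import re
from datetime import date, timedelta
from typing import List

# Parameters as stated in the ACT guidelines above
MIN_LEN, MAX_LEN = 6, 8      # six to eight characters
HISTORY_DEPTH = 5            # the last five passwords may not be reused
MAX_AGE_DAYS = 90            # change at least every 90 days


def check_password(candidate: str, user_id: str, history: List[str]) -> List[str]:
    """Return the list of guideline violations; an empty list means acceptable.

    `history` is assumed to be ordered oldest first, so the most recent
    password is the last element.
    """
    problems = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN} to {MAX_LEN} characters")
    if not re.fullmatch(r"[A-Za-z0-9]*", candidate):
        problems.append("special characters are not permitted")
    if not any(c.islower() for c in candidate):
        problems.append("needs at least one lower case letter")
    if not any(c.isupper() for c in candidate):
        problems.append("needs at least one upper case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("needs at least one number")
    # Assumption: compare against the ID case-insensitively, the safe reading
    # for systems that treat every character as upper case
    if candidate.upper() == user_id.upper():
        problems.append("password cannot be the same as the ID")
    # The consecutive-repeat rule ignores case, so fold to upper case first
    folded = candidate.upper()
    if any(folded[i] == folded[i + 1] == folded[i + 2] for i in range(len(folded) - 2)):
        problems.append("no character may repeat more than two times consecutively")
    # Exact reuse is blocked for five iterations; a derivative such as
    # CmS321 -> CmS322 is permitted because it differs from every stored value
    if candidate in history[-HISTORY_DEPTH:]:
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


def expires_on(changed_on_iso: str) -> str:
    """ISO date on which a password last changed on `changed_on_iso` expires."""
    return (date.fromisoformat(changed_on_iso) + timedelta(days=MAX_AGE_DAYS)).isoformat()


if __name__ == "__main__":
    # Constructed sample run using the article's own example values
    for attempt in ["CmS321", "CmS322", "Cm$321", "aAA123"]:
        print(attempt, check_password(attempt, "jsmith", ["CmS321"]) or "OK")
    print("expires on", expires_on("2003-06-09"))
```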

Agencies should also implement a password management process at the agency level and require adherence by all agency employees. Once the guidelines are implemented, agency management should make sure that lists of passwords are eliminated wherever possible.

If passwords need to be written down, they should be maintained in a secure manner. Agency management should establish clear guidelines for the individual who will advise carriers of employee changes so that systems access is terminated as necessary.

Assuming carriers implement these guidelines, agencies should bring the expiration dates for all employee passwords to a common set of dates. Passwords can be between six and eight characters long. They should contain three different types of characters including upper case, lower case and numeric.

The passwords should not be the same as the ID and should not repeat the same number or letter (whether upper case or lower case) more than two times consecutively. Using complex composition (mixed case and numbers) greatly improves the security of passwords by reducing the possibility of “password guessing” by unauthorized parties.

While a long-term solution will take time to implement, we urge carriers and agencies to implement these guidelines now, because they would result in a considerable improvement in agent-carrier workflows over the intermediate term.

The guidelines would enable agency employees to use consistent passwords for multiple companies and would eliminate the need to keep lists at the agency level, thereby improving security. I would also note that because the guidelines only address passwords, current user IDs would not be impacted.

Ultimately, agents would like to see real-time interface solutions with their companies. With such a system, the agency electronically stores the necessary passwords in an encrypted fashion, then the agency and carrier handle the identity verification process automatically. This would occur machine-to-machine when the agent initiates a transaction with the carrier from his or her system. Carriers and vendors are already developing and implementing links and interface technologies that begin to handle passwords in this manner.

For the industry to take full advantage of this important opportunity to improve agent-carrier real-time interfaces, we need ACORD to develop a standard that specifies how carriers and agency management systems can work together to implement identity management. Several carriers and management system vendors, along with ACT, have approached ACORD to develop such a standard.

Our industry has an important opportunity to improve agency efficiency and strengthen agency security. I urge the industry to take the steps that will accomplish this: implement the ACT guidelines for password formats and promote an agency-level password management process, while working toward standards and implementations that facilitate automatic password handling between agency and carrier systems.

Alvito Vaz, director of agent Internet systems with Progressive, is Chairman of ACT's Password Work Group and a member of ACORD's Joint Architecture Group. This article reflects the opinions of the author and should not be construed as an official statement of ACT.


Reproduced from National Underwriter Edition, June 9, 2003. Copyright 2003 by The National Underwriter Company in the serial publication. All rights reserved. Copyright in this article as an independent work may be held by the author.
