1、Lessons Learned Entry: 0972Lesson Info:a71 Lesson Number: 0972a71 Lesson Date: 2001-07-26a71 Submitting Organization: HQa71 Submitted by: Wilson HarkinsSubject: User IDs and Passwords Description of Driving Event: In the 1995-1996 timeframe the Office of Safety and Mission Assurance (OSMA) began dev
2、elopment of a distance learning capability under the umbrella of the Professional Development Initiative (PDI). This distance learning capability eventually evolved from a Safety and Mission Assurance discipline system into the Site for Online Learning and Resources (SOLAR) (http:/solar.msfc.nasa.go
3、v), currently one of NASAs primary distance learning resources. The intent of the initial development effort was to design and implement a prototype system for the Safety and Mission Assurance discipline. Since the system was web-based part of the design considerations involved system security, spec
4、ifically the use of User IDs and Passwords. The system was going to maintain user sensitive course completion data (completion records and testing scores) so establishing a User ID and Password to generate and access that information became a requirement. In addition, some course materials were goin
5、g to contain licensed material and finally we wanted to limit access to the courses to the NASA community to ensure availability of courses to our users. To accomplish this the User ID and Password were also required to access course materials. SOLAR was configured to maintain its own User ID and Pa
6、ssword protocols and files. The decision to develop a unique User ID and Password system was based on two assumptions. The first assumption was that requiring users to remember another User ID and Password would not be a burden and second that development of a unique capability would be easier than
7、integrating the system into the various security systems resident at the NASA Centers.As use of the SOLAR system grew and some disciplines initiated mandatory training, by far the largest demand for user support involved re-establishing out-of-date or forgotten passwords. This represented a signific
8、ant expenditure of resources to maintain the user support primarily to reset passwords. An additional system capability was added to automate password revalidation, this capability did reduce the demand for manual update. This did not solve the frustrations of users who had to remember another User
9、ID/Password combination or were delayed even momentarily from taking training which they had allotted time to complete often with a looming deadline for Provided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-completion.Lesson(s) Learned: 1. Proliferation of
10、 User IDs and Passwords can frustrate system users, particularly if the User ID and Password combination is not used on a regular basis.2. For systems with infrequent access, a large amount of resources may be required to provide the capability to reset User IDs and Passwords.Recommendation(s): 1. C
11、onsider carefully the decision to adopt a unique User ID and Password authentication method. Consider instead using or piggybacking on another systems authentication system so that users have a single User ID and Password to access multiple capabilities.2. If a unique User ID and Password authentica
12、tion system is adopted, ensure that sufficient user support is provided to quickly respond to user requests for Password resets.Evidence of Recurrence Control Effectiveness: N/ADocuments Related to Lesson: N/AMission Directorate(s): N/AAdditional Key Phrase(s): a71 Information Technology/Systemsa71
13、Policy & Planninga71 Training EquipmentAdditional Info: Provided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-Approval Info: a71 Approval Date: 2001-07-30a71 Approval Name: Eric Raynora71 Approval Organization: QSa71 Approval Phone Number: 202-358-4738Provided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-
