ACT Urges Companies, Vendors to Adopt New Password Formatting Guidelines

October 17, 2002

New recommended guidelines for company and vendor password formatting have been approved by the Agents Council for Technology (ACT) to enhance security and alleviate current inefficiencies for independent agents and brokers across the country.

The password guidelines are the product of ACT’s Multiple Passwords Work Group formed to address the difficulties independent agents and brokers currently are facing with the multitude of different Web passwords and password formats they must employ to access their companies. If adopted by the industry, the guidelines reportedly will enable agency employees to use a common password for several company and vendor systems. ACT is affiliated with the Independent Insurance Agents & Brokers of America (IIABA).

“ACT urges companies and vendors to incorporate these guidelines into their password protocols and make their Web sites more user friendly for the independent agents accessing them,” Alvito Vaz, chairman of the work group and information technology director at Progressive Insurance, said. “The guidelines also will encourage improved security at the agency level because agents will be able to use a consistent password for several companies and be less inclined to maintain unprotected lists of passwords.”

When the work group initially surveyed ACT company and vendor members, it found that current password requirements and procedures vary widely, virtually forcing agency employees to keep scorecards containing all of the necessary information. Security at the agency level will reportedly be greatly improved if companies and vendors follow guidelines permitting agency employees to use consistent passwords with their various business partners. Agencies also need to be provided the flexibility to make required changes in these passwords.

“Ultimately, agents would like to see company passwords handled automatically in the background by their management systems,” ACT Executive Director Jeff Yates commented. “But in the current environment, widespread adoption of ACT’s recommended password guidelines would be a big step forward. We urge agents to encourage their companies and vendors to adopt the guidelines to make Web site access much easier for hundreds of thousands of agency employees.”

ACT recommends that companies and vendors incorporate the following guidelines into their password formats:

* Password Expiration: The expiration of passwords should be set to no shorter than 90 days. Agency employees would need to change their passwords at least every 90 days; otherwise they would expire. The software should provide users with warnings that give them lead time to change their passwords.

* Password History: Password history will be enforced for five iterations. When agency employees change their password, the system will not permit the use of the same password again until the sixth iteration, but it would permit the use of a derivative password, as long as some change has been made. For example, a permissible change would include a change from CmS321 to CmS322.

* Password Length: Valid passwords must include at least six characters and permit a maximum of eight characters. This range is sufficiently long to make “password cracking” difficult, but also sufficiently short for easy entry.

* Password Composition: Every password must have at least one lower case letter, one upper case letter, and one number. Special characters (non-alphabetic and non-numeric) may not be used. The password cannot be the same as the ID and cannot repeat the same number or letter (whether upper case or lower case) more than two times consecutively. For systems that do not recognize upper and lower case, all characters should be treated as upper case.
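The history, length and composition rules above, written as a checker. This is an added example, not code from ACT or from the article. The function name, its parameters, the exact (case-sensitive) comparison against the ID, and the treatment of case-insensitive systems (upper-case everything, then require one letter and one number) are assumptions.

```python
import re

MIN_LEN, MAX_LEN, HISTORY_DEPTH = 6, 8, 5  # values stated in the guidelines


def check_password(password, user_id, history=(), case_sensitive=True):
    """Return the list of guideline violations; an empty list means compliant.

    history holds earlier passwords, oldest first. Plaintext is used only to
    keep the example short; a real system would store salted hashes of old
    passwords and compare by re-hashing the candidate.
    """
    if not case_sensitive:
        # Assumed reading of "all characters should be treated as upper case".
        password, user_id = password.upper(), user_id.upper()
        history = [old.upper() for old in history]

    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length")
    if not re.fullmatch(r"[A-Za-z0-9]*", password):
        problems.append("special character")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if case_sensitive:
        if not re.search(r"[a-z]", password):
            problems.append("no lower case letter")
        if not re.search(r"[A-Z]", password):
            problems.append("no upper case letter")
    elif not re.search(r"[A-Z]", password):
        problems.append("no letter")
    if password == user_id:
        problems.append("same as ID")
    # Three in a row is "more than two times"; upper and lower case count as
    # the same character, so "aAa" is rejected just like "aaa".
    if re.search(r"(.)\1\1", password, re.IGNORECASE):
        problems.append("repeated character")
    # Only the five most recent passwords are blocked; a derivative such as
    # CmS321 -> CmS322 is a different string and passes.
    if password in list(history)[-HISTORY_DEPTH:]:
        problems.append("reused")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("CmS322", "CmS321", "Cm$321", "CmS3aAa"):
        print(candidate, check_password(candidate, "agent01", ["CmS321"]))
```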

The approved ACT Password Guidelines are available by visiting the IIABA Web site at and selecting the Agents Council for Technology tab.
