Password Standards Can Improve Agency Workflows And Carrier Security

Our industry has the opportunity to create a “win-win” solution to the current dilemma of agency passwords.
First, let's define the problem. Agents have become increasingly frustrated with real-time carrier interfaces for two reasons: every visit to a carrier Web site requires a separate login, and each carrier has instituted different requirements for passwords.
At the same time, protection of carrier agency systems and databases from entry by unauthorized users is vital and requires the use of effective password procedures. Agents and brokers understand the importance of strong security, because their policyholder data (their expirations) provide the very foundation for the value of their businesses and must not be compromised.
To this point, carrier security personnel have developed their password requirements independently, so it is not surprising that password lengths, composition and procedures vary from company to company. It is also fair to say that most of these password requirements were developed with systems protection–not ease of use–as the top priority.
Agents and brokers, however, have to work with multiple companies, and their wide variety of different password formats and procedures. So what do many agents and brokers do to keep track of everything? They keep written lists of their various passwords, a practice that has the potential to compromise security at the agency level. Additionally, agent frustration with the current password situation makes real-time carrier interfaces less attractive.
The good news is that we have a golden opportunity to develop a solution to this dilemma. This solution will take time and effort to implement fully, but it will further improve agency workflow and decrease the level of frustration agents and brokers experience when working on their carriers' systems.
In an important effort to address the password dilemma, the Agents Council for Technology (ACT) established a Password Work Group. The Group developed, and ACT subsequently approved, recommended guidelines for password formats and agency password management. These guidelines include:
Password Expiration. The expiration of passwords should be set to no shorter than 90 days. Agency employees would need to change their passwords at least every 90 days, otherwise the password would expire. The software should provide users with warnings that give them lead-time to change the passwords.
Password History. Password history will be enforced for five iterations. When agency employees change their passwords, the system will not permit the use of the same password again until the sixth iteration, but it would permit the use of a derivative password, as long as some change has been made. For example, a permissible change would include a change from CmS321 to CmS322.
Password Length. Valid passwords must include at least six characters and permit a maximum of eight characters. This range is sufficiently long to make “password cracking” difficult, but sufficiently short for easy entry.
Password Composition. Every password must have at least one lower case letter, one upper case letter and one number. Special characters (non-alphabetic and non-numeric) may not be used. The password cannot be the same as the ID and cannot repeat the same number or letter (whether upper case or lower case) more than two times consecutively. For systems that do not recognize upper and lower case, all characters should be treated as upper case.
Agencies should also implement a password management process at the agency level and require adherence by all agency employees. Once the guidelines are implemented, agency management should make sure that lists of passwords are eliminated wherever possible.
If passwords need to be written down, they should be maintained in a secure manner. Agency management should establish clear guidelines for the individual who will advise carriers of employee changes so that systems access is terminated as necessary.
Assuming carriers implement these guidelines, agencies should bring the expiration dates for all employee passwords to a common set of dates. Passwords can be between six and eight characters long. They should contain three different types of characters including upper case, lower case and numeric.
The passwords should not be the same as the ID and should not repeat the same number or letter (whether upper case or lower case) more than two times consecutively. Using complex composition (mixed case and numbers) greatly improves the security of passwords by reducing the possibility of “password guessing” by unauthorized parties.
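As an added example (not part of the original article or of ACT's own material), a Python check that applies the guideline rules above: length, composition, no special characters, not equal to the user ID, no character repeated more than twice consecutively, and the five-password history rule that still allows a derivative such as CmS321 to CmS322. Function names, messages and the sample IDs are my own.

```python
import re

MIN_LEN, MAX_LEN = 6, 8     # "at least six characters ... maximum of eight"
HISTORY_DEPTH = 5           # the five most recent passwords may not be reused


def normalize(value: str, case_sensitive: bool) -> str:
    """Systems that do not distinguish case treat every character as upper case."""
    return value if case_sensitive else value.upper()


def check_password(password: str, user_id: str, history=(), case_sensitive=True) -> list:
    """Return the list of guideline violations; an empty list means the password
    is acceptable. `history` holds the user's previous passwords, oldest first."""
    pw = normalize(password, case_sensitive)
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be between {MIN_LEN} and {MAX_LEN} characters")
    # Special characters (anything non-alphanumeric) are not permitted.
    if not re.fullmatch(r"[A-Za-z0-9]+", pw):
        problems.append("only letters and digits are permitted")
    if not re.search(r"[0-9]", pw):
        problems.append("at least one number is required")
    if case_sensitive:
        if not re.search(r"[a-z]", pw):
            problems.append("at least one lower case letter is required")
        if not re.search(r"[A-Z]", pw):
            problems.append("at least one upper case letter is required")
    # The password may not be the same as the user ID.
    if pw == normalize(user_id, case_sensitive):
        problems.append("password may not be the same as the ID")
    # No character may repeat more than twice consecutively; upper and lower
    # case count as the same letter, so the check runs on an upper-cased copy.
    if re.search(r"(.)\1\1", pw.upper()):
        problems.append("a character may not repeat more than two times consecutively")
    # History: only an exact reuse of one of the last five passwords is refused;
    # a derivative (CmS321 -> CmS322) is allowed, as the guideline states.
    recent = [normalize(old, case_sensitive) for old in history[-HISTORY_DEPTH:]]
    if pw in recent:
        problems.append(f"password matches one of the last {HISTORY_DEPTH} passwords")
    return problems
```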
While a long-term solution will take time to implement, we urge carriers and agencies to implement these guidelines now, because they would result in a considerable improvement in agent-carrier workflows over the intermediate term.
The guidelines would enable agency employees to use consistent passwords for multiple companies and would eliminate the need to keep lists at the agency level, thereby improving security. I would also note that because the guidelines only address passwords, current user IDs would not be impacted.
Ultimately, agents would like to see real-time interface solutions with their companies. With such a system, the agency electronically stores the necessary passwords in an encrypted fashion, then the agency and carrier handle the identity verification process automatically. This would occur machine-to-machine when the agent initiates a transaction with the carrier from his or her system. Carriers and vendors are already developing and implementing links and interface technologies that begin to handle passwords in this manner.
For the industry to take full advantage of this important opportunity to improve agent-carrier real-time interfaces, we need ACORD to develop a standard that specifies how carriers and agency management systems can work together to implement identity management. Several carriers and management system vendors, along with ACT, have approached ACORD to develop such a standard.
Our industry has an important opportunity to improve agency efficiency and strengthen agency security. I urge the industry to take the steps that will accomplish this: implement the ACT guidelines for password formats and promote an agency-level password management process, while working toward standards and implementations that facilitate automatic password handling between agency and carrier systems.
Alvito Vaz, director of agent Internet systems with Progressive, is Chairman of ACT's Password Work Group and a member of ACORD's Joint Architecture Group. This article reflects the opinions of the author and should not be construed as an official statement of ACT.
Reproduced from National Underwriter Edition, June 9, 2003. Copyright 2003 by The National Underwriter Company in the serial publication. All rights reserved. Copyright in this article as an independent work may be held by the author.