Making Passwords Stronger

Problems
- Our current passwords aren't strong enough.
- Overly complex passwords are hard to remember.

Goal
Make passwords more resistant to guessing attacks, while making them easier to use and remember.

Strategy
Align our password policies with the InCommon Assurance Program (Silver level ≈ LoA2):
- REQUIRED for access to federal and other resources
- Apply to our entire environment (required): now include students in the mandatory program.
“The Authentication Secret and the controls used to limit online guessing attacks shall ensure that an attack... shall have a probability of success of less than 2^-14 (1 chance in 16,384) over the life of the Authentication Secret. This requires that an Authentication Secret be of sufficient complexity and that the number of invalid attempts to enter an Authentication Secret for a Subject be limited.”

InCommon Assurance Program
- A framework of trust for safely sharing resources
- Specifically designed for/by higher education
- Policy, process, technology
- Enables use of federated systems: NIH, Grants.gov, Research.gov, Open Science Grid, Nat'l Student Clearinghouse, ...
- Best-practice security; aids in compliance with PCI-DSS, HIPAA, etc.
- Recommendations drawn from NIST
Basic Tactics

#1: Make our passwords stronger
- Stronger = longer
  - Our current 8-character minimum is no longer OK
  - Longer is better than "complex": easier to remember, easier to type
- Prevent bad password choices
  - Enforce existing policy (dictionary check)
  - Check against a list of common/bad choices
  - Prevent re-use

#2: Limit the number of possible guesses
- Periodic refresh (all users)
- Consistent lockout policy (Web, UNIX, Windows)
Proposal part 1: Stronger Passwords (length)
- 15-character minimum, no complexity requirements
- Using numbers/caps/special characters is OK, but not required
- Any of the above is MUCH stronger than today:
Proposal part 1: Stronger Passwords (choice)
- Current IT Security Policy:
  - Don't choose words from the dictionary
  - Password ≠ derivation of username
  - Start enforcing these
- Prevent choice of commonly chosen/cracked passwords
  - "Password" is one of the most commonly chosen!
  - 12345678, asdfghjkl, 00000000, etc.
- Prevent re-use
  - Even a very strong password can be cracked, given enough time
Proposal part 2: Limit Guessing
- Password refresh for all users
  - Currently just faculty/staff, every 6 months
  - Apply to all users (students via Registration Ready)
  - Back off to once a year for everyone
- Lockout for excessive consecutive failures
  - Already doing this for eID WebAuth (9 fails = 15 min lockout); we've seen very few lockouts
  - 14 failed attempts: account locked for 1 hour
  - Extend this to Active Directory root for eID
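As an added worked example (not from the slides), the two proposal parts expressed in Python: the online guess budget that a lockout and refresh setting leave an attacker, the entropy a password needs for that budget to stay under the 2^-14 bound quoted from InCommon, and a checker for the choice rules (length, dictionary, common list, username derivation, re-use). The word lists, username, salt and PBKDF2 iteration count are constructed stand-ins; the lockout model is simplified to "counter resets after each lockout window" and ignores offline cracking.

```python
import hashlib
import math

MIN_LENGTH = 15            # proposal part 1: length instead of complexity
TARGET_SUCCESS = 2 ** -14  # InCommon Silver / NIST 800-63 LoA2 guessing bound

# Constructed stand-ins for the real dictionary and common-password feeds
# (assumption: a deployment plugs in its own lists here).
DICTIONARY_WORDS = {"password", "university", "administrator"}
COMMON_PASSWORDS = {"password", "12345678", "asdfghjkl", "00000000"}


def online_guess_budget(attempts_before_lock, lockout_minutes, lifetime_days):
    """Upper bound on online guesses before a refresh forces a new password.
    Simplified model: the failure counter resets after every lockout window,
    so an attacker gets attempts_before_lock tries per lockout_minutes."""
    windows = (24 * 60 / lockout_minutes) * lifetime_days
    return int(attempts_before_lock * windows)


def required_entropy_bits(guess_budget, target=TARGET_SUCCESS):
    """Smallest entropy (bits) such that guess_budget / 2**bits < target."""
    return math.ceil(math.log2(guess_budget / target))


def history_hash(password, salt):
    """Salted, slow hash stored only for the re-use check (never a bare digest).
    The iteration count is a constructed value, not a site recommendation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def check_password(candidate, username, salt, history):
    """Apply the proposed choice rules; returns the list of violations."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append("length < %d" % MIN_LENGTH)
    if lowered in COMMON_PASSWORDS:
        problems.append("common/cracked password")
    if lowered in DICTIONARY_WORDS:
        problems.append("dictionary word")
    if username.lower() in lowered:
        problems.append("derived from username")
    if history_hash(candidate, salt) in history:
        problems.append("re-used")
    return problems
```

Run against the two lockout settings on the slides, the proposed 14 fails = 1 hour with a 1-year refresh gives an attacker 122,640 online guesses per password lifetime (fewer than the 315,360 allowed by the current 9 fails = 15 minutes), and the 2^-14 bound then needs about 31 bits of password entropy.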
Summary: Controls -> Strategies -> The Goal

Control                       Strategy         Goal
Length (15 characters)        Good Password    Resist Guessing Attacks ... InCommon Silver Assurance
Dictionary check              Good Password    Resist Guessing Attacks ... InCommon Silver Assurance
Lock-out (14 fails = 1 hr)    Limit Guesses    Resist Guessing Attacks ... InCommon Silver Assurance
Refresh (1 yr)                Limit Guesses    Resist Guessing Attacks ... InCommon Silver Assurance
Questions…? And Links:
- InCommon Assurance Program: http://www.incommon.org/assurance/
- NIST Electronic Authentication Guideline: http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf