Password Policy: Update Recommendations
Identity & Access Management Committee, September 2012

Making Passwords Stronger

Problems
- Our current passwords aren't strong enough.
- Overly complex passwords are hard to remember.

Goal
- Make passwords more resistant to guessing attacks, while making them easier to use and remember.

Strategy
- Align our password policies with the InCommon Assurance Program (Silver level ≈ LoA2):
  - REQUIRED for access to federal and other resources
  - Apply to our entire environment (required): now include students in the mandatory program.

InCommon Assurance Program

"The Authentication Secret and the controls used to limit online guessing attacks shall ensure that an attack... shall have a probability of success of less than (1 chance in 16,384) over the life of the Authentication Secret. This requires that an Authentication Secret be of sufficient complexity and that the number of invalid attempts to enter an Authentication Secret for a Subject be limited."

(1 in 16,384 is 2^-14: the requirement is stated for online guessing, so it is met by the combination of how many guesses the lockout and refresh policy allow and how unpredictable the chosen passwords are, not by password length alone.)

- A framework of trust for safely sharing resources
- Specifically designed for/by higher education
- Policy, process, technology
- Enables use of federated systems: NIH, Grants.gov, Research.gov, Open Science Grid, Nat'l Student Clearinghouse, ...
- Best-practice security
- Aids in compliance with PCI-DSS, HIPAA, etc.
- Recommendations drawn from NIST

Basic Tactics

#1: Make our passwords stronger
- Stronger = longer
  - Our current 8-character minimum is no longer OK
  - Longer is better than "complex": easier to remember, easier to type
- Prevent bad password choices
  - Enforce existing policy (dictionary check)
  - Check against a list of common/bad choices
  - Prevent re-use

#2: Limit the number of possible guesses
- Periodic refresh (all users)
- Consistent lockout policy (Web, UNIX, Windows)

Proposal part 1: Stronger Passwords (length)
- 15-character minimum, no complexity requirements
- Using numbers/caps/special characters is OK, but not required
- Any of the above is MUCH stronger than today:

Proposal part 1: Stronger Passwords (choice)
- Current IT Security Policy:
  - Don't choose words from the dictionary
  - Password ≠ derivation of username
  - Start enforcing these
- Prevent choice of commonly chosen/cracked passwords
  - "Password" is one of the most commonly chosen (also asdfghjkl, etc.)
- Prevent re-use
  - Even a very strong password can be cracked, given enough time
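The choice rules above (15-character minimum with no composition requirement, reject dictionary words and common passwords, reject passwords derived from the username, reject re-use) as one acceptance check. This is an added example, not code from the presentation or the university's systems; the word lists are small constructed stand-ins, and the history format (salted PBKDF2 digests of the last ten passwords) is an assumption.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

MIN_LENGTH = 15          # proposal: 15-character minimum, no complexity rules
HISTORY_DEPTH = 10       # assumed: how many previous password digests are kept
PBKDF2_ROUNDS = 200_000  # assumed: work factor for the history digests

# Constructed sample lists standing in for the real dictionary/common-password lists.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "asdfghjkl", "letmein"}
DICTIONARY_WORDS = {"university", "wildcat", "horse", "battery", "staple", "september"}

# Undo the usual substitutions so "P@ssw0rd" is compared against the list as "password".
_LEET = str.maketrans("@$0134", "asoiea")


def _normalize(candidate: str) -> str:
    return candidate.lower().translate(_LEET)


def hash_for_history(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 digest as stored in the re-use history (assumed format)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def _was_used_before(candidate: str, history: List[Tuple[bytes, bytes]]) -> bool:
    # Re-derive the candidate under each stored salt; compare in constant time.
    for salt, old_digest in history[-HISTORY_DEPTH:]:
        _, new_digest = hash_for_history(candidate, salt)
        if hmac.compare_digest(new_digest, old_digest):
            return True
    return False


def check_password(candidate: str, username: str, history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return the policy violations for a proposed password; an empty list means it is accepted."""
    problems = []
    lowered = candidate.lower()
    letters = "".join(ch for ch in lowered if ch.isalpha())
    user = username.lower()

    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    if _normalize(candidate) in COMMON_PASSWORDS:
        problems.append("common")
    if letters in DICTIONARY_WORDS:            # a single dictionary word padded with digits/symbols
        problems.append("dictionary")
    if len(user) >= 3 and (user in lowered or user[::-1] in lowered):
        problems.append("username")
    if _was_used_before(candidate, history):
        problems.append("reused")
    return problems


if __name__ == "__main__":
    salt, digest = hash_for_history("wildcat battery horse staple")
    print(check_password("P@ssw0rd", "jdoe", []))                        # ['too_short', 'common']
    print(check_password("University2012!!!!!", "jdoe", []))             # ['dictionary']
    print(check_password("wildcat battery horse staple", "jdoe", []))    # []
    print(check_password("wildcat battery horse staple", "jdoe", [(salt, digest)]))  # ['reused']
```

Note that the passphrase "wildcat battery horse staple" is accepted although every word in it is in the dictionary: the dictionary rule rejects a password that is one word plus padding, which is what the existing policy targets, and length does the rest.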

Proposal part 2: Limit Guessing
- Password refresh for all users
  - Currently just faculty/staff, every 6 months
  - Apply to all users (students via Registration Ready)
  - Back off to once a year for everyone
- Lockout for excessive consecutive failures
  - Already doing this for eID WebAuth (9 fails → 15 min); we've seen very few lockouts
  - Proposed: 14 failed attempts → account locked for 1 hour
  - Extend this to Active Directory root for eID
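How the lockout and refresh settings combine against the 1-in-16,384 online-guessing requirement quoted on the InCommon Assurance Program slide, for the current settings (9 fails → 15 min, 6-month refresh) and the proposed ones (14 fails → 1 hour, 1-year refresh). This is an added example, not an analysis from the presentation; the attacker model is an assumption: one account, guesses made at the maximum rate the lockout permits, no CAPTCHA or other throttling, and the failed attempts themselves take no time.

```python
import math

SILVER_MAX_PROBABILITY = 1 / 16384  # "1 chance in 16,384" from the Assurance Profile quote

# Lockout/refresh settings taken from the slides; 6 months approximated as 182 days.
CURRENT_POLICY = {"failures_before_lock": 9, "lock_minutes": 15, "lifetime_days": 182}
PROPOSED_POLICY = {"failures_before_lock": 14, "lock_minutes": 60, "lifetime_days": 365}


def max_online_guesses(failures_before_lock: int, lock_minutes: float, lifetime_days: float) -> int:
    """Upper bound on online guesses against one account over the secret's lifetime:
    use up the allowed failures, wait out the lock, repeat until the password is refreshed."""
    lockout_cycles = lifetime_days * 24 * 60 / lock_minutes
    return math.ceil(lockout_cycles * failures_before_lock)


def required_space_bits(guesses: int, max_probability: float = SILVER_MAX_PROBABILITY) -> float:
    """log2 of the effective password space needed so that `guesses` distinct attempts
    succeed with probability at most max_probability (guesses / space <= p)."""
    return math.log2(guesses / max_probability)


def success_probability(guesses: int, space_bits: float) -> float:
    """Probability that `guesses` distinct attempts hit a password drawn uniformly from 2**space_bits."""
    return min(1.0, guesses / 2 ** space_bits)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """log2 of the brute-force keyspace. An upper bound on real strength: human-chosen
    passwords cluster, which is why the dictionary and common-password checks matter."""
    return length * math.log2(alphabet_size)


def policy_report(policy: dict) -> dict:
    guesses = max_online_guesses(**policy)
    return {"max_guesses": guesses, "required_space_bits": required_space_bits(guesses)}


if __name__ == "__main__":
    for name, policy in (("current", CURRENT_POLICY), ("proposed", PROPOSED_POLICY)):
        r = policy_report(policy)
        print(f"{name:8s}: at most {r['max_guesses']:,} online guesses per password lifetime; "
              f"needs >= {r['required_space_bits']:.1f} bits of effective password space")
    guesses = max_online_guesses(**PROPOSED_POLICY)
    for label, alphabet, length in (("8 chars, 95-symbol set", 95, 8), ("15 lower-case letters", 26, 15)):
        p = success_probability(guesses, keyspace_bits(alphabet, length))
        print(f"{label}: keyspace 2^{keyspace_bits(alphabet, length):.1f}, "
              f"p(success) = {p:.2e} {'<' if p < SILVER_MAX_PROBABILITY else '>='} 1/16384")
```

Two things the numbers show. First, the two policies permit a similar number of online guesses (about 157,000 now versus about 123,000 proposed), so the longer refresh interval is paid for by the stricter lockout and the Silver margin comes from the password-choice controls, not from lockout alone. Second, the model covers online guessing only; a stolen hash file is attacked offline with no lockout, which is what the refresh interval and the "even a very strong password can be cracked, given enough time" point address.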

Summary

Controls                 Strategies         The Goal
Length                 → Good Password    → Resist Guessing Attacks
Dictionary             → Good Password      ... InCommon Silver Assurance
Lock-out (14 → 1 hr)   → Limit Guesses
Refresh (1 yr)         → Limit Guesses

Questions…?

Links:
- InCommon Assurance Program
- NIST Electronic Authentication Guideline (63V1_0_2.pdf)