Presentation is loading. Please wait.

Presentation is loading. Please wait.

Password Policy: Update Recommendations Identity & Access Management Committee September, 2012.

Published byLina Ridley Modified over 9 years ago

Similar presentations

Presentation on theme: "Password Policy: Update Recommendations Identity & Access Management Committee September, 2012."— Presentation transcript:

1 Password Policy: Update Recommendations Identity & Access Management Committee September, 2012

2 Making Passwords Stronger Problems Our current passwords aren’t strong enough. Overly complex passwords are hard to remember. Goal Make passwords more resistant to guessing attacks, while making them easier to use and remember. Strategy Align our password policies with the InCommon Assurance Program (Silver level ≈ LoA2): REQUIRED for access to federal and other resources Apply to our entire environment (required): Now, include students in the mandatory program.

3 “The Authentication Secret and the controls used to limit online guessing attacks shall ensure that an attack... shall have a probability of success of less than 2 -14 (1 chance in 16,384) over the life of the Authentication Secret. This requires that an Authentication Secret be of sufficient complexity and that the number of invalid attempts to enter an Authentication Secret for a Subject be limited.“ InCommon Assurance Program A framework of trust for safely sharing resources Specifically designed for/by higher education Policy, process, technology Enables use of federated systems NIH, Grants.gov, Research.gov, Open Science Grid, Nat’l Student Clearinghouse, … Best-practice security Aids in compliance with PCI-DSS, HIPAA, etc. Recommendations drawn from NIST

4 Basic Tactics #1: Make our passwords stronger Stronger = Longer Our current 8-character minimum is no longer OK Longer is better than “complex” Easier to remember, easier to type Prevent bad password choices Enforce existing policy (dictionary check) Check against list of common/bad choices Prevent re-use #2: Limit the number of possible guesses Periodic refresh (all users) Consistent lockout policy (Web, UNIX, Windows)

5 Proposal part 1: Stronger Passwords (length) 15-character minimum, no complexity requirements Using numbers/caps/special is OK, but not required Any of the above is MUCH stronger than today:

6 Proposal part 1: Stronger Passwords (choice) Current IT Security Policy Don’t choose words from the dictionary Password ≠ derivation of username Start enforcing these Prevent choice of commonly chosen/cracked passwords “Password” is one of the most commonly chosen! 12345678, asdfghjkl, 00000000, etc. Prevent re-use Even a very strong password can be cracked, given enough time

7 Proposal part 2: Limit Guessing Password refresh for all users Currently just faculty/staff, every 6 months Apply to all users (Students via Registration Ready) Back off to once a year for everyone Lockout for excessive consecutive failures Already doing this for eID WebAuth (9 fails  15 min) We’ve seen very few lockouts 14 failed attempts  account locked for 1 hour Extend this to Active Directory root for eID

8 Summary: ControlsStrategies The Goal Length Dictionary Lock-out Refresh Good Password Limit Guesses Resist Guessing Attacks …InCommon Silver Assurance 15 14 = 1hr 1 yr

9 Questions…? And Links: InCommon Assurance Program http://www.incommon.org/assurance/ NIST Electronic Authentication Guideline http://csrc.nist.gov/publications/nistpubs/800-63/SP800- 63V1_0_2.pdf http://csrc.nist.gov/publications/nistpubs/800-63/SP800- 63V1_0_2.pdf

Download ppt "Password Policy: Update Recommendations Identity & Access Management Committee September, 2012."

Similar presentations

Point3r$. Password Introduction Passwords are a key part of any security system : –Work or Personal Strong passwords make your personal and work.

Point3r$. Password Introduction Passwords are a key part of any security system : –Work or Personal Strong passwords make your personal and work.
Accessing electronic journals from off- campus This causes lots of headaches, but dont despair, heres how to do it! (Please note – this presentation is.

Accessing electronic journals from off- campus This causes lots of headaches, but dont despair, heres how to do it! (Please note – this presentation is.
Member Access Registration & Login. 2 Registration Next, click on the Register Now button. To register for Member Access users should navigate to www.rotary.org.

Member Access Registration & Login. 2 Registration Next, click on the Register Now button. To register for Member Access users should navigate to
Appropriate Access: Levels of Assurance Stefan Wahe Office of Campus Information Security.

Appropriate Access: Levels of Assurance Stefan Wahe Office of Campus Information Security.
Password Cracking Lesson 10. Why crack passwords?

Password Cracking Lesson 10. Why crack passwords?
Presented by: Doug Falk National Student Clearinghouse Student Access to Federal Loan Data and Other Online Student Services.

Presented by: Doug Falk National Student Clearinghouse Student Access to Federal Loan Data and Other Online Student Services.
Password Security An overview. We need your help The IT department uses the latest technology and techniques to maintain the highest level of security.

Password Security An overview. We need your help The IT department uses the latest technology and techniques to maintain the highest level of security.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.

ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.
Enterprise Architecture 2014 EAAF as a vehicle for LoA Using EAAF processes to incrementally approach InCommon/UCTrust certification.

Enterprise Architecture 2014 EAAF as a vehicle for LoA Using EAAF processes to incrementally approach InCommon/UCTrust certification.
Two-Factor Authentication & Tools for Password Management August 29, 2014 Pang Chamreth, IT Development Innovations 1.

Two-Factor Authentication & Tools for Password Management August 29, 2014 Pang Chamreth, IT Development Innovations 1.
The SAFE-BioPharma Identity Proofing Process Author of Record SWG (Digital Credentials) October 3, 2012 Peter Alterman, Ph.D. Chief Operating Officer,

The SAFE-BioPharma Identity Proofing Process Author of Record SWG (Digital Credentials) October 3, 2012 Peter Alterman, Ph.D. Chief Operating Officer,
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
Technical Issues with Establishing Levels of Assurance Zephyr McLaughlin Lead, Security Middleware Computing & Communications University of Washington.

Technical Issues with Establishing Levels of Assurance Zephyr McLaughlin Lead, Security Middleware Computing & Communications University of Washington.
Federated Identity, Levels of Assurance, and the InCommon Silver Certification Jim Green Identity Management Academic Technology Services © Michigan State.

Federated Identity, Levels of Assurance, and the InCommon Silver Certification Jim Green Identity Management Academic Technology Services © Michigan State.
Tom Parker Project Manager Identity Management Team IT Security Group.

Tom Parker Project Manager Identity Management Team IT Security Group.
NetID Password Strength Initiative Gary Windham Senior Enterprise Systems Architect UITS Computing Services.

NetID Password Strength Initiative Gary Windham Senior Enterprise Systems Architect UITS Computing Services.
Public Works and Government Services Canada Travaux publics et Services gouvernementaux Canada Password Management for Multiple Accounts Some Security.

Public Works and Government Services Canada Travaux publics et Services gouvernementaux Canada Password Management for Multiple Accounts Some Security.
1 Authentication CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 11, 2004.

1 Authentication CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 11, 2004.
11 SUPPORTING LOCAL USERS AND GROUPS Chapter 3. Chapter 3: Supporting Local Users and Groups2 SUPPORTING LOCAL USERS AND GROUPS  Explain the difference.

11 SUPPORTING LOCAL USERS AND GROUPS Chapter 3. Chapter 3: Supporting Local Users and Groups2 SUPPORTING LOCAL USERS AND GROUPS  Explain the difference.

Similar presentations

Ads by Google