
Password Policy: Update Recommendations


Presentation Transcript


  1. Password Policy: Update Recommendations Identity & Access Management Committee September, 2012

  2. Making Passwords Stronger
  • Problems
    • Our current passwords aren’t strong enough.
    • Overly complex passwords are hard to remember.
  • Goal
    • Make passwords more resistant to guessing attacks, while making them easier to use and remember.
  • Strategy
    • Align our password policies with the InCommon Assurance Program (Silver level ≈ LoA2):
      • REQUIRED for access to federal and other resources
    • Apply to our entire environment (required):
      • Now, include students in the mandatory program.

  3. InCommon Assurance Program
  • A framework of trust for safely sharing resources
    • Specifically designed for/by higher education
    • Policy, process, technology
  • Enables use of federated systems
    • NIH, Grants.gov, Research.gov, Open Science Grid, Nat’l Student Clearinghouse, …
  • Best-practice security
    • Aids in compliance with PCI-DSS, HIPAA, etc.
  • Recommendations drawn from NIST:
    “The Authentication Secret and the controls used to limit online guessing attacks shall ensure that an attack... shall have a probability of success of less than 2^-14 (1 chance in 16,384) over the life of the Authentication Secret. This requires that an Authentication Secret be of sufficient complexity and that the number of invalid attempts to enter an Authentication Secret for a Subject be limited.”

  4. Basic Tactics
  • #1: Make our passwords stronger
    • Stronger = Longer
      • Our current 8-character minimum is no longer OK
      • Longer is better than “complex”
      • Easier to remember, easier to type
    • Prevent bad password choices
      • Enforce existing policy (dictionary check)
      • Check against list of common/bad choices
      • Prevent re-use
  • #2: Limit the number of possible guesses
    • Periodic refresh (all users)
    • Consistent lockout policy (Web, UNIX, Windows)

  5. Proposal part 1: Stronger Passwords (length)
  • 15-character minimum, no complexity requirements
    • Using numbers/caps/special is OK, but not required
  • Any of the above is MUCH stronger than today:

  6. Proposal part 1: Stronger Passwords (choice)
  • Current IT Security Policy
    • Don’t choose words from the dictionary
    • Password ≠ derivation of username
    • Start enforcing these
  • Prevent choice of commonly chosen/cracked passwords
    • “Password” is one of the most commonly chosen!
    • 12345678, asdfghjkl, 00000000, etc.
  • Prevent re-use
    • Even a very strong password can be cracked, given enough time

  7. Proposal part 2: Limit Guessing
  • Password refresh for all users
    • Currently just faculty/staff, every 6 months
    • Apply to all users
      • (Students via Registration Ready)
    • Back off to once a year for everyone
  • Lockout for excessive consecutive failures
    • Already doing this for eID WebAuth (9 fails → 15 min)
      • We’ve seen very few lockouts
    • 14 failed attempts → account locked for 1 hour
    • Extend this to Active Directory root for eID

  8. Summary

  Controls                   Strategies               The Goal
  15 Length                  Resist Guessing Attacks  InCommon Silver Assurance
  Good Password Dictionary   Resist Guessing Attacks  InCommon Silver Assurance
  Lock-out 14 = 1hr          Limit Guesses            InCommon Silver Assurance
  Refresh 1 yr               Limit Guesses            InCommon Silver Assurance
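As an added illustration (not part of the presentation), the following Python models the controls proposed in slides 3, 6 and 7 together: the password-choice checks (15-character minimum, common-password list, username derivation, re-use), the 14-failures → 1-hour lockout, and the online-guessing budget that the NIST 2^-14 bound implies under a one-year refresh. The common-password list is a constructed stand-in for a real list, and clock values are plain seconds rather than datetimes.

```python
import math
# Parameters proposed in the slides.
MIN_LENGTH = 15
LOCKOUT_THRESHOLD = 14        # consecutive failures before lockout
LOCKOUT_SECONDS = 3600        # locked for 1 hour
REFRESH_DAYS = 365            # annual password refresh
NIST_MAX_SUCCESS = 2 ** -14   # 1 chance in 16,384 over the secret's life
# Constructed stand-in for a real list of commonly chosen/cracked passwords.
COMMON_PASSWORDS = {"password", "12345678", "asdfghjkl", "00000000"}

def check_password(candidate, username, previous=()):
    """Return the policy violations for a proposed password (empty = acceptable)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("commonly chosen password")
    if username and username.lower() in candidate.lower():
        problems.append("derived from username")
    if candidate in previous:
        problems.append("re-used password")
    return problems

def max_online_guesses(days=REFRESH_DAYS):
    """Upper bound on online guesses before refresh: one lockout's worth per window."""
    return (days * 86400 // LOCKOUT_SECONDS) * LOCKOUT_THRESHOLD

def min_entropy_bits(guesses):
    """Guessing entropy (bits) needed so that guesses / 2**bits <= NIST_MAX_SUCCESS."""
    return math.ceil(math.log2(guesses / NIST_MAX_SUCCESS))

class LockoutTracker:
    """Per-account consecutive-failure counter; times are plain seconds."""
    def __init__(self):
        self.failures = {}
        self.locked_until = {}
    def is_locked(self, user, now):
        return self.locked_until.get(user, now) > now
    def attempt(self, user, success, now):
        """Record a login attempt; returns True only when the login is accepted."""
        if self.is_locked(user, now):
            return False
        if success:
            self.failures[user] = 0
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= LOCKOUT_THRESHOLD:   # 14th failure locks for 1 hour
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures[user] = 0
        return False
```

With a one-year refresh and 14 guesses per hour-long lockout window, an attacker gets at most 122,640 online guesses, so the 2^-14 bound needs roughly 31 bits of guessing entropy per password.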

  9. Questions…? And Links:
  • InCommon Assurance Program
    • http://www.incommon.org/assurance/
  • NIST Electronic Authentication Guideline
    • http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
