assurance - Re: [Assurance] Password Strength Requirements
Subject: Assurance
List archive
- From: Eric Goodman <>
- To:
- Subject: Re: [Assurance] Password Strength Requirements
- Date: Wed, 8 Aug 2012 13:00:00 -0700
Intentionally skipping the DDoS part of the question:
I much prefer actual counting of login attempts. By my math, unless you require really complex passwords (beyond some of the basic standards you'll typically see), a very slow but persistent attack could theoretically compromise an account relatively quickly. E.g., even 2 failed logins per hour adds up to 1 in 2^14 pretty darned fast.
To avoid forcing user to make password changes -- which is somewhat generally agreed to introduce its own security risks -- tracking the total number rather of failures seems much more user-friendly than assuming attacks are occurring at the theoretical maximum speed (even taking into account any delays, etc).
Note that I didn't answer what we ARE doing. I think that's still up in the air.
--- Eric
On Wed, Aug 8, 2012 at 11:00 AM, Benn Oshrin <> wrote:
Back in December, there were some spreadsheets sent around discussing the "sliders" to select password policies as required by §4.2.3.[2,3]. Bronze and Silver basically reference 800-63-1 appendix A which, as I understand it, essentially says your password management policy is calculated from
- The complexity required for the password (length, dictionary, composition)
- The number of unsuccessful attempts required before the password must be locked/changed
- Time introduced to frustrate attacks, via lockouts
I'm curious about what approaches people are settling upon now. For example,
- Is anyone (considering) maintaining a simple failed authentication counter per-password, and expiring the password once the counter reaches the limit permitted by the complexity for the level (Bronze/Silver) of interest? (ie: no lockout, no scheduled expiration)
- Where password lockout is being used (for n amount of time after m failed attempts, but then unlocking the password without reset unless it has expired), what "slider" settings are you using/planning to use compared to what you previously used/currently use? How, if at all, are you (planning on) handling DOS risk?
- Are you (planning on) requiring longer passwords?
(We discussed 2FA/OTP as a "beyond Silver" option back in March, so I'm less interested in that aspect.)
Is there any sense that these requirements are "too strong" for Bronze/LOA1? Or, less likely, "too weak"?
Thanks,
-Benn-
- [Assurance] Password Strength Requirements, Benn Oshrin, 08/08/2012
- Re: [Assurance] Password Strength Requirements, Brendan Bellina, 08/08/2012
- Re: [Assurance] Password Strength Requirements, Eric Goodman, 08/08/2012
- RE: [Assurance] Password Strength Requirements, Dergenski, Todd A., 08/08/2012
- Re: [Assurance] Password Strength Requirements, Brendan Bellina, 08/08/2012
- Re: [Assurance] Password Strength Requirements, Tom Scavo, 08/09/2012
- <Possible follow-up(s)>
- Re: [Assurance] Password Strength Requirements, Joe St Sauver, 08/08/2012
- Re: [Assurance] Password Strength Requirements, Cantor, Scott, 08/08/2012
- Re: [Assurance] Password Strength Requirements, David Bantz, 08/08/2012
- [Assurance] Re: Password Strength Requirements, Jon Miner, 08/08/2012
- Re: [Assurance] Re: Password Strength Requirements, Stefan Wahe, 08/08/2012
- Re: [Assurance] Password Strength Requirements, Cantor, Scott, 08/08/2012
- Re: [Assurance] Password Strength Requirements, Joe St Sauver, 08/08/2012
- Re: [Assurance] Password Strength Requirements, Cantor, Scott, 08/08/2012
Archive powered by MHonArc 2.6.16.