Assurance

["Dergenski, Todd A." <>]

Hello Benn:
We have not made a conscious effort to meet bronze or silver, but we are 
trying to line up where we can.  When we decide to go for Bronze or Silver, 
these will all be re-evaluated. At the very least, we are using Bronze/Silver 
as a metric for our password strength, so please take the below with a grain 
of salt.

- Is anyone (considering) maintaining a simple failed authentication counter 
per-password, and expiring the password once the counter reaches the limit 
permitted by the complexity for the level (Bronze/Silver) of interest? (ie: 
no lockout, no scheduled expiration)
No. We run multiple LDAPs and distinct accounts per service, so this approach 
was not really applicable for our environment.

- Where password lockout is being used (for n amount of time after m failed 
attempts, but then unlocking the password without reset unless it has 
expired), what "slider" settings are you using/planning to use compared to 
what you previously used/currently use? How, if at all, are you (planning on) 
handling DOS risk?
We settled on defining number of attempts based on the number of services x 
lockout attempts.  So, 100 services (exaggerated to service growth) x 100 
attempts for students =  10,000 password attempts.  We then played with the 
slider and settled on 72 hours.  This was decided between IT and Audit to 
allow for the lockout complaint to serve as a security notification.  No user 
should ever be attempting 100 password attempts before calling the help desk. 
 We do have a policy that sets the attempts to 50 that is combined with a 
slightly longer password to meet level 2.

We have no public facing LDAPs and we monitor/control internal connections to 
our LDAPs, so the only real way for someone to lockout DOS would be through 
the public applications which slows them down tremendously.  We usually view 
permanent locks as the security risk vs time locks auto correct themselves.

- Are you (planning on) requiring longer passwords?
With the LONG lockout, we were able to maintain 8 characters for bronze and 9 
for silver with 180 day password rotation. At least on the spreadsheet.

- Is there any sense that these requirements are "too strong" for 
Bronze/LOA1? Or, less likely, "too weak"?
Most of the concern came from the help desk.  They argued that a fast lockout 
(3 to 5 attempts per service) combined the shortest lockout duration would be 
more problematic than setting the lockout attempts (10 to 20) above the point 
where they would call anyways.  This would leave only the jealous 
boyfriend/girlfriend (happens more than you know) and attackers attempting 
more.

Our password policies can be assigned to roles and/or groups and we have the 
ability to build groups off of data access.  So users with "sensitive" data 
access can automatically be added to a stronger (read silver) password 
policy.  


Todd Dergenski
Old Dominion University
Senior Security Administrator
4700 Elkhorn Ave - Room 4300
Norfolk, Va, 23529 USA

(757) 683-4301


-----Original Message-----
From: 

 
[mailto:]
 On Behalf Of Benn Oshrin
Sent: Wednesday, August 08, 2012 2:01 PM
To: 

Subject: [Assurance] Password Strength Requirements

Back in December, there were some spreadsheets sent around discussing the 
"sliders" to select password policies as required by §4.2.3.[2,3]. 
Bronze and Silver basically reference 800-63-1 appendix A which, as I 
understand it, essentially says your password management policy is calculated 
from

- The complexity required for the password (length, dictionary, composition)
- The number of unsuccessful attempts required before the password must be 
locked/changed
- Time introduced to frustrate attacks, via lockouts

I'm curious about what approaches people are settling upon now. For example,

- Is anyone (considering) maintaining a simple failed authentication counter 
per-password, and expiring the password once the counter reaches the limit 
permitted by the complexity for the level (Bronze/Silver) of interest? (ie: 
no lockout, no scheduled expiration)

- Where password lockout is being used (for n amount of time after m failed 
attempts, but then unlocking the password without reset unless it has 
expired), what "slider" settings are you using/planning to use compared to 
what you previously used/currently use? How, if at all, are you (planning on) 
handling DOS risk?

- Are you (planning on) requiring longer passwords?

(We discussed 2FA/OTP as a "beyond Silver" option back in March, so I'm less 
interested in that aspect.)

Is there any sense that these requirements are "too strong" for Bronze/LOA1? 
Or, less likely, "too weak"?

Thanks,

-Benn-


--
BEGIN-ANTISPAM-VOTING-LINKS
------------------------------------------------------

Teach CanIt if this mail (ID 692156878) is spam:
Spam:        
https://www.spamtrap.odu.edu/b.php?i=692156878&m=928dc20fcfed&t=20120808&c=s
Not spam:    
https://www.spamtrap.odu.edu/b.php?i=692156878&m=928dc20fcfed&t=20120808&c=n
Forget vote: 
https://www.spamtrap.odu.edu/b.php?i=692156878&m=928dc20fcfed&t=20120808&c=f
------------------------------------------------------
END-ANTISPAM-VOTING-LINKS