Skip to Content.
Sympa Menu

assurance - RE: [Assurance] Password Strength Requirements

Subject: Assurance

List archive

RE: [Assurance] Password Strength Requirements


Chronological Thread 
  • From: "Dergenski, Todd A." <>
  • To: "" <>
  • Subject: RE: [Assurance] Password Strength Requirements
  • Date: Wed, 8 Aug 2012 20:42:25 +0000
  • Accept-language: en-US

Hello Benn:
We have not made a conscious effort to meet bronze or silver, but we are
trying to line up where we can. When we decide to go for Bronze or Silver,
these will all be re-evaluated. At the very least, we are using Bronze/Silver
as a metric for our password strength, so please take the below with a grain
of salt.

- Is anyone (considering) maintaining a simple failed authentication counter
per-password, and expiring the password once the counter reaches the limit
permitted by the complexity for the level (Bronze/Silver) of interest? (ie:
no lockout, no scheduled expiration)
No. We run multiple LDAPs and distinct accounts per service, so this approach
was not really applicable for our environment.

- Where password lockout is being used (for n amount of time after m failed
attempts, but then unlocking the password without reset unless it has
expired), what "slider" settings are you using/planning to use compared to
what you previously used/currently use? How, if at all, are you (planning on)
handling DOS risk?
We settled on defining number of attempts based on the number of services x
lockout attempts. So, 100 services (exaggerated to service growth) x 100
attempts for students = 10,000 password attempts. We then played with the
slider and settled on 72 hours. This was decided between IT and Audit to
allow for the lockout complaint to serve as a security notification. No user
should ever be attempting 100 password attempts before calling the help desk.
We do have a policy that sets the attempts to 50 that is combined with a
slightly longer password to meet level 2.

We have no public facing LDAPs and we monitor/control internal connections to
our LDAPs, so the only real way for someone to lockout DOS would be through
the public applications which slows them down tremendously. We usually view
permanent locks as the security risk vs time locks auto correct themselves.

- Are you (planning on) requiring longer passwords?
With the LONG lockout, we were able to maintain 8 characters for bronze and 9
for silver with 180 day password rotation. At least on the spreadsheet.

- Is there any sense that these requirements are "too strong" for
Bronze/LOA1? Or, less likely, "too weak"?
Most of the concern came from the help desk. They argued that a fast lockout
(3 to 5 attempts per service) combined the shortest lockout duration would be
more problematic than setting the lockout attempts (10 to 20) above the point
where they would call anyways. This would leave only the jealous
boyfriend/girlfriend (happens more than you know) and attackers attempting
more.

Our password policies can be assigned to roles and/or groups and we have the
ability to build groups off of data access. So users with "sensitive" data
access can automatically be added to a stronger (read silver) password
policy.


Todd Dergenski
Old Dominion University
Senior Security Administrator
4700 Elkhorn Ave - Room 4300
Norfolk, Va, 23529 USA

(757) 683-4301


-----Original Message-----
From:


[mailto:]
On Behalf Of Benn Oshrin
Sent: Wednesday, August 08, 2012 2:01 PM
To:

Subject: [Assurance] Password Strength Requirements

Back in December, there were some spreadsheets sent around discussing the
"sliders" to select password policies as required by ยง4.2.3.[2,3].
Bronze and Silver basically reference 800-63-1 appendix A which, as I
understand it, essentially says your password management policy is calculated
from

- The complexity required for the password (length, dictionary, composition)
- The number of unsuccessful attempts required before the password must be
locked/changed
- Time introduced to frustrate attacks, via lockouts

I'm curious about what approaches people are settling upon now. For example,

- Is anyone (considering) maintaining a simple failed authentication counter
per-password, and expiring the password once the counter reaches the limit
permitted by the complexity for the level (Bronze/Silver) of interest? (ie:
no lockout, no scheduled expiration)

- Where password lockout is being used (for n amount of time after m failed
attempts, but then unlocking the password without reset unless it has
expired), what "slider" settings are you using/planning to use compared to
what you previously used/currently use? How, if at all, are you (planning on)
handling DOS risk?

- Are you (planning on) requiring longer passwords?

(We discussed 2FA/OTP as a "beyond Silver" option back in March, so I'm less
interested in that aspect.)

Is there any sense that these requirements are "too strong" for Bronze/LOA1?
Or, less likely, "too weak"?

Thanks,

-Benn-


--
BEGIN-ANTISPAM-VOTING-LINKS
------------------------------------------------------

Teach CanIt if this mail (ID 692156878) is spam:
Spam:
https://www.spamtrap.odu.edu/b.php?i=692156878&m=928dc20fcfed&t=20120808&c=s
Not spam:
https://www.spamtrap.odu.edu/b.php?i=692156878&m=928dc20fcfed&t=20120808&c=n
Forget vote:
https://www.spamtrap.odu.edu/b.php?i=692156878&m=928dc20fcfed&t=20120808&c=f
------------------------------------------------------
END-ANTISPAM-VOTING-LINKS




Archive powered by MHonArc 2.6.16.

Top of Page