Re: [Assurance] Password Strength Requirements

  • From: Brendan Bellina <>
  • To:
  • Cc: Brendan Bellina <>
  • Subject: Re: [Assurance] Password Strength Requirements
  • Date: Wed, 8 Aug 2012 14:43:33 -0700

(Just sending this again since I'm not certain it made it to the list the
first time.)

We've recently developed logic in our LDAP authentication plug-in to keep a
failed password counter per-account. The response to failed attempts is
increasingly delayed as the number of attempts increases so that a brute
force attack through Shib or directly against LDAP shouldn't prove effective.
The frequency of increases and increase amounts are customizable. The
advantage of this approach over the use of the lockout features provided by
SJES and 389 is that it defeats a brute force attack without locking out the
valid user of the account. We developed this in response to concerns about
SSO being used with sensitive applications, and did not consider the
requirements of Bronze/Silver. The plug-in is compatible with SJES 6+ and
389. If there is anyone with interest just let me know and we can consider
arrangements to release the code.

Regards,

Brendan Bellina
IdM Mgr, USC

On Aug 8, 2012, at 11:00 AM, Benn Oshrin
<>
wrote:

> Back in December, there were some spreadsheets sent around discussing the
> "sliders" to select password policies as required by §4.2.3.[2,3]. Bronze
> and Silver basically reference 800-63-1 appendix A which, as I understand
> it, essentially says your password management policy is calculated from
>
> - The complexity required for the password (length, dictionary, composition)
> - The number of unsuccessful attempts required before the password must be
> locked/changed
> - Time introduced to frustrate attacks, via lockouts
>
> I'm curious about what approaches people are settling upon now. For example,
>
> - Is anyone (considering) maintaining a simple failed authentication
> counter per-password, and expiring the password once the counter reaches
> the limit permitted by the complexity for the level (Bronze/Silver) of
> interest? (i.e. no lockout, no scheduled expiration)
>
> - Where password lockout is being used (for n amount of time after m failed
> attempts, but then unlocking the password without reset unless it has
> expired), what "slider" settings are you using/planning to use compared to
> what you previously used/currently use? How, if at all, are you (planning
> on) handling DOS risk?
>
> - Are you (planning on) requiring longer passwords?
>
> (We discussed 2FA/OTP as a "beyond Silver" option back in March, so I'm
> less interested in that aspect.)
>
> Is there any sense that these requirements are "too strong" for
> Bronze/LOA1? Or, less likely, "too weak"?
>
> Thanks,
>
> -Benn-
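As an added example (not code from either message, and not the USC plug-in), the following Python models the two mechanisms discussed in this thread side by side: Brendan's per-account failed-password counter whose response delay escalates with the count, and Benn's per-password failure budget that expires the password once the count reaches the limit implied by its entropy. The step/increment/cap values, the lifetime guessing bounds of 1/1024 (Level 1, Bronze) and 1/16384 (Level 2, Silver) attributed here to 800-63-1, and the entropy estimates fed in are all assumptions for illustration; check them against the edition of the spec you are targeting.

```python
"""Escalating per-account delay beside a per-password failure budget.

Constructed example for the thread above; not the USC LDAP plug-in.
All policy numbers are illustrative assumptions.
"""
import hmac
import time
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class DelayPolicy:
    """Every `step` failures the delay grows by `increment` seconds, capped at
    `max_delay`. A valid login resets the counter, so the user is never locked
    out; they only wait while an attack is in progress."""
    step: int = 3
    increment: float = 2.0
    max_delay: float = 60.0

    def delay_for(self, failures: int) -> float:
        return min(self.max_delay, (failures // self.step) * self.increment)

    def attack_cost(self, guesses: int) -> float:
        """Total seconds a serial guesser absorbs for `guesses` wrong passwords
        (the k-th wrong guess is delayed by delay_for(k))."""
        return float(sum(self.delay_for(k) for k in range(1, guesses + 1)))


@dataclass(frozen=True)
class BudgetPolicy:
    """Expire the password once cumulative failures reach the count that keeps
    lifetime guessing success below `max_success`. The 1/1024 (Level 1) and
    1/16384 (Level 2) bounds are assumed from 800-63-1; verify before use."""
    max_success: float = 1 / 1024

    def allowed_failures(self, entropy_bits: float) -> int:
        return int(2 ** entropy_bits * self.max_success)


@dataclass
class Account:
    password: str        # plaintext only because this is a toy; store a hash
    entropy_bits: float  # estimate for the password policy in force (assumed)
    failures: int = 0
    expired: bool = False


class Authenticator:
    def __init__(self, delay: DelayPolicy, budget: Optional[BudgetPolicy] = None,
                 sleep: Callable[[float], None] = time.sleep) -> None:
        self.delay, self.budget, self.sleep = delay, budget, sleep

    def authenticate(self, acct: Account, candidate: str) -> Tuple[bool, float]:
        """Return (success, seconds_delayed).

        The counter is incremented before sleeping, so concurrent guesses each
        see a higher count instead of all paying the pre-attack delay."""
        if acct.expired:
            return False, 0.0  # must reset the password; even the right one fails
        if hmac.compare_digest(acct.password.encode(), candidate.encode()):
            acct.failures = 0
            return True, 0.0
        acct.failures += 1
        if self.budget is not None and \
                acct.failures >= self.budget.allowed_failures(acct.entropy_bits):
            acct.expired = True  # force a change rather than lock the user out
        wait = self.delay.delay_for(acct.failures)
        self.sleep(wait)
        return False, wait


if __name__ == "__main__":
    policy = DelayPolicy()
    print("100 serial guesses cost %.0f s of delay" % policy.attack_cost(100))
    auth = Authenticator(policy, BudgetPolicy(max_success=1 / 16384),
                         sleep=lambda s: None)  # no real sleeping in the demo
    acct = Account(password="correct horse", entropy_bits=16)  # budget: 4 tries
    for guess in ("password", "letmein", "Password1", "qwerty"):
        print(guess, auth.authenticate(acct, guess))
    print("owner after attack:", auth.authenticate(acct, "correct horse"))
```

The trade-off Benn raises as DoS risk shows up here too: while an attack is running the legitimate user waits as well, and a server that sleeps inside the bind handler holds a thread per delayed response, so the cap on the delay and the reset-on-success are what keep the scheme from becoming a lockout by another name.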



