
assurance - Re: [Assurance] Failed Authentication Counter Strawman

  • From: David Langenberg <>
  • To:
  • Subject: Re: [Assurance] Failed Authentication Counter Strawman
  • Date: Mon, 3 Jun 2013 15:40:20 -0600
  • Authentication-results: sfpop-ironport01.merit.edu; dkim=neutral (message not signed) header.i=none

We considered the approach and even had a conceptual design very similar to yours, but decided against implementation.  Rather, using the "entropinators" we found it was much easier for us to tweak our password complexity to find a happy medium for letting LDAP/AD continue to manage their own lockout policies internally and still remain compliant with Silver.  Right now the approach is sitting in the auditor's hands so can't yet give any certainty as to the outcome.

Dave


On Mon, Jun 3, 2013 at 3:25 PM, Michael W. Brogan <> wrote:
Benn,

Several months ago we at the University of Washington went through an exercise to see how we might implement failed login tracking with our systems. What we came up with was nearly identical to what you described and diagrammed. We haven't implemented anything yet, but it's safe to say we are considering a similar approach.

We were especially interested in using failed login counts and max guesses per entropy level as the driver for password changes rather than pre-determined password ages. I'm curious if anyone else has implemented something like that on their campus yet.

--Michael

-----Original Message-----
From: [mailto:] On Behalf Of Benn Oshrin
Sent: Friday, May 31, 2013 2:52 PM
To:
Subject: [Assurance] Failed Authentication Counter Strawman

As mentioned on a couple of previous calls, I've been interested in a solution for counting failed authentication attempts. I've drafted a strawman, available for review at

  https://spaces.internet2.edu/x/kAtOAg

I'd be interested in comments and feedback, and assuming no fatal flaw, I'd also be interested if anyone else is considering a similar approach.

Thanks,

-Benn-



--
David Langenberg
Identity & Access Management
The University of Chicago
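
The idea raised in this thread, failed-login counts measured against a maximum number of guesses per entropy level as the trigger for a password change, is sketched below as an added example; it is not code from the thread participants or from the linked strawman. The 2^-14 guessing-probability target, the `FailedAuthCounter` class, and the sample entropy values are assumptions made for illustration.

```python
import math
from dataclasses import dataclass

# Assumption (not from the thread): an online guesser may succeed with
# probability at most 2**-TARGET_BITS over the lifetime of one password.
TARGET_BITS = 14


def max_guesses(entropy_bits: float, target_bits: int = TARGET_BITS) -> int:
    """Failed attempts a password can absorb: g / 2**H <= 2**-target_bits."""
    return math.floor(2 ** (entropy_bits - target_bits))


@dataclass
class Credential:
    entropy_bits: float  # estimated entropy of the policy the password was set under
    failed: int = 0      # failures since the last password change


class FailedAuthCounter:
    """Hypothetical lifetime counter, kept apart from the directory's lockout counter."""

    def __init__(self) -> None:
        self._creds = {}

    def set_password(self, user: str, entropy_bits: float) -> None:
        # A new password starts a fresh guessing budget.
        self._creds[user] = Credential(entropy_bits)

    def record(self, user: str, success: bool) -> str:
        cred = self._creds[user]
        # Unlike a lockout counter, a successful login does not reset the
        # count: guesses already made against this password still count.
        if not success:
            cred.failed += 1
        # A budget of 0 means the password is too weak for the target at all.
        if cred.failed >= max_guesses(cred.entropy_bits):
            return "change_required"
        return "ok"


if __name__ == "__main__":
    counter = FailedAuthCounter()
    counter.set_password("alice", entropy_bits=16)  # constructed sample: budget of 4
    for outcome in [False, False, True, False, False]:
        print(outcome, counter.record("alice", outcome))
```

The counter is reset only by `set_password`, so the password change is driven by guesses consumed rather than by a pre-determined password age.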


