
assurance - [Assurance] RE: Question about entropy calculator

  • From: Eric Goodman <>
  • To: "" <>
  • Subject: [Assurance] RE: Question about entropy calculator
  • Date: Fri, 2 May 2014 16:00:48 +0000
  • Accept-language: en-US

Going straight off of NIST, 94 characters plus complexity rules is 32 bits of entropy.

 

To get Bronze, you must limit total possible guesses to 1:2^10, which means you can allow 2^22 (~420,000) guesses. For Silver the limit is 1:2^14, so you’d have to limit to 2^18 (~26,000) guesses.

 

Your setup allows roughly 5 guesses every 10 minutes, which is 30 guesses an hour, 720 a day, and 262,800 in a year (at which point you force a reset). So you’d be good for Bronze and close, but not quite there for Silver.

 

--- Eric

 

From: [mailto:] On Behalf Of Yates, Bry-Ann L
Sent: Thursday, May 01, 2014 2:26 PM
To:
Subject: [Assurance] Question about entropy calculator

 

Hello,

The University at Albany is working toward our Bronze Assurance.  We are currently trying to determine what password settings we would have to implement in order to reach the right entropy level using the calculator. <https://spaces.internet2.edu/display/InCAssurance/Password+Entropy+Calculators>

 

It would seem to be easier for us to reach LOA 2 in the K column than to reach the LOA 1 section in column J on the “94characters” tab under the “94 characters set, Plus complexity rules” section.

 

1.       We would like to have a minimum password of 10 complex characters.

2.       Allow for 5 guesses before lockout.

3.       A lockout for 10 min, which we are entering as .6

4.       Force the password change every 365 days.

 

This makes row 24, column F (length) and K (LOA2) green, but leaves column J (LOA1) orange.  I believe LOA1 needs to be green for Bronze, is that correct?

 

Can someone help me interpret what is needed?

 

Thank you,

Bry-Ann
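
The throttling check discussed in this thread, as an added example that is not part of the original messages or of the InCommon calculator. It takes the thread's inputs (32 bits of entropy, guessing limits of 1 in 2^10 and 1 in 2^14, 5 guesses per 10-minute lockout, 365-day lifetime) and also solves for the longest lifetime and shortest lockout that fit each budget; the function names are illustrative assumptions.

```python
# Added example: guess-budget check for a throttled password policy.
# Inputs come from the thread; all function names are hypothetical.
import math

LIMIT_BITS = {"Bronze": 10, "Silver": 14}  # guessing chance capped at 1 in 2^k


def guess_budget(entropy_bits, limit_bits):
    """Total guesses that may be allowed over the password's lifetime."""
    return 2 ** (entropy_bits - limit_bits)


def lifetime_guesses(attempts, lockout_minutes, lifetime_days):
    """Upper bound on online guesses, assuming `attempts` per lockout window."""
    windows = lifetime_days * 24 * 60 / lockout_minutes
    return math.floor(windows * attempts)


def max_lifetime_days(entropy_bits, limit_bits, attempts, lockout_minutes):
    """Longest forced-reset interval (whole days) that stays within budget."""
    per_day = attempts * 24 * 60 / lockout_minutes
    return math.floor(guess_budget(entropy_bits, limit_bits) / per_day)


def min_lockout_minutes(entropy_bits, limit_bits, attempts, lifetime_days):
    """Shortest lockout (whole minutes) that stays within budget."""
    budget = guess_budget(entropy_bits, limit_bits)
    return math.ceil(attempts * lifetime_days * 24 * 60 / budget)


def evaluate(entropy_bits, attempts, lockout_minutes, lifetime_days):
    """Per-level verdict: budget, guesses the policy permits, pass/fail."""
    used = lifetime_guesses(attempts, lockout_minutes, lifetime_days)
    report = {}
    for level, k in LIMIT_BITS.items():
        budget = guess_budget(entropy_bits, k)
        report[level] = {"budget": budget, "guesses": used, "ok": used <= budget}
    return report


if __name__ == "__main__":
    for level, row in evaluate(32, 5, 10, 365).items():
        k = LIMIT_BITS[level]
        print(level, row,
              "max lifetime (days):", max_lifetime_days(32, k, 5, 10),
              "min lockout (min):", min_lockout_minutes(32, k, 5, 365))
```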



