Educause Security Discussion mailing list archives
Re: Password Guidelines
From: Steven Alexander <steven.alexander () KCCD EDU>
Date: Wed, 24 Aug 2016 00:06:16 +0000
I just started in my role so I'm looking at our password requirements generally. We're not blacklisting, but it's something that I want to do. I'd like to use a large list, e.g. all dictionary words + RockYou + LinkedIn. If anyone has actually put blacklisting into practice, I'd love to hear about what you did and how it went.

I think that the password advice that's been given out for years is generally bad. NIST still recommends eight characters, but it also says that we should use PBKDF2, which most systems do not use. I think that this will be intentionally and/or unintentionally misread to justify sticking with eight characters even when PBKDF2 (or another strong KDF/password hash) is not in use. With PBKDF2 and a reasonable cost value, eight characters is probably enough, but for other systems (e.g. Active Directory with MD4), the minimum needs to be about 15 or 16 characters if you care about offline attacks at all. Offline attacks are at least a million times faster than when we first started recommending eight characters.

I'm thrilled that password expiration every NN days is not recommended. Password expiration hurts security and the idea needs to die. I'm also very happy about the stretching and salting recommendations. I'd love to see them recommend Argon, bcrypt or scrypt, but PBKDF2 is way better than any of the one- or two-iteration hash solutions that are out there.

Regards,

Steven Alexander
Director of IT Security
Kern Community College District

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Rob Milman
Sent: Tuesday, August 23, 2016 2:52 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Guidelines

Hi Frank,

I found that our existing password policies are pretty robust; however, I hadn't considered using a password blacklist as suggested in the draft. Is anyone using a password blacklist to prevent users from using a compromised password? I know I've run into this on some websites, but not in an enterprise-level authentication system.

Rob Milman
Security & Compliance Analyst
Information Systems
Southern Alberta Institute of Technology
EH Crandell Building, GA 214
1301 – 16 Avenue NW, Calgary AB, T2M 0L4
(Office) 403.774.5401
(Cell) 403.606.3173
rob.milman () sait ca

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Frank Barton
Sent: Tuesday, August 23, 2016 11:21 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Password Guidelines

Good afternoon folks,

I am wondering if the recent NIST draft authentication guidelines have caused anybody to review their existing password policies, and, if so, caused any changes? (For those of you that haven't read it yet: https://pages.nist.gov/800-63-3/)

Frank

--
Frank Barton
ACMT
IT Systems Administrator
Husson University
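The blacklist check the thread is asking about, written out as an added example; this is not code from any of the posters or from NIST. It assumes a small constructed word list standing in for a real corpus (dictionary words plus breach dumps such as RockYou), normalizes the candidate so that trivial variants like "Welcome2016!" still match "welcome", and stores the list as SHA-1 digests so raw leaked passwords never sit in the policy store. The length thresholds follow the figures Steven gives above (8 with a slow salted KDF, 15 with a fast unsalted hash such as NT/MD4) and are an assumption to tune for your own environment, not a rule.

```python
import hashlib
import re

# Constructed sample standing in for a large blacklist (dictionary words plus
# breach corpora). A real deployment loads many millions of entries from a
# file; the shape of the check is the same.
SAMPLE_BLACKLIST_WORDS = [
    "password", "123456", "qwerty", "letmein", "iloveyou",
    "welcome", "monkey", "dragon", "football", "summer",
]

# Trailing digits and punctuation are the most common "make it pass the
# complexity rule" decoration; strip them before matching.
_TRAILING_JUNK = re.compile(r"[0-9!@#$%^&*._\-]+$")


def normalize(password):
    """Canonical form for matching: lower-cased with trailing digits and
    punctuation removed, so 'Welcome2016!' is compared as 'welcome'."""
    return _TRAILING_JUNK.sub("", password.lower())


def build_blacklist(words):
    """Return a set of SHA-1 hex digests of the lower-cased words.

    SHA-1 is used for speed and to keep plaintext leaked passwords out of the
    policy store; the entries are already public, so brute-force resistance
    of this hash is irrelevant (the verifier's password hash is a separate
    matter, which is where PBKDF2/bcrypt/scrypt/Argon belong).
    """
    return {hashlib.sha1(w.lower().encode("utf-8")).hexdigest() for w in words}


def is_blacklisted(password, blacklist):
    """True if the password, lower-cased or normalized, is on the list.

    The empty string is skipped so that an all-digit password that normalizes
    to nothing does not spuriously match.
    """
    for candidate in {password.lower(), normalize(password)}:
        if not candidate:
            continue
        if hashlib.sha1(candidate.encode("utf-8")).hexdigest() in blacklist:
            return True
    return False


def min_length_for(strong_kdf):
    """Minimum length to require (assumed thresholds, see lead-in): 8 when the
    verifier uses PBKDF2 or another slow salted KDF, 15 when it is a fast
    unsalted hash such as NT/MD4."""
    return 8 if strong_kdf else 15


def check_password(password, blacklist, strong_kdf=True):
    """Return the list of policy violations, in order: 'too_short',
    'blacklisted'. An empty list means the password passes this policy."""
    problems = []
    if len(password) < min_length_for(strong_kdf):
        problems.append("too_short")
    if is_blacklisted(password, blacklist):
        problems.append("blacklisted")
    return problems


if __name__ == "__main__":
    bl = build_blacklist(SAMPLE_BLACKLIST_WORDS)
    for pw in ["Password1!", "Welcome2016", "dragon",
               "123456789", "correct horse battery staple"]:
        print(pw, "->", check_password(pw, bl, strong_kdf=False) or "ok")
```

The normalization is deliberately conservative: it catches case and trailing decoration but not leet substitutions or the blacklisted word embedded inside a longer string, both of which a real list-based check should add. Running the blacklist against a large corpus is cheap because it is a single set lookup per candidate form; what does cost is keeping the corpus current as new dumps appear.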
Current thread:
- Password Guidelines Frank Barton (Aug 23)
- Re: Password Guidelines Rob Milman (Aug 23)
- Re: Password Guidelines Steven Alexander (Aug 23)
- Re: Password Guidelines Rob Milman (Aug 23)