Educause Security Discussion mailing list archives

Re: Password Guidelines


From: Steven Alexander <steven.alexander () KCCD EDU>
Date: Wed, 24 Aug 2016 00:06:16 +0000

I just started in my role so I’m looking at our password requirements generally.

We’re not blacklisting, but it’s something that I want to do.  I’d like to use a large list, e.g. all dictionary words 
+  RockYou + LinkedIn.  If anyone has actually put blacklisting into practice, I’d love to hear about what you did and 
how it went.

I think that the password advice that’s been given out for years is generally bad.  NIST still recommends eight 
characters but it also says that we should use PBKDF2 which most systems do not use.  I think that this will be 
intentionally and/or unintentionally misread to justify sticking with eight characters even when PBKDF2 (or another 
strong KDF/password hash) is not in use.  With PBKDF2 and a reasonable cost value, eight characters is probably enough 
but for other systems (e.g. Active Directory with MD4), the minimum needs to be about 15 or 16 characters if you care 
about offline attacks at all.  Offline attacks are at least a million times faster than when we first started 
recommending eight characters.

I’m thrilled that password expiration every NN days is not recommended.  Password expiration hurts security and the 
idea needs to die.

I’m also very happy about the stretching and salting recommendations.  I’d love to see them recommend Argon, bcrypt or 
scrypt but PBKDF2 is way better than any of the one or two iteration hash solutions that are out there.

Regards,

Steven Alexander
Director of IT Security
Kern Community College District
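As an added illustration of the two points raised above (a large blacklist check, and a minimum length that depends on whether the stored hash is a slow salted KDF or a fast unsalted hash like MD4), here is a small policy checker. It is example code written for this archive page, not something from the thread or from any product; the blacklist entries, the length thresholds (8 for PBKDF2/bcrypt/scrypt/Argon2, 15 for fast hashes, following the figures in the message) and the PBKDF2 iteration count are all constructed assumptions.

```python
"""Password-policy check: breach/dictionary blacklist plus hash-dependent minimum length,
and salted PBKDF2 storage instead of a one-iteration hash. Added example; all sample
data and thresholds below are constructed for illustration."""
import hashlib
import os
import secrets
import unicodedata

# Constructed stand-in for a real blacklist (dictionary words + RockYou + LinkedIn dumps).
# In production, load the file once into a set (or a Bloom filter) for O(1) membership tests.
SAMPLE_BLACKLIST = ["password", "Password1", "letmein", "qwerty123", "iloveyou", "welcome"]

# Minimum length chosen by how the password is stored: a slow, salted KDF tolerates
# shorter secrets; an unsalted fast hash (NTLM/MD4, raw SHA-1, MD5) does not.
# The 8 / 15 figures are the thread's own numbers; everything else here is assumed.
MIN_LENGTH_BY_HASH = {
    "pbkdf2": 8, "bcrypt": 8, "scrypt": 8, "argon2": 8,
    "md4": 15, "md5": 15, "sha1": 15,
}
DEFAULT_MIN_LENGTH = 15  # unknown hash: assume it is fast and require the longer minimum

PBKDF2_ITERATIONS = 600_000  # assumed cost value; tune so one hash takes ~100 ms on your auth servers


def normalize(pw: str) -> str:
    """Canonicalise before comparison so 'Password' and 'password' hit the same entry."""
    return unicodedata.normalize("NFKC", pw).strip().lower()


def load_blacklist(entries) -> set:
    """Build the lookup set from raw list lines (dictionary, breach dumps, etc.)."""
    return {normalize(e) for e in entries if e.strip()}


def check_password(pw: str, blacklist: set, hash_alg: str) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    min_len = MIN_LENGTH_BY_HASH.get(hash_alg.lower(), DEFAULT_MIN_LENGTH)
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters required for {hash_alg}")
    if normalize(pw) in blacklist:
        problems.append("appears in the compromised/dictionary blacklist")
    return problems


def hash_password(pw: str) -> dict:
    """Store with a per-user random salt and a stretched KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"alg": "pbkdf2-sha256", "iterations": PBKDF2_ITERATIONS,
            "salt": salt.hex(), "hash": dk.hex()}


def verify_password(pw: str, record: dict) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return secrets.compare_digest(dk.hex(), record["hash"])


if __name__ == "__main__":
    bl = load_blacklist(SAMPLE_BLACKLIST)
    for candidate, alg in [("Password1", "pbkdf2"),
                           ("tr0ub4dor&3", "md4"),
                           ("correct horse battery", "md4")]:
        print(f"{candidate!r} stored with {alg}: {check_password(candidate, bl, alg) or 'OK'}")
    rec = hash_password("correct horse battery")
    print("verify:", verify_password("correct horse battery", rec))
```

The same 11-character password passes when the backend uses PBKDF2 and fails when it is an MD4-based store, which is the distinction the message draws; the blacklist check is independent of the hash and catches the entry regardless of case.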

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Rob 
Milman
Sent: Tuesday, August 23, 2016 2:52 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Guidelines

Hi Frank,

I found that our existing password policies are pretty robust, however I hadn’t considered using a password blacklist 
as suggested in the draft. Is anyone using a password blacklist to prevent users from using a compromised password? I 
know I’ve run into this on some websites, but not in an enterprise level authentication system.

Rob Milman



Rob Milman
Security & Compliance Analyst
Information Systems

Southern Alberta Institute of Technology
EH Crandell Building, GA 214
1301 – 16 Avenue NW, Calgary AB, T2M 0L4

(Office) 403.774.5401  (Cell) 403.606.3173
rob.milman () sait ca
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Frank 
Barton
Sent: Tuesday, August 23, 2016 11:21 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Password Guidelines

Good afternoon folks,
  I am wondering if the recent NIST draft authentication guidelines have caused anybody to review their existing 
password policies, and, if so, caused any changes?

(for those of you that haven't read it yet: https://pages.nist.gov/800-63-3/)

Frank

--
Frank Barton
ACMT
IT Systems Administrator
Husson University

