Educause Security Discussion mailing list archives
Re: assessing an authentication service
From: David Lassner <david () HAWAII EDU>
Date: Wed, 29 Dec 2004 14:13:43 -1000
I've pasted below a few prior notes from this list that address items (1) and (2). Thanks to David Wasley for the first list and Bryan Lucas for resending us the Cambridge study in September that Dennis Maloney had forwarded to the list from his IT Auditor, Jim Dillon, in January.
On Dec 29, 2004, at 10:56 AM, Tom Barton wrote:
At the "CAMP Enterprise Authentication Workshop" last November in San Diego we identified a need for an authoritative doc to help campuses assess their authentication services. Two docs, in fact: (1) a "how to" doc for assessing an authentication service to determine what actions are likeliest to make the most substantial improvements in overall strength of authentication. It could take the form of a top 10 list.
From: "David L. Wasley" <david.wasley () UCOP EDU>
Date: September 24, 2004 8:25:10 AM HST
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Student paper "editorial" on robust passwords
The weird thing is that the student's editorial is quite readable! What I don't often hear in this discussion is the clear set of technical mitigations that we all should be working towards. Of course Frank's password should not be "Frank" but frankly we technologists have some work to do as well. It should be the goal of every IT environment that, at the very least:
1. EVERY system requires reasonably strong passwords to avoid ease of guessing;
2. NO system stores passwords in the clear, and NO system allows easy access to the password store (e.g. /etc/passwd)!!
3. NO system requires sending passwords in clear text over ANY communications medium;
4. EVERY system locks up an account if a password is entered incorrectly N times in succession.
(2) a study (or metastudy) of the effect various password length, complexity, history, and aging characteristics have on overall strength of an authentication service. Regarding (2), I think people (and CAMP attendees in particular) are typically aware of the arguments pro and con associated with discussions of password strength. We're looking instead for actual scientific, perhaps sociological, studies. You know, where there's an experimental design, thoughtfully implemented protocol, systematic data gathering and analysis, and interpretation of results. Or a synthesis of these, if such experiments have been done many times.
Begin forwarded message:
From: "Lucas, Bryan" <b.lucas () TCU EDU>
Date: September 23, 2004 7:39:45 AM HST
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Student paper "editorial" on robust passwords
Reply-To: The EDUCAUSE Security Discussion Group Listserv
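As an added illustration, not part of any message in this thread, here is a minimal credential store that enforces goals 1, 2 and 4 from Wasley's list (reasonably strong passwords, no cleartext storage, lockout after N consecutive failures); goal 3 is a transport property and is not shown. MIN_LENGTH, MAX_FAILURES, the character-class rule and the PBKDF2 iteration count are assumed values, not figures from the thread.

```python
# Added example (not from the thread): enforce three of Wasley's baseline goals.
import hashlib
import hmac
import os

MIN_LENGTH = 12            # assumed policy value for goal 1
MAX_FAILURES = 5           # the "N" in goal 4, assumed
PBKDF2_ITERATIONS = 600_000  # assumed work factor for the stored hash


def is_reasonably_strong(password: str) -> bool:
    """Goal 1: minimum length plus at least three character classes (assumed rule)."""
    classes = [any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password)]
    return len(password) >= MIN_LENGTH and sum(classes) >= 3


class CredentialStore:
    def __init__(self):
        self._users = {}  # username -> {"salt", "hash", "failures"}

    def enroll(self, username: str, password: str) -> bool:
        if not is_reasonably_strong(password):
            return False
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        # Goal 2: only the salt and the derived key are stored, never the password.
        self._users[username] = {"salt": salt, "hash": digest, "failures": 0}
        return True

    def is_locked(self, username: str) -> bool:
        rec = self._users.get(username)
        return rec is not None and rec["failures"] >= MAX_FAILURES

    def authenticate(self, username: str, password: str) -> bool:
        rec = self._users.get(username)
        if rec is None or self.is_locked(username):
            return False  # unknown user or locked account: fail closed
            # (a production store would also equalise timing for unknown users)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                        rec["salt"], PBKDF2_ITERATIONS)
        if hmac.compare_digest(candidate, rec["hash"]):
            rec["failures"] = 0  # a success resets the consecutive-failure counter
            return True
        rec["failures"] += 1     # goal 4: count consecutive failures toward lockout
        return False
```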