Educause Security Discussion mailing list archives

Re: assessing an authentication service


From: David Lassner <david () HAWAII EDU>
Date: Wed, 29 Dec 2004 14:13:43 -1000

I've pasted below a few prior notes from this list that address items (1) and (2). Thanks to David Wasley for the first list and Bryan Lucas for resending us the Cambridge study in September that Dennis Maloney had forwarded to the list from his IT Auditor, Jim Dillon, in January.

On Dec 29, 2004, at 10:56 AM, Tom Barton wrote:

At the "CAMP Enterprise Authentication Workshop" last November in San
Diego we identified a need for an authoritative doc to help campuses
assess their authentication services. Two docs, in fact:

(1) a "how to" doc for assessing an authentication service to determine
what actions are likeliest to make the most substantial improvements in
overall strength of authentication. It could take the form of a top 10 list.

From: "David L. Wasley" <david.wasley () UCOP EDU>
Date: September 24, 2004 8:25:10 AM HST
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Student paper "editorial" on robust passwords

The weird thing is that the student's editorial is quite readable!

What I don't often hear in this discussion is the clear set of
technical mitigations that we all should be working towards.  Of
course Frank's password should not be "Frank" but frankly we
technologists have some work to do as well.

It should be the goal of every IT environment that, at the very least:

       1. EVERY system requires reasonably strong passwords to avoid
          ease of guessing;

       2. NO system stores passwords in the clear, and NO system allows easy
          access to the password store (e.g. /etc/passwd)!!

       3. NO system requires sending passwords in clear text over ANY
          communications medium;

       4. EVERY system locks up an account if a password is entered
          incorrectly N times in succession.


(2) a study (or metastudy) of the effect various password length,
complexity, history, and aging characteristics have on overall strength
of an authentication service.

Regarding (2), I think people (and CAMP attendees in particular) are
typically aware of the arguments pro and con associated with discussions
of password strength. We're looking instead for actual scientific,
perhaps sociological, studies. You know, where there's an experimental
design, thoughtfully implemented protocol, systematic data gathering and
analysis, and interpretation of results. Or a synthesis of these, if
such experiments have been done many times.

Begin forwarded message:

From: "Lucas, Bryan" <b.lucas () TCU EDU>
Date: September 23, 2004 7:39:45 AM HST
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Student paper "editorial" on robust passwords
Reply-To: The EDUCAUSE Security Discussion Group Listserv
**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.
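The four goals in Wasley's list, as an added example that is not part of the original thread (the `AuthService` class, the thresholds and the sample users are my assumptions): a minimal Python credential store that rejects weak or name-based passwords (goal 1), keeps only salted PBKDF2 hashes rather than cleartext (goal 2) and locks an account after N consecutive failures (goal 4). Goal 3 is a transport property (TLS, Kerberos) and is not something a store can enforce on its own.

```python
import hashlib
import secrets

MIN_LENGTH = 12       # goal 1: reasonably strong passwords (assumed threshold)
MAX_FAILURES = 5      # goal 4: lock after N consecutive bad attempts (assumed N)
ITERATIONS = 100_000  # PBKDF2 work factor; scrypt/argon2 would be preferable


class AuthService:
    """Toy credential store (assumed design) meeting goals 1, 2 and 4."""

    def __init__(self):
        # username -> {"salt", "hash", "failures", "locked"}; no cleartext kept
        self._users = {}

    @staticmethod
    def _strong_enough(username, password):
        # Minimum length, not equal to the user name ("Frank"/"frank"),
        # and at least three of four character classes.
        if len(password) < MIN_LENGTH or password.lower() == username.lower():
            return False
        classes = (any(c.islower() for c in password),
                   any(c.isupper() for c in password),
                   any(c.isdigit() for c in password),
                   any(not c.isalnum() for c in password))
        return sum(classes) >= 3

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def register(self, username, password):
        if not self._strong_enough(username, password):
            return False
        salt = secrets.token_bytes(16)           # per-user salt
        self._users[username] = {"salt": salt, "hash": self._hash(password, salt),
                                 "failures": 0, "locked": False}
        return True

    def authenticate(self, username, password):
        rec = self._users.get(username)
        if rec is None:
            self._hash(password, b"\x00" * 16)   # same cost for unknown users
            return "denied"
        if rec["locked"]:
            return "locked"
        if secrets.compare_digest(rec["hash"], self._hash(password, rec["salt"])):
            rec["failures"] = 0                  # success resets the counter
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            rec["locked"] = True                 # goal 4: lock, require reset
            return "locked"
        return "denied"
```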
