Educause Security Discussion mailing list archives

Re: Password policy


From: Mike Wiseman <mike.wiseman () UTORONTO CA>
Date: Thu, 2 Nov 2006 09:31:29 -0500

  I'll agree with Jim and others that we need two-factor authentication for the assets that we REALLY need to worry 
about (at least our financials, medical records, human subjects research data and so on). And we need to allow some 
reasonable number of retries, especially if you, or I, or the student in the lab has to type fifteen or twenty 
characters correctly each time we log in (or, for those who sit in front of a screen all day, each time we go 'down the 
hall' or out to lunch).

  But seriously, who's going to try to break into Professor Snerdwell's e-mail account with a dictionary attack? And 
unless we're worried about month-long sustained attacks, frequent password changes are just annoying without buying 
additional security. Making people change their passwords every ninety days doesn't teach good computer hygiene; it 
annoys them and confirms their impression that the IT people have nothing better to do.
  My 2c worth.

Good point on the latter statement (as has also been made by Jim and Dan) - it's good practice to match the 
authentication system strength to the risk/consequences of a failure of that system (see NIST 800-63). 
Username/password auth is acceptable for a majority of applications that a typical student uses. An employee, on the 
other hand, who has read/write access to ERP, student records, server administration, etc. should be using a relatively 
stronger authentication method. As far as implementing strong auth systems, I notice that there's a great deal of 
maturity in open source smart card and PKI systems, for example OpenSC and OpenCA. 


Mike Wiseman
Manager - Computer Security Administration
Computing and Networking Services
University of Toronto
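The two points the thread keeps returning to, allowing a reasonable number of retries for people typing long passphrases while still making an online dictionary attack impractical, can both be served by a per-account throttle with backoff rather than a hard lockout. The following Python is an added illustration written for this archive page; it is not code from any poster or from any University of Toronto system. The event list, the account names and the parameter values (five free failures in a fifteen-minute window, a 30-second base delay that doubles per further failure, a one-hour cap) are constructed assumptions chosen to show the behaviour.

```python
"""Login throttle: tolerate a few typos, slow down online password guessing.

Added example for the Educause password-policy thread; not code from any
poster.  All sample data and parameter values below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of authentication events (not from a real system).
# Each tuple: (timestamp, account, success)
SAMPLE_EVENTS = [
    ("2006-11-02 09:00:00", "prof.snerdwell", False),   # mistyped passphrase
    ("2006-11-02 09:00:10", "prof.snerdwell", False),   # mistyped again
    ("2006-11-02 09:00:25", "prof.snerdwell", True),    # third try succeeds
] + [
    # a burst of guesses against another account, one every two seconds
    ("2006-11-02 09:05:%02d" % (2 * i), "lab.student", False) for i in range(12)
]


class LoginThrottle:
    """Per-account sliding window of failures with exponential backoff.

    Up to `free_failures` failures inside `window` cost nothing, so someone
    who mistypes a twenty-character passphrase a few times is not punished.
    Beyond that, each further failure doubles the delay before the next
    attempt is even checked.  There is no hard lockout: a guessing source
    cannot lock the real user out, it can only be slowed to a rate at which
    a dictionary attack over the window is impractical.
    """

    def __init__(self, free_failures=5, window=timedelta(minutes=15),
                 base_delay=timedelta(seconds=30), max_delay=timedelta(hours=1)):
        self.free_failures = free_failures
        self.window = window
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._failures = defaultdict(deque)   # account -> failure timestamps
        self._not_before = {}                 # account -> earliest accepted attempt

    def _prune(self, account, now):
        """Drop failures that have aged out of the sliding window."""
        q = self._failures[account]
        while q and now - q[0] > self.window:
            q.popleft()

    def check(self, account, now):
        """Return (allowed, remaining_wait) without touching state."""
        nb = self._not_before.get(account)
        if nb is not None and now < nb:
            return False, nb - now
        return True, timedelta(0)

    def record(self, account, now, success):
        """Apply the throttle to one attempt and return a decision string."""
        allowed, wait = self.check(account, now)
        if not allowed:
            # Attempt is refused before any password check, so it neither
            # leaks information nor counts as a further failure.
            return "rejected: wait %ds" % wait.total_seconds()
        self._prune(account, now)
        if success:
            self._failures[account].clear()
            self._not_before.pop(account, None)
            return "success"
        q = self._failures[account]
        q.append(now)
        excess = len(q) - self.free_failures
        if excess > 0:
            delay = min(self.base_delay * (2 ** (excess - 1)), self.max_delay)
            self._not_before[account] = now + delay
            return "failed: backoff %ds" % delay.total_seconds()
        return "failed"


def run(events, free_failures=5, base_delay_seconds=30):
    """Replay (timestamp, account, success) events through a fresh throttle."""
    throttle = LoginThrottle(free_failures=free_failures,
                             base_delay=timedelta(seconds=base_delay_seconds))
    results = []
    for ts, account, ok in events:
        now = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        results.append((ts, account, throttle.record(account, now, ok)))
    return results


if __name__ == "__main__":
    for ts, account, decision in run(SAMPLE_EVENTS):
        print(ts, account.ljust(15), decision)
```

On the constructed sample, the professor's two typos go unpunished and the third attempt succeeds, while only six of the twelve guesses against the student account are ever checked against the stored credential; the rest are refused during the backoff. Keying the window on the account (and, in a real deployment, also on the source address) is what makes the policy match the risk: the cost of a handful of retries is paid only by whoever is guessing.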

