Educause Security Discussion mailing list archives
Re: Passwords & Passphrases
From: Steven Carmody <Steven_Carmody () BROWN EDU>
Date: Tue, 20 Nov 2007 12:05:35 -0500
At 11:48 AM -0600 11/19/07, Brian T Nichols wrote:
Colleagues, We are researching best practices regarding passwords and passphrases (length, complexity, expiration, etc.). Does anyone have a standard and/or policy they can share?
Here's some info on one set of standards to keep in mind, as sites develop local policy. The US InCommon Federation (http://www.incommonfederation.org/) is working with Federal government agencies to provide campuses with federated access to agency websites. Recently, NIH joined InCommon (and will be making its grants management website available in the coming months). IC is also talking to other agencies. In order to access federal sites at e-authentication level 2 (e.g. NIH grants mgmt), campus security practices will have to meet a number of criteria. One of these criteria is:
Strong resistance to guessing shared secret
1. The PIN (numeric-only) or password, and the controls used to limit on-line guessing attacks shall ensure that an attack targeted against a selected user's PIN or password shall have a probability of success of less than 2^-14 (1 chance in 16,384) over the life of the PIN or Password.
2. The PIN (numeric-only) or password shall have at least 10 bits of min-entropy (a measure of the difficulty that an attacker faces to guess the most commonly chosen password used in a system) to protect against untargeted attack. Refer to NIST SP 800-63 Appendix A, and the NIST Shared Secret Entropy Spreadsheet to calculate resistance to online guessing.
So, if a campus allows a user to change their password, the new password must be "at least" as strong as these requirements. While this might not constitute "best practice", it does set a minimum bar. The entropy spreadsheet can be found here: http://www.cio.gov/eauthentication/credential_suite.cfm
Hope this helps.
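The calculation the entropy spreadsheet automates, as an added example that is not part of the original post or of NIST's materials: it estimates password entropy with the SP 800-63 Appendix A heuristic for user-chosen passwords, bounds how many online guesses a lockout policy lets an attacker make over the password's lifetime, and checks the result against the 2^-14 criterion quoted above. The policy numbers (5 attempts, 15-minute lockout, 90- or 180-day lifetime) are constructed, and the dictionary-check bonus is simplified to a flat 6 bits below 20 characters, which is an assumption rather than the appendix's exact taper.

```python
"""Added example: score a password policy against the e-authentication
Level 2 guessing criterion using the NIST SP 800-63 Appendix A estimate.
Assumptions: Appendix A heuristic for user-chosen passwords; the
dictionary-check bonus is simplified to 6 bits for lengths below 20 and 0
at 20 or more. All policy numbers below are constructed for illustration."""


def appendix_a_entropy(length, composition_rule=False, dictionary_check=False):
    """Estimated entropy (bits) of a user-chosen password of `length` chars:
    4 bits for the first char, 2 bits each for chars 2-8, 1.5 bits each for
    chars 9-20, 1 bit each beyond 20; +6 bits if an upper-case plus
    non-alphabetic composition rule is enforced; +6 bits for an extensive
    dictionary check (simplified taper, see module docstring)."""
    if length <= 0:
        return 0.0
    bits = 4.0
    bits += 2.0 * max(0, min(length, 8) - 1)
    bits += 1.5 * max(0, min(length, 20) - 8)
    bits += 1.0 * max(0, length - 20)
    if composition_rule:
        bits += 6.0
    if dictionary_check and length < 20:
        bits += 6.0
    return bits


def max_online_guesses(attempts_per_lockout, lockout_minutes, lifetime_days):
    """Upper bound on guesses against one account over the password's life:
    the attacker uses every attempt before lockout, waits out the lockout,
    and repeats for the whole lifetime."""
    lockout_windows = (lifetime_days * 24 * 60) / lockout_minutes
    return attempts_per_lockout * lockout_windows


def targeted_success_probability(entropy_bits, guesses):
    """Chance a targeted online attack succeeds, treating the password as
    one of 2**entropy_bits equally likely values (the Appendix A model)."""
    return min(1.0, guesses / 2 ** entropy_bits)


def meets_level2(entropy_bits, guesses):
    """Criterion 1 quoted above: success probability must be below 2^-14."""
    return targeted_success_probability(entropy_bits, guesses) < 2 ** -14


if __name__ == "__main__":
    # Constructed policy: 8-char minimum, composition rule, dictionary check,
    # 5 attempts then a 15-minute lockout, 90-day password lifetime.
    bits = appendix_a_entropy(8, composition_rule=True, dictionary_check=True)
    guesses = max_online_guesses(5, 15, 90)
    print(f"{bits} bits, {guesses:.0f} guesses, level 2: {meets_level2(bits, guesses)}")
    # Doubling the lifetime to 180 days doubles the guesses and fails the bar.
    print("180-day life:", meets_level2(bits, max_online_guesses(5, 15, 180)))
```

The same 8-character policy without the dictionary check scores only 24 bits and fails even at 90 days, which is why a dictionary rule does more for this criterion than tightening the lockout.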