Educause Security Discussion mailing list archives

Re: Passwords & Passphrases


From: Steven Carmody <Steven_Carmody () BROWN EDU>
Date: Tue, 20 Nov 2007 12:05:35 -0500

At 11:48 AM -0600 11/19/07, Brian T Nichols wrote:
Colleagues,

We are researching best practices regarding passwords and
passphrases (length, complexity, expiration, etc.).

Does anyone have a standard and/or policy they can share?


Here's some info on one set of standards to keep in mind, as sites
develop local policy.

The US InCommon Federation ( http://www.incommonfederation.org/ ) is
working with Federal government agencies to provide campuses with
federated access to agency websites. Recently, NIH joined InCommon
(and will be making its grants management website available in the
coming months). IC is also talking to other agencies.

In order to access federal sites at e-authentication level 2 (e.g. NIH
grants management), campus security practices will have to meet a number of
criteria. One of these criteria is:

Strong resistance to guessing shared secret

1. The PIN (numeric-only) or password, and the controls used to
limit on-line guessing attacks shall ensure that an attack targeted
against a selected user's PIN or password shall have a probability
of success of less than 2^-14 (1 chance in 16,384) over the life of
the PIN or Password.
2. The PIN (numeric-only) or password shall have at least 10 bits of
min-entropy (a measure of the difficulty that an attacker faces to
guess the most commonly chosen password used in a system) to protect
against untargeted attack.
Refer to NIST SP 800-63 Appendix A, and the NIST Shared Secret
Entropy Spreadsheet to calculate resistance to online guessing.

So, if a campus allows a user to change their password, the new
password must be "at least" as strong as these requirements. While
this might not constitute "best practice", it does set a minimum bar.

The entropy spreadsheet can be found here:

http://www.cio.gov/eauthentication/credential_suite.cfm

Hope this helps.
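A worked check of the two criteria quoted above, added here as an example and not part of the original post, the InCommon documents, or the NIST spreadsheet. It computes min-entropy for a uniformly random secret (exact), applies my reading of the SP 800-63 Appendix A heuristic for user-chosen passwords (the dictionary-check bonus from the appendix is deliberately not modelled), and then asks how many online guesses a lockout policy actually hands an attacker over the secret's lifetime. All function names, the sample lockout parameters and the 90-day lifetime are assumptions chosen for illustration.

```python
import math

# Thresholds quoted in the InCommon / NIST criteria above
TARGETED_MAX_SUCCESS_PROB = 2.0 ** -14   # 1 chance in 16,384
UNTARGETED_MIN_ENTROPY_BITS = 10.0


def random_secret_entropy_bits(alphabet_size: int, length: int) -> float:
    """Min-entropy of a uniformly random (system-generated) PIN or password.

    For a uniform distribution min-entropy equals log2 of the number of
    possible values, e.g. a 4-digit PIN gives 4 * log2(10) ~= 13.29 bits.
    """
    return length * math.log2(alphabet_size)


def sp800_63_user_chosen_entropy_bits(length: int, composition_rule: bool = False) -> float:
    """Assumption: my reading of the SP 800-63 Appendix A heuristic for
    user-chosen passwords: 4 bits for the first character, 2 bits each for
    characters 2-8, 1.5 bits each for characters 9-20, 1 bit each beyond 20,
    plus a 6-bit bonus when both upper-case and non-alphabetic characters
    are required. The appendix's dictionary-check bonus is not modelled.
    """
    if length <= 0:
        return 0.0
    bits = 4.0
    bits += 2.0 * min(max(length - 1, 0), 7)
    bits += 1.5 * min(max(length - 8, 0), 12)
    bits += 1.0 * max(length - 20, 0)
    if composition_rule:
        bits += 6.0
    return bits


def max_guesses_allowed(entropy_bits: float) -> float:
    """Largest number of online guesses the verifier may permit over the
    secret's lifetime while a targeted attack stays below 2^-14, assuming
    each guess succeeds with probability 2^-entropy."""
    return TARGETED_MAX_SUCCESS_PROB * 2.0 ** entropy_bits


def targeted_success_probability(entropy_bits: float, guesses: float) -> float:
    """Probability that `guesses` online attempts hit a specific user's secret."""
    return min(1.0, guesses / 2.0 ** entropy_bits)


def guesses_under_sliding_lockout(max_failures: int, lockout_minutes: float,
                                  lifetime_days: float) -> float:
    """Guesses available when the failure counter resets after each lockout:
    an attacker who paces attempts gets max_failures per lockout window."""
    windows = lifetime_days * 24 * 60 / lockout_minutes
    return max_failures * windows


def assess_policy(entropy_bits: float, total_guesses: float) -> dict:
    """Evaluate both quoted criteria for a given entropy and guess budget."""
    prob = targeted_success_probability(entropy_bits, total_guesses)
    return {
        "entropy_bits": round(entropy_bits, 2),
        "guesses_allowed": total_guesses,
        "max_guesses_for_2^-14": math.floor(max_guesses_allowed(entropy_bits)),
        "targeted_success_probability": prob,
        "meets_targeted_criterion": prob < TARGETED_MAX_SUCCESS_PROB,
        "meets_untargeted_criterion": entropy_bits >= UNTARGETED_MIN_ENTROPY_BITS,
    }


if __name__ == "__main__":
    # Constructed scenario: 8-character user-chosen password with a
    # composition rule (24 bits by the heuristic), 90-day lifetime.
    bits = sp800_63_user_chosen_entropy_bits(8, composition_rule=True)
    # Common "5 failures, 15-minute lockout, counter resets" policy
    print("sliding lockout:", assess_policy(bits, guesses_under_sliding_lockout(5, 15, 90)))
    # Cumulative cap of 100 failed attempts over the password's lifetime
    print("cumulative cap: ", assess_policy(bits, 100))
    # A 4-digit PIN cannot meet the targeted criterion even at one guess
    print("4-digit PIN:    ", assess_policy(random_secret_entropy_bits(10, 4), 1))
```

The instructive result is the first scenario: a lockout that resets its counter every 15 minutes still yields 43,200 guesses over 90 days, and at 24 bits of entropy that is roughly a 1-in-400 chance, far above 1-in-16,384. A cumulative cap on failed attempts over the secret's lifetime (or a much longer password) is what brings the figure under the bar, which is why the spreadsheet asks for the throttling parameters rather than just the character rules.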
