Educause Security Discussion mailing list archives
Re: Passwords & Passphrases
From: Gary Flynn <flynngn () JMU EDU>
Date: Tue, 20 Nov 2007 13:54:30 -0500
Steven Carmody wrote:
The US InCommon Federation ( http://www.incommonfederation.org/ ) is working with Federal government agencies to provide campuses with federated access to agency websites. Recently, NIH joined InCommon (and will be making its grants management website available in the coming months). IC is also talking to other agencies. In order to access federal sites at e-authentication level 2 (e.g. NIH grants mgmt), campus security practices will have to meet a number of criteria. One of these criteria is:

Strong resistance to guessing shared secret

1. The PIN (numeric-only) or password, and the controls used to limit on-line guessing attacks shall ensure that an attack targeted against a selected user's PIN or password shall have a probability of success of less than 2^-14 (1 chance in 16,384) over the life of the PIN or Password.

2. The PIN (numeric-only) or password shall have at least 10 bits of min-entropy (a measure of the difficulty that an attacker faces to guess the most commonly chosen password used in a system) to protect against untargeted attack.

Refer to NIST SP 800-63 Appendix A, and the NIST Shared Secret Entropy Spreadsheet to calculate resistance to online guessing.

So, if a campus allows a user to change their password, the new password must be "at least" as strong as these requirements. While this might not constitute "best practice", it does set a minimum bar. The entropy spreadsheet can be found here: http://www.cio.gov/eauthentication/credential_suite.cfm
Note that it appears to require a password guessing lockout. If you open the spreadsheet and go to the password calculation tab, then to the Password Management Rules section, you'll see the first value is 'Lockout Mechanism'. If you set that to none, regardless of other settings, you'll get a 'SYSTEM FAILS TEST' status with the explanation "No mechanism to prevent attack from exceeding limit of 1,024 tries". Or, taken to the extreme with a 40-character password and all complexity rules enabled, "No mechanism to prevent attacker from exceeding limit of 36,028,797,018,964,000 tries".

-- 
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
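The two criteria quoted above, and the lockout dependence Gary describes, can be reproduced with a few lines of Python. The following is an added example, not the cio.gov spreadsheet and not code from NIST or from either poster. It implements the NIST SP 800-63 (2006) Appendix A entropy heuristic for user-chosen passwords, derives from it the number of online guesses an attacker may be allowed over the password's life while keeping the targeted-attack success probability at or below 2^-14, and checks the 10-bit min-entropy floor against a password histogram. The lockout model (an attacker makes the permitted failures, waits out each lock, and repeats for the whole password lifetime), the sample passwords, the lockout settings and the histogram are all constructed assumptions. A 24-bit estimate, which Appendix A gives an 8-character password with a dictionary check, yields exactly the 1,024-try limit the spreadsheet reports; the 40-character figure depends on spreadsheet inputs not shown in the message, so it is not reproduced here.

```python
"""Added example, not the cio.gov spreadsheet or any NIST code: the two
e-authentication Level 2 password checks quoted in the thread, using the
NIST SP 800-63 (2006) Appendix A entropy heuristic for user-chosen passwords.
The lockout model, sample passwords, lockout settings and password histogram
are constructed assumptions."""
import math
from typing import Dict, NamedTuple, Optional, Tuple

TARGET_PROBABILITY_BITS = 14   # criterion 1: targeted guessing succeeds with p <= 2^-14 over the password's life
MIN_ENTROPY_FLOOR_BITS = 10    # criterion 2: the most common password has probability <= 2^-10


def appendix_a_entropy(password: str, dictionary_check: bool = False,
                       composition_rule: bool = False) -> float:
    """SP 800-63 Appendix A estimate (bits) for a user-chosen password:
    4 bits for the first character, 2 bits each for characters 2-8,
    1.5 bits each for characters 9-20, 1 bit each beyond 20; a 6-bit bonus
    for a composition rule (upper case plus non-alphabetic required); up to
    6 bits for an extensive dictionary check, declining to zero at 20
    characters. The decline is modelled as 0.5 bit per character past 8,
    which reproduces Table A.1 for lengths 8-20; the smaller bonuses Table
    A.1 gives passwords shorter than 8 characters are not reproduced
    (assumption: no bonus below 8 characters)."""
    n = len(password)
    if n == 0:
        return 0.0
    bits = 4.0 + 2.0 * (min(n, 8) - 1) + 1.5 * max(0, min(n, 20) - 8) + 1.0 * max(0, n - 20)
    if n >= 8:
        if composition_rule:
            bits += 6.0
        if dictionary_check:
            bits += max(0.0, 6.0 - 0.5 * (n - 8))
    return bits


def max_lifetime_guesses(entropy_bits: float) -> int:
    """Most online guesses over the credential's whole life that keep a targeted
    attacker's success probability at or below 2^-14, treating the password as
    one of 2^entropy equiprobable candidates (each wrong guess removes one)."""
    return int(2 ** (entropy_bits - TARGET_PROBABILITY_BITS))


class Lockout(NamedTuple):
    failed_attempts: int     # failures allowed before the account locks
    lockout_minutes: float   # how long it then stays locked


def attacker_guesses(lockout: Optional[Lockout], lifetime_days: float) -> Optional[int]:
    """Constructed model (not the spreadsheet's): with a lockout the attacker makes
    `failed_attempts` guesses, waits out each lock, and repeats for the whole
    password lifetime. With no lockout nothing bounds the count, so return None."""
    if lockout is None:
        return None
    lifetime_minutes = lifetime_days * 24 * 60
    windows = math.ceil(lifetime_minutes / lockout.lockout_minutes)
    return lockout.failed_attempts * windows


def guessing_test(entropy_bits: float, lockout: Optional[Lockout],
                  lifetime_days: float) -> Tuple[bool, str]:
    """Criterion 1. Returns (passes, explanation)."""
    limit = max_lifetime_guesses(entropy_bits)
    tries = attacker_guesses(lockout, lifetime_days)
    if tries is None:
        return False, f"SYSTEM FAILS TEST: no mechanism to prevent attacker from exceeding limit of {limit:,} tries"
    if tries > limit:
        return False, f"SYSTEM FAILS TEST: lockout still permits {tries:,} tries, above limit of {limit:,}"
    return True, f"PASS: lockout permits {tries:,} tries, within limit of {limit:,}"


def min_entropy_bits(password_counts: Dict[str, int]) -> float:
    """Criterion 2: min-entropy = -log2(probability of the most common password),
    computed from how many users share each password value."""
    total = sum(password_counts.values())
    return -math.log2(max(password_counts.values()) / total)


def meets_min_entropy(password_counts: Dict[str, int]) -> bool:
    return min_entropy_bits(password_counts) >= MIN_ENTROPY_FLOOR_BITS


# Constructed histogram of 1,000 users' passwords: three shared choices, the rest unique.
SAMPLE_PASSWORD_COUNTS: Dict[str, int] = {"Winter2007!": 40, "Password1": 30, "letmein99": 30}
SAMPLE_PASSWORD_COUNTS.update({f"unique-{i}": 1 for i in range(900)})

if __name__ == "__main__":
    short = appendix_a_entropy("password", dictionary_check=True)                          # 24 bits
    long_ = appendix_a_entropy("x" * 40, dictionary_check=True, composition_rule=True)     # 62 bits
    for bits in (short, long_):
        print(f"{bits:.0f}-bit estimate, no lockout:       {guessing_test(bits, None, 90)[1]}")
        print(f"{bits:.0f}-bit estimate, 10 tries / 15 min: {guessing_test(bits, Lockout(10, 15), 90)[1]}")
        print(f"{bits:.0f}-bit estimate, 5 tries / 24 h:    {guessing_test(bits, Lockout(5, 24 * 60), 90)[1]}")
    print(f"min-entropy of sample histogram: {min_entropy_bits(SAMPLE_PASSWORD_COUNTS):.2f} bits, "
          f"meets {MIN_ENTROPY_FLOOR_BITS}-bit floor: {meets_min_entropy(SAMPLE_PASSWORD_COUNTS)}")
```

Running it shows the point of the message: with no lockout both the 24-bit and the 62-bit estimates fail outright, and at 24 bits even a conventional 10-failures-per-15-minutes lockout permits 86,400 tries over a 90-day password life, far above the 1,024 budget; only a much stricter policy (here 5 failures, then a 24-hour lock) gets under it. The histogram check is independent of the per-password estimate: a campus where 4% of users share one password has about 4.6 bits of min-entropy and fails the 10-bit floor no matter how strong the rest of the passwords are.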