Re: Password change *recommended* -- RESULTS?

[David Walker <dhwprof () GMAIL COM>]

Brady,

Very real issues you've listed about multi-factor authentication.  I'll
mention that the MFA Cohortium
(https://wiki.cohortium.internet2.edu/confluence/display/mfacohortium/Home),
a group of 40-50 universities, is doing a work in the areas you've
mentioned.  Take a look; there are a number of white papers available. 
You're also welcome to participate; information for how to do that is
available from the wiki page linked above.

A couple of other links you may find of interest:

  * The FIDO Alliance (https://fidoalliance.org/), an industry group
    that has recently released specifications for a standard
    authentication API for second factor and passwordless tokens.
  * The Multi-Context Broker (https://spaces.internet2.edu/x/BozFAg), an
    extension to Shibboleth that facilitates the integration of MFA and
    assurance into a SAML IdP.


Things are getting better, but they still have a ways to go.

David

On 04/16/2014 12:18 PM, McClenon, Brady wrote:
> Thanks, Joe.  I agree that MFA is the way to go, but with many colleges depending on vendor supplied software MFA 
> becomes more difficult.  Does the service support MFA, and if so which solution?  SSO would make this easier, but SSO 
> has the same set of issues.  Some support CAS, some support SAML, some ADFS, etc...  It seems that until SSO and MFA 
> standards are achieved some are overwhelmed with the need to support 2-3-4 solutions to the same problem.
>
> I follow some of your reasons outlined for password changes, and again, thanks.  I will point out that the statements 
> "Periodic Password Changes Limit The Window for Brute Force Attacks" and "If you do change your password, the 
> attacker will need to restart their cracking effort because cracking your old password typically won't help the 
> attacker deduce your new password" aren't entirely true.  The attacker would only need to restart if your new 
> password was one he/she already tried prior to the change.  The window may not change at all, and the probability 
> that the change helped protect the password can be anywhere between 0-100% depending on where the attacker was in his 
> list when the password was changed.   So while there is some value against brute force the value seems somewhat 
> undeterminable. 
>
>
>
>
> -----Original Message-----
> From: Joe St Sauver [mailto:joe () oregon uoregon edu] 
> Sent: Wednesday, April 16, 2014 10:39 AM
> To: McClenon, Brady
> Cc: security () listserv educause edu
> Subject: Re: Password change *recommended* -- RESULTS?
>
> Good morning!
>
> Brady asked:
>
> #Except in the case of an incident were passwords may have be leaked or #otherwise compromised, in which case it 
> seems it would be a required #change and just not recommended, I'm curious to the thoughts of those #here on why you 
> would enforce periodic password changes on users.  
>
> I outlined a few reasons in an NWACC talk on passwords that you can find at 
> http://pages.uoregon.edu/joe/passwords/passwords.pdf (section 4 talks about the password change issue)
>
> That said, the fundamental problem is that at this stage of the game, plain old passwords just aren't good enough 
> anymore -- yet we still don't see ubiquitous deployment of multifactor on most campuses. Why? 
>
> I attempted to discuss some of the reasons that people may have
> *historically* had, and why they may no longer be applicable, in a talk I did last week in Denver at the Internet2 
> Global Summit; see http://pages.uoregon.edu/joe/global-summit-mfa/global-summit-mfa.pdf
>
> If you all are not doing multifactor, did I catch the reason(s) why in thos slides? If I missed a fundamental reason, 
> I'd love to hear about/understand it better. 
>
> Do we all just secretly love passwords for some sort of weird cultural reasons? :-;
>
> Regards,
>
> Joe