Re: password length and required reset

[randy <marchany () VT EDU>]

A couple of observations:

1. Password expiration - This is almost always implemented to comply with
an existing regulation (PCI, NIST800-53, NIST 800-171, state IT security
regs, etc.). In other words, it's an auditor issue not a technical issue. I
don't like password expiration personally but the reality is that we have
to implement it. We can argue on its merits but this is one case when
external regs/standards force our hand.

2. Password length - this is a "it depends" on the vendor issue. If I
remember correctly, Windows maximum password length is 127 chars. However,
most apps can't handle passwords that long. Microsoft accounts (Live,
Outlook, Hotmail etc) have a maximum limit of 16 characters only
<http://forum.thewindowsclub.com/windows-clubhouse/34485-how-short-long-can-microsoft-account-password.html>.
Yahoo and Google allow 32 and 200 characters respectively. Windows login
and Microsoft account minimum password length is 8 chars. Windows 10 local
account (NOT Microsoft Account)  passwords can range from 8-127 chars. ON
the linux side, it depends (sorry, couldn't help myself) on whether you use
MD5, SHA-256/512, Blowfish. Apple sorta falls in the same category in that
there isn't a max password length generic restriction. Then there's
vendor's password requirements......or should I say lack of
requirements.....

3. I don't like password vaults for the simple reason that the vaults have
been targetted by hackers. I prefer something like SHA1_PASS which takes a
phrase + keyword to generate 20 or 40 char password. For example, secret
phrase = "thisismysecretphrase" and my keyword is "google" the result is
"d3263bc7a70f3a2a0e24af397b5c99837114b1cb". If I need a special char, I add
it at the end. No passwords are permanently stored anywhere. We suggest to
our users that they pick a phrase and use the keyword to describe whatever
service they're accessing. My example would be generating the Gmail
password. If I wanted my appleid password, secret phrase = "this
ismysecretphrase" (as before) with new keyword of "appleid" which gives me
"5f3450e2221ac66115998847b64f1c85e5c9b314". Google SHA1_Pass to find it.


-r.

On Mon, Oct 10, 2016 at 11:33 AM, Steven Alexander <
steven.alexander () kccd edu> wrote:

> Brad,
>
> Password reuse is obviously a problem but I think you can largely prevent
> this by using stronger password requirements.  Most sites still require
> only 6-8 character passwords.  If you require much longer passwords (e.g.
> 15 characters), it will be much less likely that users will reuse passwords
> from other sites because they won't meet the requirements.  If you can
> implement a filter, blacklisting common and previously cracked passwords
> would also help.
>
> Regards,
>
> Steven Alexander
> Director of IT Security
> Kern Community College District
> (661) 336-5111
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brad Judy
> Sent: Monday, October 10, 2016 7:19 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] password length and required reset
>
> Most of the services you mention offer opt-in, or mandatory, multifactor
> authentication and many have pretty advanced automated systems for
> detecting suspicious logins/activities.
>
> That said, the only reason I like limited password life for our industry
> is because it ensures people don’t use the same passwords for our systems
> as third-party systems.  If you have to change your password once every
> 6-12 months at your EDU, it’s unlikely you run around changing your
> password elsewhere to match.
>
> At its root, password expiration is a control to address an undetected,
> unrepeatable compromise of credentials.  If the attack is detected, you can
> force a password reset.  If the attack is repeatable (like phishing or a
> keylogger), then the attacker can get the new password as well.  Some of
> the origins are in the idea of an attacker stealing your password store and
> cracking it, but these days the more common version of the threat is
> someone stealing an external password store, cracking it and then using the
> email/password combo to attack their email account (and related accounts).
>
> If you want to have immortal passwords, then ask yourself what detection
> and response capabilities you have, as well as your options for stronger
> authentication mechanisms where appropriate.
>
> Brad Judy
>
> Information Security Officer
> Office of Information Security
> University of Colorado
> 1800 Grant Street, Suite 300
> Denver, CO  80203
> Office: (303) 860-4293
> Fax: (303) 860-4302
> www.cu.edu <http://www.cu.edu/>
>
>
>
>
>
>
> On 10/10/16, 7:09 AM, "The EDUCAUSE Security Constituent Group Listserv on
> behalf of Mike Cunningham" <SECURITY () LISTSERV EDUCAUSE EDU on behalf of
> mike.cunningham () PCT EDU> wrote:
>
>     Thanks for the feedback.
>
>     How do you counter the argument that no other online service that
> requires passwords have any set time limit on a password, and they are
> sites with much more sensitive information. Bank sites, credit card sites,
> amazon, paypal, gmail, yahoo, Hotmail, outlook.com phone companies,
> Netflix, etc. I can't think of any service that I have myself that requires
> me to change a password on a regular basis and that is how students view
> us, as just another online service.  I am 100% in favor of employees
> needing to reset a password since their access gives them access to other
> peoples data but for students they only have access to their own data so
> password mismanagement only puts their own data at risk, just like on any
> of those other services.
>
>     Mike Cunningham
>
>     -----Original Message-----
>     From: The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Boyd, Daniel
>     Sent: Monday, October 10, 2016 8:42 AM
>     To: SECURITY () LISTSERV EDUCAUSE EDU
>     Subject: Re: [SECURITY] password length and required reset
>
>     You are correct in thinking that 12 characters will help.  If you run
> passwords through most any analyzer, that 12th character adds a tremendous
> amount of time to the decryption process... but will not help if common
> phrases, titles, and sequences are used.
>
>     We recently moved all faculty, staff and service accounts to a 90-day
> password reset cycle, with a history of 6.  We are considering a minimum
> password age of 2 days, but have not implemented that change yet.  We
> recommend the password to be a minimum of 8, but no longer than 13
> characters (any longer and Office365 complains, at least as of August of
> this year) and cannot contain three consecutive characters of their
> username.  It also must have a capital letter and a number or symbol.
>
>     It has taken a number of years to push this policy amid lots of
> grumbling from staff and faculty.  We got buy-in from administration by
> explaining our reasons for implementing, we communicated the change
> effectively to the community and so far, have not had significant
> backlash.  We considered having two different policies for staff and
> faculty, but decided it was in everyone's best interest to enforce the
> stricter policy (whether they believed it or not).
>
>     Students have all the same requirements except the max age for their
> password is 180 days.  No issues there either, as this is explained at
> orientation.  While it frustrates a tiny percentage, it is an acceptably
> low percentage.
>
>     The key is effective communication and simple explanation of the
> reasons why this is important.
>
>     Good luck with any changes you make.
>
>     Dan
>
>
>     Daniel H. Boyd (94C)
>     Senior Network Architect
>     Network Operations
>     Information Security Advisory Group Chair Berry College
>     Phone: 706-236-1750
>     Fax:     706-238-5824
>
>     There are two rules to follow with your account passwords:
>     1. NEVER SEND YOUR PASSWORD VIA EMAIL (TO ANYONE)!!!!!
>     2. If unsure, consult rule #1
>
>
>
>
>     -----Original Message-----
>     From: Mike Cunningham [mailto:mike.cunningham () PCT EDU]
>     Sent: Friday, October 07, 2016 3:29 PM
>     Subject: password length and required reset
>
>     We current have a password length rule of 6 with a password expiration
> of 180 days. We are considering changing that to a length of 12 with a
> recommendation to use a pass phrase, and no expiration. Students can want
> to can change their password daily or never. We believe the longer length
> requirement will make the password so much stronger that the password reset
> is no longer needed. This change is for students ONLY. Employees will still
> have a password recent requirement.
>
>     Thanks
>
>
>     Mike Cunningham
>     VP of Information Technology Services/CIO Pennsylvania College of
> Technology