Password Complexity Enforcement - PowerPoint PPT Presentation

About This Presentation
Title:

Password Complexity Enforcement

Description:

Kerberos is a security system designed to protect access to ... Apply slow leaning pressure as opposed to draconian measures. No expiration of current passwords ... – PowerPoint PPT presentation

Slides: 35
Provided by: tompa6
Transcript and Presenter's Notes

Title: Password Complexity Enforcement


1
Tom Parker, jtp5@cornell.edu, Project Manager
Identity Management Team IT Security Group
2
What Is So Special About Your Cornell NetID?
3
Your Key to the Kingdom
4
Your Key to the Kingdom
5
(No Transcript)
6
We Use Kerberos
  • Kerberos is a security system designed to protect
    access to personal, confidential information on
    computer networks
  • When you request access to Kerberos-protected
    private information, Kerberos verifies that you
    have entered the correct password for your
    Network ID
  • And then issues you an electronic ticket, which
    gives you admission to restricted services
  • Password traffic is carefully controlled
  • Your password is stored in an encrypted database
    which is locked down and protected by dual-factor
    authentication

7
So What's the Problem?
  • Your password is vulnerable to guessing
  • There are computer programs that can guess very
    fast

http://www.lockdown.co.uk/?pg=combi&s=articles
8
CIT Audit Report
Drafted Oct. 2002, Updated May 2004
9
Six Percent Cracked in Less than 72 Hours
[Chart: CIT NetID Passwords, 6% cracked]
10
What we proposed in November
  • Establish a baseline: run a crack utility against the KDC
  • Publicize the project: keep it simple and non-intrusive
  • Apply slow leaning pressure as opposed to
    draconian measures
  • No expiration of current passwords
  • Provide full-featured, web-based password change
    utility and education site
  • Enforce password complexity rules against all new
    passwords issued and/or changed
  • Launch in Spring of 2005
  • Closely monitor results through Dec. 2005

11
We've Had Help
  • IT Security Team
  • Identity Management Developers
  • Customer Services and Marketing (CSM)
  • Usability Study
  • Documentation
  • Marketing
  • Training
  • Contact Center
  • CIT Community

12
So What Are The Rules?
  • Choose at least 8 characters, including at least
    three of the following four character types:
      • Uppercase letters
      • Lowercase letters
      • Numbers
      • Symbols found on your keyboard, such as ! ( ) / ?
  • Avoid words in any dictionary or language,
    spelled forward or backward.
  • Don't pick names or nicknames of people, pets, or
    places, or personal information that can be
    easily found out, such as your address, birthday,
    or hobbies.
  • Don't include any of these:
      • Repeated characters, such as AAA or 555
      • Alphabetic or numeric sequences, such as abc or 123
      • Common keyboard sequences, such as Qwerty or pas.

http://www.cit.cornell.edu/services/identity/password.html
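The rules on slide 12 are concrete enough to implement as a strength check of the kind the web-based change utility enforced on every new or changed password. The following is an added example written for this page, not Cornell's strength-check app or a Kerberos password-policy plugin: the word list is a constructed stand-in for the site dictionary, and the choices to treat any run of three as a "sequence" (matching the slide's AAA/abc/123 examples), to trim digits and symbols off the ends before the whole-word dictionary test, and to use US keyboard rows are assumptions of this example.

```python
import re
import string

# Constructed stand-in for the site word list; the real check used a much
# larger dictionary (slide 32 mentions adjusting its size).
DICTIONARY = {"password", "cornell", "kerberos", "welcome", "letmein", "summer", "ithaca"}
# Letter rows of a US keyboard (assumption); runs of RUN_LEN adjacent keys,
# forward or backward, are rejected.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
MIN_LENGTH = 8
RUN_LEN = 3   # the slide's examples (AAA, 555, abc, 123) are all three characters long

def char_classes(pw):
    """Count how many of the four character types (upper, lower, digit, symbol) appear."""
    tests = (str.isupper, str.islower, str.isdigit, lambda c: c in string.punctuation)
    return sum(1 for test in tests if any(test(c) for c in pw))

def has_repeat(pw, n=RUN_LEN):
    """True for runs like AAA or 555 (n or more identical characters in a row)."""
    return re.search(r"(.)\1{%d,}" % (n - 1), pw) is not None

def has_sequence(pw, n=RUN_LEN):
    """True for abc/cba or 123/321 style runs: n characters of one class, each one step apart."""
    low = pw.lower()
    for i in range(len(low) - n + 1):
        chunk = low[i:i + n]
        if not (chunk.isalpha() or chunk.isdigit()):
            continue
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False

def has_keyboard_run(pw, n=RUN_LEN):
    """True for qwerty-style runs: n adjacent keys from one row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - n + 1):
            run = row[i:i + n]
            if run in low or run[::-1] in low:
                return True
    return False

def is_dictionary_word(pw):
    """Whole-word check, forward or backward, after trimming digits/symbols from
    the ends so that 'cornell1!' and 'llenroc' are both caught. Substring checks
    (slide 32's 'more intelligent dictionary check') are out of scope here."""
    low = pw.lower()
    core = low.strip(string.digits + string.punctuation + " ")
    return any(w in DICTIONARY for w in (low, core, core[::-1]))

def check_password(pw):
    """Return the list of rule violations; an empty list means the password is accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if char_classes(pw) < 3:
        problems.append("fewer than three of the four character types")
    if is_dictionary_word(pw):
        problems.append("dictionary word, forward or backward")
    if has_repeat(pw):
        problems.append("repeated characters such as AAA or 555")
    if has_sequence(pw):
        problems.append("alphabetic or numeric sequence such as abc or 123")
    if has_keyboard_run(pw):
        problems.append("keyboard sequence such as qwerty")
    return problems

if __name__ == "__main__":
    for candidate in ("Cornell1!", "llenroC2!", "Password123", "qwerty99Z!", "Tr0ub4d&3x"):
        print(repr(candidate), "->", check_password(candidate) or "OK")
```

Note that "Cornell1!" satisfies the length and three-of-four rules and still fails: the whole-word dictionary test is what catches the most common way of dressing up a weak password, and the reversed-word test catches "llenroC2!" the same way. Spaces are accepted (slide 32) and simply count toward length without contributing a character class.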
13 to 25
(No Transcript)
26
What About Password Aging?
  • Helpful at combating weak passwords by forcing
    them to be changed on a regular basis.
  • A penalty for people who already use strong
    passwords.
  • When confronted with a "your password has
    expired" dialog, you are more likely to choose a
    poorly conceived password so that you can get
    back to your work ASAP.
  • If everyone has good passwords, the need for
    password aging is minimized.
  • The notion of needing to change your Kerberos
    password on an annual basis is still an item
    under consideration, but wasn't in the scope of
    this project.

27
The Recent Schedule
April 4: Internal testing on a sample of 345 Kerberos 5.0 keys
successfully cracks 20 passwords (6%) within 72 hours.
April 11: Internal testing begins. New policy applied to
CIT/OIT employees for internal testing. All CIT/OIT employees
strongly encouraged to test their NetID/password combination
within 2 weeks.
April 20: Updates to campus developers, listservers.
April 21: Begin print coverage.
April 25: Password Complexity Enforcement policy applied; all new
passwords and password changes will be subjected to the new rules
from this point on.
April 25 onward: Monitoring continues on a monthly basis to
measure success.

[Calendar graphic, March 20 to April 30: Spring Break (week of
March 20), Test Results (April 4), Apply To CIT/OIT (April 11),
Apply To Campus (April 25)]
We closely track results

Unix Crack 5.0 running on a locked-down machine
running no services and protected with two-factor
authentication. No attempt was made to associate NetIDs
with cracked passwords.
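Slide 10's "establish a baseline: run a crack utility against the KDC" and the monitoring described just above are the same measurement: an offline dictionary run against a key dump, bounded by a time window, reporting only the fraction that fell and never tying a recovered password to a NetID. The block below is an added example written for this page, not CIT's Crack 5.0 job (the deck does not describe its rule set or how it handled Kerberos keys). Its string_to_key is a salted SHA-256 stand-in and not the real Kerberos derivation (an assumption), the rewrite rules are a small Crack-style subset, and the dump, realm and word list are constructed.

```python
import hashlib
import random

# Constructed word list; CIT's real dictionary was far larger (slide 32).
WORDLIST = ["cornell", "ithaca", "welcome", "password", "kerberos", "summer"]

def string_to_key(salt, password):
    """Stand-in for the KDC's string-to-key (assumption: the real Kerberos
    derivation is different and not reproduced here). Salted, so the same
    password yields different keys for different principals."""
    return hashlib.sha256((salt + ":" + password).encode()).hexdigest()

def mangle(word):
    """A small subset of Crack-style rewrite rules: as typed, reversed,
    capitalised, upper-cased, and each of those with one digit appended or
    prepended. 'cornell' -> 'cornell1', 'llenroc', 'Cornell', '1CORNELL', ..."""
    bases = {word, word[::-1], word.capitalize(), word.upper()}
    forms = set(bases)
    for base in bases:
        for d in "0123456789":
            forms.add(base + d)
            forms.add(d + base)
    return forms

def strip_identities(dump_rows):
    """Drop the principal column and shuffle before cracking starts, so the
    job (and its output) never holds a NetID next to a recovered password."""
    rows = [(salt, key) for _principal, salt, key in dump_rows]
    random.shuffle(rows)
    return rows

def crack(rows, wordlist, max_guesses):
    """Offline dictionary attack bounded by a guess budget (the 72-hour window
    on the slides, expressed as work rather than wall-clock time).
    Returns (cracked, total, guesses_used)."""
    candidates = sorted(set().union(*(mangle(w) for w in wordlist)))
    cracked = guesses = 0
    for salt, key in rows:
        for cand in candidates:
            if guesses >= max_guesses:
                return cracked, len(rows), guesses
            guesses += 1
            if string_to_key(salt, cand) == key:
                cracked += 1
                break
    return cracked, len(rows), guesses

def baseline_report(dump_rows, wordlist, max_guesses):
    """Aggregate result only: how many keys fell, out of how many, as a percentage."""
    cracked, total, used = crack(strip_identities(dump_rows), wordlist, max_guesses)
    return {"cracked": cracked, "total": total,
            "percent": round(100.0 * cracked / total, 1), "guesses": used}

# Constructed dump of 12 principals as (principal, salt, key). The salt is
# realm + principal, which is what a KDC dump carries alongside the key anyway.
_REALM = "EXAMPLE.EDU"
_SAMPLE_PASSWORDS = {
    "abc1": "cornell1",      # dictionary word + digit
    "def2": "llenroc",       # dictionary word spelled backward
    "ghi3": "Welcome9",      # capitalised word + digit
    "jkl4": "r9!Kq#2vLm",
    "mno5": "Zt4$vW9k&p",
    "pqr6": "x7Yb@3Qe!n",
    "stu7": "Hq2%mN8vZr",
    "vwx8": "g5F^kT1wJs",
    "yza9": "Lp0*cB6yMd",
    "bcd0": "W3u)Rz7#Xa",
    "efg1": "n4Vs!Jp9Qk",
    "hij2": "Ck8~dE2mHt",
}
SAMPLE_DUMP = [(p, _REALM + p, string_to_key(_REALM + p, pw))
               for p, pw in _SAMPLE_PASSWORDS.items()]

if __name__ == "__main__":
    print(baseline_report(SAMPLE_DUMP, WORDLIST, max_guesses=100000))
```

Run monthly against fresh dumps, the same loop gives the "fewer crackable passwords" trend the deck wants to show: the three constructed weak entries fall because they are exactly the forms the complexity rules reject (a word plus a digit, a word reversed, a capitalised word plus a digit), and the report carries counts only, which is what "no attempt to associate NetIDs with cracked passwords" requires of the tooling.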
28
12 of 345 CIT Users in First Two Days
[Chart: CIT NetID Passwords, 12 of 345 cracked]
29
Quick Stats
  • Total uses of strength-check app: 1529
  • Total successful password changes: 422

30
Monitoring: What We Hope to Show
Fewer Crackable Passwords
31
Monitoring: What We Hope to Show
Fewer Crackable Passwords
Increasing Use of IdM Tools
32
Our Testers Have Been Busy!
  • We've adjusted the size of our dictionary
  • Password Tips link on error pages
  • Information about length limitations
  • Spaces will be allowed
  • Good feedback from CSM
  • New feature requests
  • Investigating more intelligent dictionary check
    mechanisms

33
Review of our Goals
  • Implement the changes on the backend to enforce a
    level of password complexity
  • Widely publicize the changes
  • Provide the appropriate tools and end user
    documentation to be successful
  • Prepare the Contact Center to support customers
    in adapting to the change

34
aadssupport@cornell.edu