
Passphrase Announcement

Overview

One of the weakest links in the security process is the use of passwords. However, we use passwords every day and put our trust in the security of those passwords to protect information and data that is extremely valuable, be it our financial portfolio, confidential health information, private emails, business correspondence or online banking data. The security of our data is only as strong as the weakest link, and more often than not, that weak link is the poor choice we make when choosing a password.

Given the extreme importance of passwords as they relate to personal privacy and the protection of institutional data, we must make every effort to ensure that the controls governing the quality of the passwords being chosen are adequate. This document describes our current password requirements as well as enhanced requirements that will be implemented during 2006. If you have any questions or comments regarding these changes, please send an email to itso@iu.edu.

Problem Statement

Currently, IU Network ID passwords must contain between eight and fourteen characters, two numbers or symbols in the first eight characters, and five different characters (i.e., letters, numbers, and symbols). Passwords are also subject to additional, albeit limited, strength checks to reduce the risk of them being easily guessed by those with less than honorable motives. As computing power increases, however, it is becoming increasingly possible for miscreants to obtain our passwords.

Miscreants have developed malicious pieces of software (malware) that use a variety of techniques to obtain passwords. Two of the most common techniques take advantage of weak password quality controls. A brute force attack attempts to obtain passwords by trying all possible character combinations by trial and error. A dictionary attack attempts to obtain passwords by using words commonly found in a dictionary as the basis for each password attempt. The important thing to note is that both techniques benefit from relatively short passwords such as our current Network ID passwords. Another technique used by malware to obtain passwords is to monitor user keyboard input (keystrokes) and then transmit those keystrokes to the miscreant for later use. Though this type of risk cannot be alleviated by improved password quality controls, it does illustrate yet another risk to our passwords.

Our current password quality requirements often result in users selecting passwords that are a) difficult to remember, and therefore more likely to be written down on a yellow sticky note and posted on a computer monitor, and b) difficult to type, since cryptic strings of characters are hard to enter accurately. In addition, there are no mechanisms in place that require a user to change his or her password; a user could select a password when creating his or her account and use that same password for many years (even though that password may have been shared, exposed, or is no longer considered adequately "strong").

Paving The Way For Change

In the not so distant past, there were many satellite systems that maintained their own password files and whose passwords needed to be synchronized with the IU Network ID password via IU's Account Management System (AMS) or Password Maintenance utility. This forced the use of the "least common denominator" value for all password settings across each of these systems. For example, if one of these systems had a maximum password length restriction of 14 characters, that setting had to be used across all of the systems. This severely limited the ability to enhance or otherwise adjust the password quality requirements set using AMS or the Password Maintenance facility.

Most of the previously mentioned satellite systems have been converted to authenticate using the IU Network ID (via Kerberos) or Windows Active Directory Services (ADS), thereby making the enhanced requirements outlined in this document possible.

Passwords vs. Passphrases

As we all know, a password is a "form of secret authentication data that is used to control access to a resource". Because of its name, many assume that a password should be based on a "word". Given the current password requirements, though, we know that a user at IU cannot choose a "word" for their IU Network ID password. In fact, passwords should not be based on words because of the risk of their being discovered by the aforementioned dictionary attack techniques. Since we don't allow passwords to be "words", and we are constrained by the fourteen character length limit, our current passwords end up being very cryptic. What can we do to improve the situation? Enter the passphrase.

A passphrase uses multiple natural words or phrases to construct the secret to be used during authentication. Passphrases generally allow incorporation of spaces into the secret to make it more in line with a "phrase". As an example, a password of "pM[]w5Mj" could be easier to remember and type as the following passphrase: "pack my box with five milk jugs".

Passphrases provide a good way to compose strong, lengthy passwords that are easier to remember, easier to type, and naturally complex. Existing brute force and dictionary attack techniques do not take passphrases into consideration, so passphrases are currently harder to crack than traditional passwords.

The IT Security Office has written an article on passphrases for those wanting additional information.

Password Enhancements

Because of the security, privacy, and ease of use benefits of passphrases, IU Network IDs and Windows ADS accounts will begin transitioning to the use of passphrases instead of passwords during 2006.

Beginning on July 27, 2006, the maximum allowed length for IU Network ID passwords/passphrases will be increased to 127 characters. At the same time, the space and ampersand (&) characters will be added as allowable characters in the password/passphrase. On July 27th, we will not change the minimum length requirement nor will we require users to change their passwords/passphrases. Thus, this change will only impact new users who are creating their accounts and users who change their passwords. A test version of the Password Maintenance utility that complies with these new requirements is available that allows you to try out a passphrase in advance of the July 27th date. NOTE: This test utility reflects the system as it will be after the October 26, 2006 change (see below) with respect to the minimum allowed length for IU Network ID passwords/passphrases.

Beginning on October 26, 2006, the minimum allowed length for IU Network ID passwords/passphrases will be increased to 15 characters. On October 26th, we will not require users to change their passwords/passphrases. Thus, this change will only impact users who are creating their accounts and users who change their passwords.

An important item worth noting is the impending availability of the self-service password/passphrase reset system. This system allows a user to create question and answer pairs that can later be used by the user to reset a forgotten password. As we encourage users to change their authentication secret from passwords to passphrases, we realize that there will be some who forget their newly formed passphrases. The availability of this service will make password/passphrase resets more convenient for the end user and lessen the impact on IT support units across the university. As previously mentioned, users will not be required to change their passwords into passphrases during 2006, though it is an option being considered for implementation in 2007.

Next Steps

A communication plan regarding these changes is being developed, and the individuals impacted by these changes will be notified at appropriate times during the course of 2006. If you have any questions or comments regarding the impending changes outlined in this document, please send an email to itso@iu.edu.

Summary

Our current password selection process is in need of improvement. By making the recommended changes outlined in this document, we can accomplish our overall goal to improve the quality of the "secrets" chosen (thus making them more secure) and to make those "secrets" easier for users to select, remember, and enter.