What Is So Special About Your Cornell NetID?
Your Key to the Kingdom
We Use Kerberos
• Kerberos is a security system designed to protect access to personal, confidential information on computer networks
• When you request access to Kerberos-protected private information, Kerberos verifies that you have entered the correct password for your Network ID
• And then issues you an electronic ticket, which gives you admission to restricted services
• Password traffic is carefully controlled
• Your password is stored in an encrypted database which is locked down and protected by dual-factor authentication
So What’s the Problem?
• Your password is vulnerable to guessing
• There are computer programs that can guess very fast
http://www.lockdown.co.uk/?pg=combi&s=articles
CIT Audit Report
Drafted Oct. 2002, Updated May 2004
6%
Six Percent Cracked in Less than 72 hours
CIT NetID Passwords
What we proposed in November
• Establish baseline; run crack utility against KDC
• Publicize project; keep it simple, non-intrusive
• Apply slow leaning pressure as opposed to draconian measures
• No expiration of current passwords
• Provide full-featured, web-based password change utility and education site
• Enforce password complexity rules against all new passwords issued and/or changed
• Launch in Spring of 2005
• Closely monitor results through Dec. 2005
We’ve Had Help
• IT Security Team
• Identity Management Developers
• Customer Services and Marketing (CSM)
  – Usability Study
  – Documentation
  – Marketing
  – Training
• Contact Center
• CIT Community
So What Are The Rules?
• Choose at least 8 characters, including at least three of the following four character types:
  – Uppercase letters
  – Lowercase letters
  – Numbers
  – Symbols found on your keyboard, such as ! * ( ) : | / ?
• Avoid words in any dictionary or language, spelled forward or backward.
• Don't pick names or nicknames of people, pets, or places, or personal information that can be easily found out, such as your address, birthday, or hobbies.
• Don't include any of these:
  – Repeated characters, such as AAA or 555
  – Alphabetic or numeric sequences, such as abc or 123
  – Common keyboard sequences, such as Qwerty or pas.
http://www.cit.cornell.edu/services/identity/password.html
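As an added illustration (not part of the original slides, and not the code of CIT's own strength-check application), the following Python function applies the rules listed above to a candidate password and reports which rules it breaks. The sample word list, the keyboard-run list and the optional personal_tokens parameter (NetID, name, pet name and similar values the caller already knows) are constructed assumptions; a real deployment would load a full dictionary, which is what the later slide about adjusting dictionary size refers to.

```python
"""Password complexity checker modelled on the slide's rules (added example)."""
import re
from typing import Iterable, List

# Constructed sample word list; a real checker would load a full dictionary file.
SAMPLE_DICTIONARY = {"password", "cornell", "secret", "welcome", "kerberos", "summer"}

# A few well-known keyboard runs; constructed list, extend as needed.
KEYBOARD_SEQUENCES = ("qwerty", "asdfgh", "zxcvbn", "qazwsx")

MIN_LENGTH = 8      # "at least 8 characters"
MIN_CLASSES = 3     # "at least three of the four character types"


def _has_sequence(s: str, run: int = 3) -> bool:
    """True if s contains `run` consecutive letters or digits in ascending
    or descending order, e.g. 'abc', '123' or '321'."""
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        if not (window.isalpha() or window.isdigit()):
            continue
        codes = [ord(c) for c in window.lower()]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(password: str,
                   personal_tokens: Iterable[str] = (),
                   dictionary=SAMPLE_DICTIONARY) -> List[str]:
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    lowered = password.lower()

    # Rule 1: minimum length.
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Rule 1 (continued): count the character classes present.  Spaces are
    # neither a symbol nor a letter here, so they never help satisfy the rule.
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() and not c.isspace() for c in password),
    ]
    if sum(classes) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} of the 4 character types")

    # Rule 2: dictionary words, spelled forward or backward.
    for word in dictionary:
        if word in lowered or word[::-1] in lowered:
            problems.append(f"contains dictionary word '{word}' (forward or reversed)")
            break

    # Rule 3: personal information the caller supplied (assumption: caller knows it).
    for token in personal_tokens:
        token = token.lower()
        if token and token in lowered:
            problems.append("contains personal information")
            break

    # Rule 4a: the same character three or more times in a row (AAA, 555).
    if re.search(r"(.)\1\1", password):
        problems.append("contains a character repeated three or more times")

    # Rule 4b: alphabetic or numeric sequences (abc, 123).
    if _has_sequence(password):
        problems.append("contains an alphabetic or numeric sequence")

    # Rule 4c: common keyboard sequences (qwerty).
    if any(seq in lowered for seq in KEYBOARD_SEQUENCES):
        problems.append("contains a common keyboard sequence")

    return problems


if __name__ == "__main__":
    for candidate in ("Tr0ub4d!x9", "password", "Abc12345!", "Qwerty!23"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The checker returns every violation rather than stopping at the first, which is what a web-based change utility needs in order to show users a complete "Password Tips" message instead of making them guess what to fix.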
What About Password Aging?
• Helpful at combating weak passwords by forcing them to be changed on a regular basis.
• A penalty for people who already use strong passwords.
• When confronted with a "your password has expired" dialog, you are more likely to choose a poorly conceived password so that you can get back to your work ASAP.
• If everyone has good passwords, the need for password aging is minimized.
• The notion of needing to change your Kerberos password on an annual basis is still an item under consideration, but wasn't in the scope of this project.
April 4, Internal testing on sample of 345 Kerberos 5.0 keys successfully cracks 20 passwords (6%) within 72 hours. *
April 11, Internal Testing Begins. New policy applied to CIT/OIT employees for internal testing. All CIT/OIT employees strongly encouraged to test their NetID/password combination within 2 weeks
April 20, Updates to Campus Developers, Listservers
April 21, Begin Print Coverage
April 25, Password Complexity Enforcement policy applied; all new passwords and password changes will be subjected to new rules from this point on
April 25, Monitoring continues on a monthly basis to measure success…
[April 2005 calendar slide, "We closely track results": milestones marked on the calendar are Apply to CIT/OIT, Apply to Campus, Test Results, and Spring Break.]
* Unix Crack 5.0 running on a locked down machine running no services and protected with two-factor authentication. No attempt to associate NetIDs with cracked passwords.
The Recent Schedule
12%
12% of 345 CIT Users in First Two Days
CIT NetID Passwords
Quick Stats
• Total uses of strength-check app: 1529
• Total successful password changes: 422
Monitoring: What we Hope to Show
Fewer Crackable Passwords
Increasing Use of IdM Tools
Our Testers Have Been Busy!
• We’ve adjusted the size of our dictionary
• Password Tips link on error pages
• Information about length limitations
• Spaces will be allowed
• Good feedback from CSM
• New feature requests
• Investigating more intelligent dictionary check mechanisms
Review of our Goals
• Implement the changes on the backend to enforce a level of password complexity
• Widely publicize the changes
• Provide the appropriate tools and end user documentation to be successful
• Prepare the Contact Center to support customers in adapting to the change