Educause Security Discussion mailing list archives
Re: assessing an authentication service
From: John C Borne <jcb () LSU EDU>
Date: Mon, 3 Jan 2005 14:05:46 -0600
I have a particular interest in item (2) as it relates to password aging. We are in the process of implementing password aging on one of our last, but large, systems. We have begun to receive challenges specifically asking for empirical evidence. Our current justification is based on FERPA for initial password change and industry best practices for password aging.

I have not done an exhaustive search for studies justifying the use of password aging, but I am currently looking at a paper published by Daniel Klein at Carnegie Mellon/SEI titled "Foiling the Cracker: A Survey of, and Improvements to, Password Security". A link to it is http://www.deter.com/unix/papers/passwords_klein.pdf

I would be interested in other studies that anyone may have found on the subject.

Thanks.

John Borne
Louisiana State University
Computing Services
jcb () lsu edu

Tom Barton <tbarton () UCHICAGO EDU>, sent by The EDUCAUSE Security Discussion Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>, wrote on 12/29/2004 02:56 PM:
To: SECURITY () LISTSERV EDUCAUSE EDU
cc: (bcc: John C Borne/jcb/LSU)
Subject: [SECURITY] assessing an authentication service
At the "CAMP Enterprise Authentication Workshop" last November in San Diego we identified a need for an authoritative doc to help campuses assess their authentication services. Two docs, in fact:

(1) a "how to" doc for assessing an authentication service to determine what actions are likeliest to make the most substantial improvements in overall strength of authentication. It could take the form of a top 10 list.

(2) a study (or metastudy) of the effect various password length, complexity, history, and aging characteristics have on overall strength of an authentication service.

Regarding (2), I think people (and CAMP attendees in particular) are typically aware of the arguments pro and con associated with discussions of password strength. We're looking instead for actual scientific, perhaps sociological, studies. You know, where there's an experimental design, thoughtfully implemented protocol, systematic data gathering and analysis, and interpretation of results. Or a synthesis of these, if such experiments have been done many times.

And there's a general understanding that passwords, or any proofs used in a run-time authentication, are just one aspect of the overall efficacy of an authentication system. Procedural, social, and additional technical characteristics also determine strength of authentication. Hence (1).

Do members of this group know of authoritative sources for (1) or (2)?

Thanks,
Tom

--
Tom Barton
Senior Director for Integration
Networking Services and Information Technologies
The University of Chicago
773-834-1700 (office)

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.