Tom Parker jtp5@cornell Project Manager Identity Management Team IT Security Group


Presentation Transcript


  1. Tom Parker jtp5@cornell.edu Project Manager Identity Management Team IT Security Group

  2. What Is So Special About Your Cornell NetID?

  3. Your Key to the Kingdom

  4. Your Key to the Kingdom

  5. We Use Kerberos
  • Kerberos is a security system designed to protect access to personal, confidential information on computer networks
  • When you request access to Kerberos-protected private information, Kerberos verifies that you have entered the correct password for your Network ID
  • And then issues you an electronic ticket, which gives you admission to restricted services
  • Password traffic is carefully controlled
  • Your password is stored in an encrypted database which is locked down and protected by dual-factor authentication

  6. So What’s the Problem?
  • Your password is vulnerable to guessing
  • There are computer programs that can guess very fast: http://www.lockdown.co.uk/?pg=combi&s=articles

  7. CIT Audit Report Drafted Oct. 2002, Updated May 2004

  8. Six Percent Cracked in Less than 72 Hours [chart: 6% of CIT NetID passwords]

  9. What We Proposed in November
  • Establish baseline; run crack utility against KDC
  • Publicize project; keep it simple, non-intrusive
  • Apply slow leaning pressure as opposed to draconian measures
  • No expiration of current passwords
  • Provide full-featured, web-based password change utility and education site
  • Enforce password complexity rules against all new passwords issued and/or changed
  • Launch in Spring of 2005
  • Closely monitor results through Dec. 2005

  10. We’ve Had Help
  • IT Security Team
  • Identity Management Developers
  • Customer Services and Marketing (CSM)
    • Usability Study
    • Documentation
    • Marketing
    • Training
  • Contact Center
  • CIT Community

  11. So What Are The Rules?
  • Choose at least 8 characters, including at least three of the following four character types:
    • Uppercase letters
    • Lowercase letters
    • Numbers
    • Symbols found on your keyboard, such as ! * () : | / ?
  • Avoid words in any dictionary or language, spelled forward or backward.
  • Don't pick names or nicknames of people, pets, or places, or personal information that can be easily found out, such as your address, birthday, or hobbies.
  • Don't include any of these:
    • Repeated characters, such as AAA or 555;
    • Alphabetic or numeric sequences, such as abc or 123;
    • Common keyboard sequences, such as Qwerty or pas.
  http://www.cit.cornell.edu/services/identity/password.html
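The rules on this slide are concrete enough to implement. The checker below is an added example, not code from the Cornell project: it returns every rule a candidate password violates, so the web utility can show all problems at once instead of one per attempt. The word list and keyboard rows are constructed stand-ins (the real check would use a full dictionary), and spaces are permitted but counted toward no character class, matching the later slide on allowing spaces.

```python
import re

# Constructed mini dictionary; a production check consults a full word list.
DICTIONARY = {"password", "cornell", "kerberos", "secret", "welcome"}
# Constructed subset of US keyboard rows for the "Qwerty" style rule.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def has_sequence(s, length=3):
    """True if s holds `length` consecutive ascending or descending
    letters or digits (abc, 123, cba, 321). Case-insensitive."""
    s = s.lower()
    for i in range(len(s) - length + 1):
        chunk = s[i:i + length]
        if not (chunk.isalpha() or chunk.isdigit()):
            continue
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_keyboard_run(s, length=3):
    """True if any `length`-char slice of a keyboard row appears in s."""
    s = s.lower()
    return any(row[i:i + length] in s
               for row in KEYBOARD_ROWS
               for i in range(len(row) - length + 1))


def check_password(pw):
    """Return a list of violated rules; an empty list means acceptable."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    # Count how many of the four character types are present.
    classes = sum([any(c.isupper() for c in pw),
                   any(c.islower() for c in pw),
                   any(c.isdigit() for c in pw),
                   any(not c.isalnum() and not c.isspace() for c in pw)])
    if classes < 3:
        problems.append("fewer than three character types")
    if re.search(r"(.)\1\1", pw):          # AAA, 555, ...
        problems.append("repeated character run (e.g. AAA or 555)")
    if has_sequence(pw):
        problems.append("alphabetic or numeric sequence (e.g. abc or 123)")
    if has_keyboard_run(pw):
        problems.append("keyboard sequence (e.g. qwerty)")
    low = pw.lower()
    for word in DICTIONARY:                 # forward or reversed spelling
        if word in low or word[::-1] in low:
            problems.append("contains dictionary word '%s'" % word)
            break
    return problems
```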

  12. What About Password Aging?
  • Helpful at combating weak passwords by forcing them to be changed on a regular basis.
  • A penalty for people who already use strong passwords.
  • When confronted with a "your password has expired" dialog, you are more likely to choose a poorly conceived password so that you can get back to your work ASAP.
  • If everyone has good passwords, the need for password aging is minimized.
  • The notion of needing to change your Kerberos password on an annual basis is still an item under consideration, but wasn't in the scope of this project.

  13. The Recent Schedule
  • April 4: Internal testing on sample of 345 Kerberos 5.0 keys successfully cracks 20 passwords (6%) within 72 hours. *
  • April 11: Internal Testing Begins. New policy applied to CIT/OIT employees for internal testing. All CIT/OIT employees strongly encouraged to test their NetID/password combination within 2 weeks.
  • April 20: Updates to Campus Developers, Listservers
  • April 21: Begin Print Coverage
  • April 25: Password Complexity Enforcement policy applied; all new passwords and password changes will be subjected to new rules from this point on
  • April 25 onward: Monitoring continues on a monthly basis to measure success… We closely track results
  [calendar graphic, March 20 to April 30: Spring Break (week of March 20); Test Results (April 4); Apply To CIT/OIT (April 11); Apply To Campus (April 25)]
  * Unix Crack 5.0 running on a locked down machine running no services and protected with two-factor authentication. No attempt to associate NetIDs with cracked passwords.

  14. 12% of 345 CIT Users in First Two Days [chart: 12% of CIT NetID passwords]

  15. Quick Stats
  • Total uses of strength-check app: 1529
  • Total successful password changes: 422

  16. Monitoring: What We Hope to Show [chart: Fewer Crackable Passwords]

  17. Monitoring: What We Hope to Show [charts: Fewer Crackable Passwords; Increasing Use of IdM Tools]

  18. Our Testers Have Been Busy!
  • We’ve adjusted the size of our dictionary
  • Password Tips link on error pages
  • Information about length limitations
  • Spaces will be allowed
  • Good feedback from CSM
  • New feature requests
  • Investigating more intelligent dictionary check mechanisms

  19. Review of Our Goals
  • Implement the changes on the backend to enforce a level of password complexity
  • Widely publicize the changes
  • Provide the appropriate tools and end user documentation to be successful
  • Prepare the Contact Center to support customers in adapting to the change

  20. aadssupport@cornell.edu