Tom Parker, jtp5@cornell.edu, Project Manager, Identity Management Team, IT Security Group

Posted on 11-Jan-2016

TRANSCRIPT

Page 1: Tom Parker jtp5@cornell  Project Manager  Identity Management Team IT Security Group

Tom Parker, jtp5@cornell.edu

Project Manager Identity Management Team

IT Security Group

Page 2

What Is So Special About Your Cornell NetID?

Page 3

Your Key to the Kingdom

Page 4

Your Key to the Kingdom

Page 5: (no transcript text)

Page 6

We Use Kerberos

• Kerberos is a security system designed to protect access to personal, confidential information on computer networks

• When you request access to Kerberos-protected private information, Kerberos verifies that you have entered the correct password for your Network ID

• And then issues you an electronic ticket, which gives you admission to restricted services

• Password traffic is carefully controlled

• Your password is stored in an encrypted database which is locked down and protected by dual-factor authentication

Page 7

So What’s the Problem?

• Your password is vulnerable to guessing

• There are computer programs that can guess very fast

http://www.lockdown.co.uk/?pg=combi&s=articles

Page 8

CIT Audit Report

Drafted Oct. 2002, Updated May 2004

Page 9

CIT NetID Passwords: 6% (Six Percent) Cracked in Less than 72 hours

Page 10

What we proposed in November

• Establish baseline; run crack utility against KDC

• Publicize project; keep it simple, non-intrusive

• Apply slow leaning pressure as opposed to draconian measures

• No expiration of current passwords

• Provide full-featured, web-based password change utility and education site

• Enforce password complexity rules against all new passwords issued and/or changed

• Launch in Spring of 2005

• Closely monitor results through Dec. 2005

Page 11

We’ve Had Help

• IT Security Team

• Identity Management Developers

• Customer Services and Marketing (CSM)
  – Usability Study
  – Documentation
  – Marketing
  – Training

• Contact Center

• CIT Community

Page 12

So What Are The Rules?

• Choose at least 8 characters, including at least three of the following four character types:
  – Uppercase letters
  – Lowercase letters
  – Numbers
  – Symbols found on your keyboard, such as ! * ( ) : | / ?

• Avoid words in any dictionary or language, spelled forward or backward.

• Don't pick names or nicknames of people, pets, or places, or personal information that can be easily found out, such as your address, birthday, or hobbies.

• Don't include any of these:
  – Repeated characters, such as AAA or 555;
  – Alphabetic or numeric sequences, such as abc or 123;
  – Common keyboard sequences, such as Qwerty or pas.

http://www.cit.cornell.edu/services/identity/password.html
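The rules on this slide as a checker, added here as an example and not code from the presentation or from Cornell's own password utility: it reports which of the listed rules a candidate password breaks. The small word list and the keyboard-row table are constructed assumptions standing in for the much larger dictionary the real check used.

```python
import re
import string

# Constructed stand-in for the site's dictionary check (assumption: the real
# deployment used a far larger word list; these few words are illustrative).
DICTIONARY = {"password", "cornell", "kerberos", "welcome", "secret", "summer"}

# Alphabet, digits and keyboard rows used to spot abc/123/qwe-style sequences.
SEQUENCE_BASES = (string.ascii_lowercase, string.digits,
                  "qwertyuiop", "asdfghjkl", "zxcvbnm")


def has_repeat(pw, n=3):
    """True if any character repeats n or more times in a row (AAA, 555)."""
    return re.search(r"(.)\1{%d,}" % (n - 1), pw) is not None


def has_sequence(pw, n=3):
    """True if pw contains n consecutive characters of the alphabet, the digits
    or a keyboard row, in either direction (abc, 321, qwe, ewq)."""
    low = pw.lower()
    for base in SEQUENCE_BASES:
        for i in range(len(base) - n + 1):
            chunk = base[i:i + n]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def check_password(pw, dictionary=DICTIONARY):
    """Return the list of slide rules the password breaks; [] means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("fewer than 8 characters")
    classes = (any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw),
               any(c in string.punctuation for c in pw))
    if sum(classes) < 3:
        problems.append("fewer than three of: uppercase, lowercase, numbers, symbols")
    low = pw.lower()
    hits = [w for w in dictionary if w in low or w[::-1] in low]
    if hits:
        problems.append("contains dictionary word(s), forward or backward: "
                        + ", ".join(sorted(hits)))
    if has_repeat(pw):
        problems.append("repeated characters such as AAA or 555")
    if has_sequence(pw):
        problems.append("alphabetic, numeric or keyboard sequence such as abc, 123 or qwerty")
    return problems
```

The name/nickname rule on the slide is not checked here, since it needs per-user data (names, birthday, address) that a generic checker does not have.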

Page 13
Pages 14-26: (no transcript text)

What About Password Aging?

• Helpful at combating weak passwords by forcing them to be changed on a regular basis.

• A penalty for people who already use strong passwords.

• When confronted with a "your password has expired" dialog, you are more likely to choose a poorly conceived password so that you can get back to your work ASAP.

• If everyone has good passwords, the need for password aging is minimized.

• The notion of needing to change your Kerberos password on an annual basis is still an item under consideration, but wasn't in the scope of this project.

Page 27

April 4, Internal testing on sample of 345 Kerberos 5.0 keys successfully cracks 20 passwords (6%) within 72 hours. *

April 11, Internal Testing Begins. New policy applied to CIT/OIT employees for internal testing. All CIT/OIT employees strongly encouraged to test their NetID/password combination within 2 weeks

April 20, Updates to Campus Developers, Listservers

April 21, Begin Print Coverage

April 25, Password Complexity Enforcement policy applied; all new passwords and password changes will be subjected to new rules from this point on

April 25, Monitoring continues on a monthly basis to measure success…

[April calendar, Sunday through Saturday, marking Spring Break and the "Apply To CIT/OIT", "Apply To Campus" and "Test Results" dates; caption: We closely track results]

* Unix Crack 5.0 running on a locked down machine running no services and protected with two-factor authentication. No attempt to associate NetIDs with cracked passwords.

The Recent Schedule

Page 28

CIT NetID Passwords: 12% of 345 CIT Users in First Two Days

Page 29

Quick Stats

• Total uses of strength-check app: 1529

• Total successful password changes: 422

Page 30

Monitoring: What we Hope to Show

Fewer Crackable Passwords

Page 31

Fewer Crackable Passwords

Increasing Use of IdM Tools

Monitoring: What we Hope to Show

Page 32

Our Testers Have Been Busy!

• We’ve adjusted the size of our dictionary

• Password Tips link on error pages

• Information about length limitations

• Spaces will be allowed

• Good feedback from CSM

• New feature requests

• Investigating more intelligent dictionary check mechanisms

Page 33

Review of our Goals

• Implement the changes on the backend to enforce a level of password complexity

• Widely publicize the changes

• Provide the appropriate tools and end user documentation to be successful

• Prepare the Contact Center to support customers in adapting to the change