ACNS and CSU eID Password Policy Update

By Ross Madden
Published on March 19, 2013 11:24 am MT
Updated on March 21, 2013 9:11 am MT
Posted in General CNSIT, Security

As you have probably heard, ACNS is updating the eID password Policy, starting April 1st.  This change will not affect everyone at once, but beginning in April, all new password reset messages you conduct will require the following rules to be applied:

  1. Passwords must be between 15 and 30 characters long.
  2. Passwords must include at least one letter.
  3. There’s no requirement to use upper-case or special characters (though they can be chosen, other than those in #4).
  4. The same list of special characters NOT to choose based on some back-end Oracle applications is still with us; now it’s enforced across the board, for consistency and ease of support. Note that this includes a prohibition against blank spaces. (Banned Characters: @ $ & ” ( ) ‘ ; = # * blank_space < > , )
  5. Certain password choices are not allowed, and will be prevented by the password change tool:
    • The user’s eName, real first name and real last name cannot be used as part of the password.
    • Single 15+ character words are not allowed (this is called a “dictionary check”).
    • Password history will be retained and checked: the user must choose a different password at each change.
    • Some weak choices and easily guessed phrases are also being blocked (including sequential strings like ‘abcdefgh’, movie/book titles, CSU fight song lyrics, and passwords used as examples on the web site and in presentations that have been given as part of this policy transition).
  6. With this new list of requirements, the refresh rate moves from 6 months to 1 year. So any password created after April 1st will be good for a year from the date of the change.

Here are some of the concepts that drove ACNS in the decision-making for the new policy:

  1. Our current password scheme is simply too weak, given the advances in attacks.
  2. In choosing a stronger password, we want to avoid unnecessary complication and ease usage wherever possible.
  3. Expanded use of mobile devices has made traditional “strong” passwords, which rely on excessive complexity and obfuscation, increasingly difficult to use (particularly on phones that require multiple screens to access all the special characters).
  4. Difficulty of guessing, difficulty of remembering, and difficulty of typing a password are separate concepts.
    • Our current scheme asks users to select passwords that can be difficult to remember and type, but are easy for computers to guess.
    • Our goal is to create passwords that are easy for humans to remember and type, but hard for computers to guess.
  5. So here’s how longer, simpler passwords address those three concepts (guessing, remembering, and typing):
    • Longer strings of lower-case letters, even when arranged into a sequence of real words, can provide better defense against guessing than short, complex character strings. Expressed differently: length is much more important than complexity.
    • A string of common words can be more easily memorized than a string of nonsense characters or special-character substitutions. Each word can be remembered as a “chunk”, requiring only a few word-sized chunks rather than a much longer series of individual special characters or substitutions.
    • A sequence of real words in all lower-case letters is easier to type than special characters that require Shift or Alt on a normal keyboard or additional entry screens on mobile devices.

     

And, finally, here is some much needed comic relief: http://xkcd.com/936

password_strength

Back to top of page