On April 4, the UW-Madison Office of Cybersecurity held an open-campus listening session on new password guidelines. The panel answering questions included Chief Information Security Officer Bob Turner, Susan Dyke and Chris Spencer from the Office of Cybersecurity and Tom Jordan from DoIT Middleware. Stefan Wahe served as moderator. Here’s a transcript, lightly edited.
Moderator: What are your thoughts/comments?
Audience: What’s the initial reaction by everybody when NIST (National Institute of Standards and Technology) came out with a 180 on their password recommendations?
Panel: Complex passwords and regular changes result in theoretical security but drive behaviors that are insecure. It reflects the time invested in password complexity. People just want to log on and get to work. We’ve created technology that only needs 8 characters. We can make complex passwords with simple words.
Audience: I think it’s been anticipated on campus for a while. There have been academic papers floating around, talk in MIST (UW-Madison Information Security Team) communication. We’ve known it’s been best practice for a while. We’ve been saying it for years now.
Audience: Complexity only protects against brute force attempts. Everything else (social engineering, etc.), the campus doesn’t care about, people don’t care about. They don’t understand what they’re protecting. They don’t care about email/websites. We’ve moved past caring about passwords. Everyone else doesn’t understand, the people in this room do.
Stefan: Talking about brute force, how are attackers getting credentials besides this?
Panel: They can look in people’s offices. For example, the Hawaii nuclear missile scare where there was a 12-character password on the monitor (see image above), default vendor passwords, man-in-the-middle attacks, pages not encrypted properly, system compromise (paceman), and compromised passwords from systems already broken into. The longer the password/passphrase, the harder it is to crack into. If the same password is being used across systems, they can look for it in other systems too.
There’s a NIST dictionary of known bad passwords. I recommend a dictionary. When someone tries to use a compromised password, have them select something different.
Audience: Does the university have a recommendation for multifactor authentication?
Panel: Yes, Duo. We’re working on implementing Duo two-factor authentication for faculty and staff for the coming year. And there is a project proposal in process to roll it out to students.
Audience: What is the definition of staff in these cases?
Panel: It is university folks under the regular definitions and includes contractors, faculty and student employees. We’re focusing on a one-time password that supports push authentication. You would use a smartphone to confirm authentication. We’re focusing on the NetID login service which will begin in late spring, early summer.
Audience: When can I get it for my systems?
Panel: We still need to work with sponsors.
Audience: How does Duo work?
Panel: If you’re familiar with the Symantec VIP product, its user experience is similar to that, though Duo is more convenient. You download a smartphone app, so you don’t need to transpose a number into the website. You just need to click a button on the phone.
Audience: What if you don’t have a smart phone?
Panel: You use a smart token similar to HRS which gives you a passcode. DoIT Middleware is currently using it as a pilot.
Audience: Could you compare it to something more widespread, like Google?
Audience: Yes, I think it’s easier.
Panel: You can use it with tablets too.
Here there was a demo of Duo on the screen.
Panel: What we’ve developed is a common solution for around campus, so licensing can be funded centrally. Hardware tokens might have a cost to your department. So the question is, would your department need to buy multiple hard tokens or are your users willing to use their phones?
Audience: How much does the token cost?
Panel: $15, but it depends on how many we buy. For Symantec, they were $20, but if you bought in bulk, they were $7 or $11. So, $15-$20 is the estimate.
I understand that people have an emotional attachment to putting apps on their phone. It’s your personal phone, so is this a shared feeling in the room? Would you rather have a token?
Audience: How hard is it to use with NetID?
Panel: Duo is a single app that you can integrate with various instances. There’s a dialogue with the Duo app that says which instance it is. There is nothing different with the end user. You just have to register with each instance.
Audience: With personal phones, when there was a migration to Office 365, there was concern with, you can remote wipe my device now. So, my gut feeling is that it’s fine, but if a device gets lost, etc., what are the next steps? A remote wipe?
Panel: A system admin can unlink a device from an account. In addition, if someone loses their phone, the DoIT Help Desk could remove the phone from the Duo account.
Mobile device management is coming which could afford this opportunity. Plus, the phone and app are meaningless unless associated with the user. There is no risk unless it is associated with the individual, which is an administrative process. Because it is multifactor, you also need the password. You need all the pieces of the puzzle.
Audience: What’s the process for joining a smart phone to a user?
Panel: This is yet to be developed.
Audience: Will there be a positive affirmation to say “Use this as my device?”
Panel: We will have instructions on this.
Audience: I know Google’s authorization is with a QR code. What is Duo’s like?
Panel: Duo’s enrollment process is similar. What we need to work on are the systems that have higher ID proofing. We want to provide an easy function for lower levels but understand what to do for higher ID proofing.
For system admins, there are some decisions. Does your user want in person proofing or to do it by themselves? The type of business processes being done with these factors needs to be determined.
Audience: Can Duo be linked to more than one smart device and, if so, which one is pushed to?
Panel: We will need to determine this.
Audience: How are smartphone apps going to comply with NIST?
Panel: There is a class of systems with higher ID proofing, like biometrics. We could consider integration with fingerprint to unlock the device, but this requires more device configuration management capabilities than we currently have university-wide. Managed devices could possibly support this.
Audience: With the NIST guidelines, are you going to change complexity requirements for NetIDs?
Panel: We’re working on it now. It’s part of the process — what we can and cannot do. If your password meets the length and four-letter words in a row, it will be a valid password.
Audience: I recommend that we exclude people’s names using a dictionary, and Bucky and Wisconsin.
Panel: That’s user experimentation; what works for them, what meets authentication.
Audience: How much do you use multifactor authentication in your daily life? What do you see as the major obstacles to adoption? What are the roadblocks to an individual user using multifactor authentication?
- I use LastPass, and I might use Duo.
- I use it every day. It’s simple and gives me good feeling.
- I’ve never had a problem even though I have a crappy old phone.
Panel: Who uses a password manager? Many people in the room raise their hand.
It might be nice to use these as survey questions when talking in your own groups. Gather this information to help to see where to go.
Audience: I know people are waiting for an answer. If there was a recommended password manager that would be helpful.
Panel: There’s not one currently, but we’re working on it.
Audience: I think it would be valuable to have access to a password vault.
Panel: How many would like to see a password vault? Most everyone in room raises their hand.
Audience: With right usage and requirements, yes.
- There are department purchases of LastPass, etc. but I would like it to be ubiquitous.
- Here’s a list of good choices.
- My group might have different needs than end users.
A lot of departments shy away from purchasing licenses because they would have to purchase every year versus one time. The result is they’re probably going to end up with poor security for departmental passwords. A recommended password vault would be extremely valuable.
Offering a number of solutions, rather than one recommended vault, would be better. Differences help rather than hurt, especially if one is hacked. That way we’re not guaranteeing that if we use one solution, we’re nailed.
The changing of password standards to a long string removes complexity, but it invalidates a large number of passwords that people would have to change. Credentials are not handled well by users. How and when might this transition happen?
Panel: IT advisory groups are leading a four-part charge — analyzing IM services, credibility and management, IT, procurement. They will help figure out how to do the implementation of the new standard for NetID and other campus systems.
Audience: What do you think will work well with your groups? To declare a specific day for implementation or a soft rollout? Is it going to be a requirement at a certain point in time and not a suggestion?
Panel: At the right time, yes. There are decision points that groups need to make regarding what day one will look like. Should it be that new folks are held to the standard? Should it be targeted groups?
Audience: Years back when this happened, there was a long series of telling people. There were targeted emails. It all culminated on St. Patrick’s Day when users were locked out of their email if they hadn’t made password changes. This communication was over the span of a year. Many users had their accounts. It needs to be implemented all at once at some point otherwise there is confusion.
Audience: What’s the strategy for when we require the new password standards? There should be a communication strategy so that people don’t get inundated with messages that are not useful to them.
We should coordinate the password change and communication strategy with campus.
There should be tools to help people. We should get as many people to help coordinate on the same schedule.
It should be a very thoughtful approach.
Think of seatbelts. People are still not doing it.
We need to make sure we’re requiring it.
How should we measure compliance?
Panel: These are all valid concerns. Please send comments and concerns to firstname.lastname@example.org.
Panel: The strategy is to minimize the number of places that passwords are handled. Then you reduce the risk.
Audience: What will happen if a user doesn’t have a NetID?
Panel: There was a project around parent access to services that was cancelled due to reasons unrelated to authentication. There are discussions around non-credit space, but there is no plan right now. We’re working on a path for departments to get NetIDs for people not in traditional populations.