Friday August 2nd, 2013

DRAFT
UCInetID Password Security Improvement Plan

Brian Roode
Network and Support Programming

This document is maintained on the web at: http://www.oit.uci.edu/idm/plans/nacs-ucinetid-password-plan-2009.php

Background

The majority of campus applications use UCInetIDs for authentication. Applications validate UCInetID passwords using Kerberos directly, or indirectly through other applications such as LDAP, IMAP, WebAuth, etc. that handle the Kerberos password validation. UCInetID passwords are initially set and changed through the UCInetID Activation System.

Goals

The goals of this project are 1) to increase the security of UCInetID passwords by requiring periodic password changes for individuals who have access to high-risk applications that deal with financial or sensitive information, and 2) to restrict the re-use of the five previously used passwords.

Password Re-Use Restriction Plan (PCI Compliance)

  • The Kerberos Key Distribution Center (KDC) has the capability to store previously used passwords and restrict their use upon password change.
  • During the password change process, if one of the five previously used passwords is entered, an error message will be displayed and a new, unique password will have to be chosen.

Password Selection Restrictions (Implemented June, 2010)

  • Configure the Kerberos KDC default policy to store five previous passwords. Apply this policy to all current and future principals in the database.
  • Update the Kerberos principal creation routines on the UCInetID activation system to set the default policy for all new Kerberos Principals created.
  • Update the mechanism used by the UCInetID Password Change application to correctly interpret the Kerberos error codes returned when a password change is rejected.
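The three steps above map onto a small number of kadmin operations. The script below is an added example (it is not the campus activation-system code) showing how the MIT Kerberos policy can be created, attached to every existing principal from the output of list_principals, and set on newly created principals. It assumes MIT Kerberos kadmin.local with the add_policy, modify_policy, modify_principal, add_principal and list_principals subcommands; the policy name "default" and the depth of five passwords come from the plan, while the realm EXAMPLE.EDU and the principal names are constructed sample data.

```python
"""Build the MIT Kerberos kadmin commands behind the password re-use restriction.

Added example; not the campus's own tooling. Assumptions:
  - MIT Kerberos kadmin.local with the add_policy, modify_policy,
    modify_principal, add_principal and list_principals subcommands.
  - The policy is named "default" and keeps five passwords, as in the plan.
  - The realm and principals in the sample output are constructed.
Whether the -history count includes the current key depends on the KDC
version, so verify the effective depth on a test principal before rollout.
"""
import subprocess

POLICY_NAME = "default"
HISTORY_DEPTH = 5


def policy_command(name=POLICY_NAME, history=HISTORY_DEPTH, exists=False):
    """Create (or update, if it already exists) the password-history policy."""
    verb = "modify_policy" if exists else "add_policy"
    return f"{verb} -history {history} {name}"


def parse_list_principals(output):
    """Extract principal names from 'list_principals' output.

    kadmin prints one principal per line; blank lines and the
    'Authenticating as ...' status line are skipped.
    """
    principals = []
    for line in output.splitlines():
        line = line.strip()
        if "@" in line and not line.startswith("Authenticating"):
            principals.append(line)
    return principals


def assign_policy_commands(principals, name=POLICY_NAME):
    """Attach the policy to every existing principal (one command each)."""
    return [f"modify_principal -policy {name} {p}" for p in principals]


def new_principal_command(principal, name=POLICY_NAME):
    """Command the activation system would issue for a new UCInetID.

    kadmin prompts for the initial password interactively, so it never
    appears on the command line or in shell history.
    """
    return f"add_principal -policy {name} {principal}"


def run_kadmin(commands, dry_run=True):
    """Run each command through kadmin.local -q; dry_run only echoes them."""
    for cmd in commands:
        if dry_run:
            print("kadmin.local -q", repr(cmd))
        else:
            subprocess.run(["kadmin.local", "-q", cmd], check=True)


if __name__ == "__main__":
    # Constructed sample of what 'kadmin.local -q list_principals' prints.
    sample_output = (
        "Authenticating as principal root/admin@EXAMPLE.EDU with password.\n"
        "alice@EXAMPLE.EDU\n"
        "bob@EXAMPLE.EDU\n"
        "host/www.example.edu@EXAMPLE.EDU\n"
    )
    plan = [policy_command()]
    plan += assign_policy_commands(parse_list_principals(sample_output))
    plan.append(new_principal_command("carol@EXAMPLE.EDU"))
    run_kadmin(plan)  # dry run: prints the kadmin invocations
```

Run it with dry_run=True first and review the generated commands; service principals (host/..., for example) appear in list_principals too, so decide whether they should carry the same policy before switching dry_run off.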

Periodic Password Change Plan (NOT YET IMPLEMENTED - Discussion Points)

  • A field in campus directory will contain the date of the last password change {YYYYMMDD}.
  • When an affiliate authenticates using WebAuth, WebAuth will check this date and 1) if the password expires in seven or fewer days, inform the user that they need to change their password and present a link to the password changer; 2) if the password has expired, only redirect them to the UCInetID password changer.
  • The password "age" report will be updated to include expired-password status.
  • Users will be notified via electronic mail if their password is going to expire within 14 days. A link will be provided in the e-mail to the password changer.
  • If a user's password has reached its expiration date without being changed, the account will be blocked from using WebAuth. Blocked accounts will need to have their passwords changed to unblock them. The rationale here is that people can still read their email while blocked but will not be able to access any WebAuth-authenticated web services.
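The discussion points above amount to one decision function evaluated from the directory's last-change date. The code below is an added example, not the campus WebAuth, report or mailer code, that works the plan's thresholds through: it assumes the {YYYYMMDD} directory field from the plan, a hypothetical maximum password age of 180 days (the plan sets no value), and that an empty field counts as expired (a conservative choice of this example, not something the plan states). The CHANGER_URL and the sample directory entries are constructed placeholders.

```python
"""Decision logic for the periodic password change plan.

Added example; not the campus WebAuth or mailer code. Assumptions:
  - The directory field is a YYYYMMDD string (from the plan); an empty
    field is treated as "never changed" and therefore expired (this
    example's choice, not the plan's).
  - A maximum password age of 180 days (hypothetical; the plan sets none).
  - The 14-day e-mail notice and 7-day login prompt come from the plan.
"""
from datetime import date, datetime, timedelta

MAX_AGE_DAYS = 180       # hypothetical; the plan does not state a value
EMAIL_WARN_DAYS = 14     # plan: e-mail if expiring within 14 days
LOGIN_WARN_DAYS = 7      # plan: WebAuth prompt at seven or fewer days
CHANGER_URL = "https://password-changer.example.edu/"  # placeholder


def _as_date(value):
    """Accept a date or a YYYYMMDD string and return a date."""
    if isinstance(value, date):
        return value
    return datetime.strptime(value, "%Y%m%d").date()


def parse_change_date(field):
    """Parse the {YYYYMMDD} directory value; return None if unset."""
    if not field or not field.strip():
        return None
    return _as_date(field.strip())


def days_until_expiration(field, today):
    """Days left before the password expires (<= 0 means expired)."""
    last_change = parse_change_date(field)
    if last_change is None:
        return 0  # assumed: no recorded change date counts as expired
    return (last_change + timedelta(days=MAX_AGE_DAYS) - _as_date(today)).days


def webauth_decision(field, today):
    """What WebAuth does at login: 'allow', 'allow_and_prompt' or 'redirect'."""
    left = days_until_expiration(field, today)
    if left <= 0:
        return "redirect"          # expired: password changer only
    if left <= LOGIN_WARN_DAYS:
        return "allow_and_prompt"  # warn and link to CHANGER_URL
    return "allow"


def needs_expiry_email(field, today):
    """True when the mailer should send the 14-day notice."""
    left = days_until_expiration(field, today)
    return 0 < left <= EMAIL_WARN_DAYS


def age_report_row(ucinetid, field, today):
    """One line of the password 'age' report, including expired status."""
    left = days_until_expiration(field, today)
    status = "EXPIRED" if left <= 0 else f"{left} days left"
    return f"{ucinetid}\t{field or '(unset)'}\t{status}"


if __name__ == "__main__":
    today = date(2013, 8, 2)  # the plan's date
    # Constructed sample directory entries: UCInetID -> last change date.
    sample = {"alice": "20130801", "bob": "20130208",
              "carol": "20130101", "dave": ""}
    for uid, field in sample.items():
        print(age_report_row(uid, field, today),
              webauth_decision(field, today),
              "e-mail" if needs_expiry_email(field, today) else "")
```

Note that the e-mail window (14 days) is wider than the login prompt window (7 days), so a user can receive the notice without yet seeing the prompt; both stop once the password has expired, at which point only the redirect applies.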

Notes

  • Locking accounts currently scrambles the Kerberos password which makes it impossible to detect if the password has been used before. To enhance security, we will use the features of the Kerberos system to disable accounts.