UCInetID Password Security Improvement Plan

Brian Roode
Network and Support Programming

Background

The majority of campus applications use UCInetIDs for authentication. Applications validate UCInetID passwords against Kerberos directly, or indirectly through services such as LDAP, IMAP and WebAuth that perform the Kerberos password validation on their behalf. UCInetID passwords are initially set, and later changed, through the UCInetID Activation System.

Passwords must be changed annually to limit the window in which a password that was compromised without the holder's knowledge, and stored for later use, remains usable. Even if you are not aware your password was stolen, changing it periodically may invalidate it before a thief has an opportunity to use it.

Goals

The goals of this project are 1) to increase the security of UCInetID passwords by requiring periodic password changes for individuals who have access to high-risk applications that deal with financial or sensitive information, and 2) to prevent reuse of any of the five previously used passwords.

Password Re-Use Restriction Plan (Implemented for PCI Compliance)

  • The Kerberos Key Distribution Center (KDC) can retain a history of each principal's previous keys and, through its password policy, reject a new password that matches any of them.
  • During the password change process, if the new password matches one of the five previously used passwords, an error message is displayed and a different, unused password has to be chosen.

Password Selection Restrictions (Implemented June, 2010)

  • Configure the Kerberos KDC default policy to keep a history of five previous passwords. Apply this policy to all current and future principals in the database.
  • Update the Kerberos principal creation routines on the UCInetID Activation System so that every new Kerberos principal is created with the default policy.
  • Update the UCInetID Password Change application to interpret the Kerberos error codes returned on a rejected change, so that a reuse rejection is reported to the user as such.

Password Selection Restrictions (Implemented November, 2013)

  • Passwords must be at least 8 characters. (previously 6)
  • Passwords cannot be longer than 63 characters. (previously 32)
  • Passwords may contain the space character. (previously not allowed)
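To make the reuse restriction and the selection rules above concrete, here is a stand-alone model of the checks a UCInetID password change has to pass. It is an added example written for this page, not the KDC's or the Activation System's code. The length rules are the ones listed above; the history check models the KDC's policy (in MIT Kerberos the `-history` option on a kadmin policy) using salted PBKDF2 digests, whereas the real KDC retains the old keys themselves. The error names KADM5_PASS_Q_TOOSHORT and KADM5_PASS_REUSE are the kadm5 codes the Password Change application has to interpret; kadm5 has no code for an over-long password, so the name used for that case, and the assumption that the 63-character limit is enforced outside the KDC, are this example's own.

```python
"""Model of the UCInetID password change checks (added illustration, not campus code)."""
import hashlib
import os

MIN_LENGTH = 8        # November 2013 rule (previously 6)
MAX_LENGTH = 63       # November 2013 rule (previously 32); assumed to be enforced outside the KDC
HISTORY_DEPTH = 5     # number of previous passwords that may not be reused


def _digest(password, salt):
    # Any slow salted hash serves the model; the real KDC compares derived Kerberos keys.
    # Iteration count kept modest so the demo runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20_000)


class PasswordHistory:
    """The current password plus the HISTORY_DEPTH before it, as (salt, digest) pairs."""

    def __init__(self):
        self._entries = []   # oldest first

    def contains(self, password):
        return any(_digest(password, salt) == digest for salt, digest in self._entries)

    def record(self, password):
        salt = os.urandom(16)
        self._entries.append((salt, _digest(password, salt)))
        # Keep only the current password and the five before it.
        del self._entries[:-(HISTORY_DEPTH + 1)]


def check_new_password(password, history):
    """Return None if the candidate is acceptable, otherwise the error code to report.

    Space characters are allowed, so there is no character-class check here.
    """
    if len(password) < MIN_LENGTH:
        return "KADM5_PASS_Q_TOOSHORT"
    if len(password) > MAX_LENGTH:
        return "PASS_TOO_LONG"          # hypothetical name: kadm5 defines no code for this
    if history.contains(password):
        return "KADM5_PASS_REUSE"
    return None


def change_password(password, history):
    """Apply the checks and, on success, rotate the history. Returns the error code or None."""
    err = check_new_password(password, history)
    if err is None:
        history.record(password)
    return err


# What the change application shows the user instead of the raw code.
USER_MESSAGES = {
    "KADM5_PASS_Q_TOOSHORT": "Password must be at least 8 characters.",
    "PASS_TOO_LONG": "Password cannot be longer than 63 characters.",
    "KADM5_PASS_REUSE": "That password was used recently; please choose a new one.",
}


if __name__ == "__main__":
    h = PasswordHistory()
    for candidate in ["short", "correct horse battery staple", "correct horse battery staple"]:
        err = change_password(candidate, h)
        print(repr(candidate), "->", USER_MESSAGES.get(err, "accepted"))
```

The history keeps the current password as well as the five before it, so a password only becomes reusable after five further changes; the last block of the test below exercises exactly that boundary.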

Periodic Password Change Plan (To Be Implemented Summer, 2015)

  • On the first of each month, UCInetID account holders whose passwords are older than 12 months will be notified by email that they need to change their password.
  • Reminders will be sent on the 15th and 22nd to account holders who have not yet changed their password.
  • A final reminder will be sent on the 28th.
  • The UCInetIDs of account holders who still have not changed their password will be deactivated on the first of the following month.
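The schedule above is a monthly job, and the part that is easy to get wrong is the cohort arithmetic: which accounts get the first notice, and which get deactivated, on a given 1st. The following example, written for this page and not the campus's actual job, takes each account's last password change date (a real job would read it from the KDC) and the run date, and returns the action the schedule calls for. The cohort rule is an assumption drawn from the schedule: an account first notified on the 1st is deactivated on the next 1st, i.e. once its password is older than 13 months. The account data is constructed.

```python
"""Monthly password-age job for the UCInetID schedule (added example, not campus code)."""
from datetime import date

MAX_AGE_MONTHS = 12
RUN_DAYS = {1: "notify", 15: "reminder", 22: "reminder", 28: "final reminder"}


def months_before(d, n):
    """The same day of the month, n months earlier. Run days 1/15/22/28 exist in every month."""
    year, month0 = divmod(d.year * 12 + d.month - 1 - n, 12)
    return d.replace(year=year, month=month0 + 1)


def action_for(last_change, today):
    """Action for one account on `today`, or None if nothing is due."""
    if today.day not in RUN_DAYS:
        return None
    if last_change >= months_before(today, MAX_AGE_MONTHS):
        return None                      # password is not older than 12 months
    if today.day == 1 and last_change < months_before(today, MAX_AGE_MONTHS + 1):
        return "deactivate"              # notified on the previous 1st and never changed (assumption)
    return RUN_DAYS[today.day]


def run_job(accounts, today):
    """accounts: {UCInetID: date of last password change}. Returns {UCInetID: action}."""
    result = {}
    for uid, last_change in accounts.items():
        action = action_for(last_change, today)
        if action:
            result[uid] = action
    return result


# Constructed sample accounts, not real UCInetIDs.
SAMPLE_ACCOUNTS = {
    "fresh":    date(2015, 6, 20),   # changed recently
    "expiring": date(2014, 7, 15),   # just past 12 months on 2015-08-01
    "ignored":  date(2014, 6, 10),   # notified 2015-07-01, never changed
}

if __name__ == "__main__":
    for uid, action in sorted(run_job(SAMPLE_ACCOUNTS, date(2015, 8, 1)).items()):
        print(uid, action)
```

A production job would also have to skip principals it has already deactivated, otherwise they are reported as "deactivate" on every subsequent 1st.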