UC Santa Cruz Information Technology Services

IDM Password Management Strategy

Objectives

The IDM project has two short-term objectives for account and password management:

  1. Support the deployment of UC-wide applications through the UCTrust federation in January 2009.
  2. Stabilize the existing WebReg application's functions. WebReg supports students activating their UCSC ID (Kerberos) accounts for access to CruzMail, CruzNet and Instructional Computing labs.

Short-Term Password Strategy (in support of Jan 2009 deployment)

IDM will provide a new password in support of the UC-wide/UCTrust applications. The use of this new password by campus applications will be carefully controlled, with applications being restricted to using the most secure technologies available. Applications that cannot use the preferred technologies (e.g., Shibboleth) will be required to undergo a strict review before being allowed use of alternate technologies (e.g., LDAP). It is expected that IDM would allow use of these alternate technologies in several instances.

Details

  • The new password will be distinct from the existing UCSC ID (Kerberos) password, but will be tied to the same username. That is, users will have one username but two passwords (new and existing).
  • The new password will be required to meet the campus "complex password" requirements (8 characters minimum, a mix of upper-case, lower-case, numeric and symbol characters, etc.).
  • Password change pages will ensure that the new password and the existing password are kept different; users will not be allowed to set both passwords to the same values.
  • Other than replacing the WebReg functionality, no immediate changes are planned for how the Kerberos password is managed.
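As an added illustration (not part of the ITS strategy document), the Python sketch below shows how a password change page could enforce the two rules above: the campus complexity requirement, and the rule that the new IDM password must differ from the existing Kerberos password, which the change page would hold only as a stored verifier rather than in the clear. The PBKDF2 verifier, the `make_verifier`/`matches_verifier` helpers and the sample passwords are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Campus "complex password" rule as stated in the strategy: at least 8
# characters, with upper-case, lower-case, digit and symbol classes all present.
MIN_LENGTH = 8
CLASS_PATTERNS = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def complexity_failures(password: str) -> List[str]:
    """Return the complexity rules the candidate violates (empty list = OK)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in CLASS_PATTERNS.items():
        if not pattern.search(password):
            failures.append(f"missing {name} character")
    return failures


# Hypothetical stand-in for the existing (Kerberos) credential store: a salted
# PBKDF2 verifier. The change page never sees the other password in the clear.
def make_verifier(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def matches_verifier(password: str, verifier: Tuple[bytes, bytes]) -> bool:
    """Constant-time check of a candidate against a stored verifier."""
    salt, digest = verifier
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, digest)


def validate_new_idm_password(candidate: str, kerberos_verifier: Tuple[bytes, bytes]) -> List[str]:
    """Reasons the candidate must be rejected; an empty list means it may be set."""
    problems = complexity_failures(candidate)
    # Second rule: the two passwords tied to the one username must differ.
    if matches_verifier(candidate, kerberos_verifier):
        problems.append("identical to the existing UCSC ID (Kerberos) password")
    return problems
```

The same `matches_verifier` check can be run in the other direction when the Kerberos password is changed, so neither change page lets the two credentials converge.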

Longer-Term Password Strategy (to be developed after Jan 2009)

The intent is that applications that currently use the UCSC ID (Kerberos) password will move to using the new IDM password over time. As this happens, use of the existing UCSC ID password will be reduced and eventually replaced by the new password. As use of the new password becomes more common, we will re-evaluate the purpose and appropriate uses of the Kerberos password.

Applicability of (new) Password for Access to Systems

The IDM Steering Committee has recommended that the IDM password be used to grant access only up to the level of an individual's own restricted data. Access to institutional restricted data and other "highest risk" access types should NOT be granted on the basis of the IDM password at this time. Examples of acceptable vs. unacceptable uses of the IDM password:

  • Email: Acceptable; access to non-restricted data
  • At Your Service Online: Acceptable; access to "personal" restricted data
  • AIS (as a student): Acceptable; access to "personal" restricted data
  • AIS (as an advisor): Unacceptable; access to "institutional" restricted data
  • FIS (as a "buyer"): Unacceptable; ability to execute high-risk institutional transactions

Background/Security Concerns discussion

IDM continues to support reducing the number of accounts and/or passwords required of users to the extent possible. Support for "Single Sign On" (SSO) -- a single password that would allow users to access all enterprise applications -- has been tempered by a closer evaluation of the security risks posed by user password habits and by the security capabilities of legacy systems. Specifically:

  1. Static (reusable) passwords are relatively insecure. Password breaches, caused by either application compromises or poor user password behavior, can affect multiple systems.
  2. The adequacy of system security and the potential risks associated with many of the applications that currently handle the (Kerberos) username and password have not yet been assessed.

The IDM Steering Committee recommends the above strategies to allow more careful control of the handling of the (new) user password without unduly impacting applications that rely on the existing (Kerberos) password in the short term.