Details

    • Type: RFC
    • Status: Implemented
    • Resolution: Done
    • Component/s: Infrastructure
    • Labels:
      None

      Description

      The LSST security policy, LPM-121, states “[LSST] is inherently multi-site...established organizations providing extant security policies and procedures that apply to LSST activities at their sites”.  Thus, for the Project Office in Tucson, AURA’s password policy applies to accounts created on the Project Office’s identity provider (i.e. Active Directory).  This is captured in LPM-97, “Project Administration Policies”.  Additionally, LSST accounts at NCSA must adhere to NCSA’s identity and access management policy, which contains its password policy (see https://wiki.ncsa.illinois.edu/pages/viewpage.action?pageId=33791874).

      Currently, the LSST Project Office and NCSA are working on a project to unify LSST’s identity and access management systems.  The goal is to create one system that manages LSST staff and user accounts and groups across multiple sites, including federated identities formed by linking offsite identities to an LSST account.  Because this new identity and access management system spans multiple sites, a consistent password policy must be adopted.  The beginnings of an identity and access management policy already exist in LSE-279, “Concept of Operations for Unified Authentication and Authorization Services”; however, that document does not contain a password policy.

      Proposed LSST Password Policy

      A. LSST passwords are case-sensitive with the following properties for passwords between 8 and 15 characters:

      1. contains at least one uppercase and one lowercase letter
      2. contains at least one number or special character
      3. does NOT contain 4 sequential characters of your login ID
      4. does NOT contain dictionary words longer than 3 characters
      5. is NOT the same as the previous password

       
      B. Passwords greater than 15 characters need only:

      1. contain at least one uppercase and one lowercase letter
      2. NOT contain 4 sequential characters of your login ID
      3. be different from the previous password

      The LSST Information Security Officer or LSST system administrators may require password changes at any time.  Typically this is due to a change in the underlying cryptographic hash algorithm or to an account compromise.
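      The rules in sections A and B above are concrete enough to implement as a validator.  The following is an added example, not LSST or NCSA code, showing one way to enforce them.  Several points the policy leaves open are assumptions here and are marked as such in the code: passwords shorter than 8 characters are rejected outright; “4 sequential characters of your login ID” is read as any 4-character window of the login ID appearing in the password, compared case-insensitively; “special character” is any printable non-alphanumeric character; the dictionary is a constructed stand-in for whatever word list a deployment would load; and the previous password is retained only as a salted scrypt hash so that rule A.5/B.3 can be checked without keeping the old secret in the clear.

```python
"""Validator for the proposed LSST password policy above.

Added example, not LSST/NCSA code.  Assumptions (not stated in the policy):
  - passwords shorter than 8 characters are rejected outright;
  - "sequential characters of your login ID" means any 4-character window of
    the login ID appearing in the password, compared case-insensitively;
  - "special character" means any printable non-alphanumeric character;
  - DICTIONARY is a constructed stand-in; a deployment would load a real
    word list (the policy does not name one);
  - the previous password is kept only as a salted scrypt hash.
"""
import hashlib
import hmac
import os

# Constructed stand-in for a real dictionary.
DICTIONARY = {"password", "telescope", "summit", "rubin", "chile", "sky", "star"}

SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)


def login_fragments(login_id, width=4):
    """Every `width`-character window of the login ID, lower-cased."""
    login_id = login_id.lower()
    return {login_id[i:i + width] for i in range(len(login_id) - width + 1)}


def hash_password(password, salt=None):
    """Salted scrypt hash; returns (salt, digest) to store as the 'previous' secret."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)


def same_as_previous(password, previous):
    """True if `password` hashes to the stored (salt, digest) of the previous password."""
    if previous is None:
        return False
    salt, digest = previous
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)


def check_password(password, login_id, previous=None, dictionary=DICTIONARY):
    """Return the list of violated rule labels (A.1 ... B.3); an empty list means accepted."""
    if len(password) < 8:
        return ["minimum length 8"]  # assumption: section A's lower bound is a hard minimum
    long_form = len(password) > 15  # section B applies above 15 characters
    lower = password.lower()
    violations = []

    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if not (has_upper and has_lower):
        violations.append("B.1" if long_form else "A.1")

    # A.2: at least one digit or special character (short passwords only).
    if not long_form and not any(c.isdigit() or not c.isalnum() for c in password):
        violations.append("A.2")

    # A.3 / B.2: no 4-character window of the login ID may appear in the password.
    if any(frag in lower for frag in login_fragments(login_id)):
        violations.append("B.2" if long_form else "A.3")

    # A.4: no dictionary word longer than 3 characters (short passwords only).
    if not long_form and any(w in lower for w in dictionary if len(w) > 3):
        violations.append("A.4")

    # A.5 / B.3: must differ from the previous password.
    if same_as_previous(password, previous):
        violations.append("B.3" if long_form else "A.5")

    return violations


if __name__ == "__main__":
    stored = hash_password("Kx7!qPz2w")  # constructed sample of a stored previous password
    for pw in ("Kx7!qPz2w", "jsmith1234", "Telescope1",
               "correct horse battery staple", "Correct horse battery staple"):
        print(repr(pw), check_password(pw, "jsmith", previous=stored))
```

      Note that only the login-ID and previous-password rules apply to passwords longer than 15 characters, so a long passphrase with mixed case passes even if it is made of dictionary words; that is the intended trade-off in section B.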

      Further Justification

      Note that this policy adheres closely to NIST SP 800-63B’s guidelines on Memorized Secrets in section 5.1.1.2, with the exception of requirements A.1, A.2, and B.1 above.

      As many have pointed out, the guidelines in NIST SP 800-63-3, “Digital Identity Guidelines”, recommend a password policy that does not require periodic password changes (see section 5.1.1.2 in SP 800-63B).  However, this recommendation assumes that the SP 800-53 framework is being used for security controls.  For example, single-factor authentication is only appropriate for Authenticator Assurance Level 1 (AAL1, see section 4.1 in SP 800-63B), which maps to the SP 800-53 Low baseline.  Many LSST systems, especially at the base and summit, do not fall under the SP 800-53 Low baseline if we map LSST security controls to SP 800-53.  Rather, they fall much closer to the SP 800-53 Moderate baseline, which calls for AAL2: a memorized secret plus a single-factor OTP device (i.e. Duo).  This stance will significantly mitigate attacks using stolen credentials.

      If we assume that LSST will deploy two-factor authentication in a manner consistent with the NIST security frameworks, we can adopt a password policy that is less onerous than the AURA password policy and be assured that we are not increasing LSST’s security risk.

            Activity

            jkantor Jeff Kantor added a comment -

            Per my action item, this needs to go back to the IT Security Team to make a final recommendation and provide a reference to an implementation ticket.

            awithers Alexander Withers [X] (Inactive) added a comment -

            This has been implemented on LSST's Kerberos realm at NCSA.  This realm will be replicated for LSST's IaM authentication needs (i.e. at the base and summit sites in Chile).

            The Active Directory server in Tucson is an AURA host and will adhere to AURA's password policy.


              People

              • Assignee:
                awithers Alexander Withers [X] (Inactive)
              • Reporter:
                awithers Alexander Withers [X] (Inactive)
              • Watchers:
                Alexander Withers [X] (Inactive), Jeff Kantor