How have you implemented password policies and management?


Jeremiah Garmatter

Aug 28, 2020, 3:38:04 PM
to CAS Community

Hello,

I am looking for some general information on password policies and management.

I am wondering how others have implemented LDAP password expiration warnings on their CAS installations (hoping for advice on CAS 6.2, but any advice is good). Do you use your LDAP provider's password policy? Notifications to email or phone? Intercept attributes with custom scripts? Change the login webflow in some way?

How have you had success warning users that their password will expire soon (or already has expired) and guiding them to reset their passwords? Would you recommend any CAS features over others for password policies and management? Also, what size organization are you? I work at a relatively small university (~4000 students).
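As an added illustration of the mechanism the question is about (this is not code from the thread or from the CAS project), the following Python works out when a login flow should warn a user that their directory password is close to expiring. It assumes OpenLDAP ppolicy-style operational attributes, pwdChangedTime (GeneralizedTime) and pwdMaxAge (seconds); the sample entries are constructed, not real accounts.

```python
"""Added example (not from the thread): deciding when to warn a user that
their LDAP password is about to expire.

Assumptions, not stated in the post: the directory exposes the OpenLDAP
ppolicy-style operational attributes pwdChangedTime (GeneralizedTime,
e.g. 20200801120000Z) and pwdMaxAge (seconds). The entries below are
constructed sample data, not real accounts.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ExpiryStatus:
    expires_at: Optional[datetime]  # None when the password never expires
    days_left: int                  # whole days remaining; 0 once expired
    expired: bool
    warn: bool                      # True inside the warning window


def parse_generalized_time(value: str) -> datetime:
    """Parse the UTC GeneralizedTime form ppolicy emits (YYYYMMDDHHMMSS[.fff]Z)."""
    if not value.endswith("Z"):
        raise ValueError("only UTC ('Z') timestamps are handled here")
    body = value[:-1].split(".")[0]  # drop optional fractional seconds
    return datetime.strptime(body, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def password_expiry(entry: dict, warning_days: int, now: datetime) -> ExpiryStatus:
    """Compute expiry as pwdChangedTime + pwdMaxAge. A missing attribute or a
    pwdMaxAge of 0 means the policy does not expire passwords at all."""
    changed = entry.get("pwdChangedTime")
    max_age = int(entry.get("pwdMaxAge", 0))
    if not changed or max_age <= 0:
        return ExpiryStatus(None, 0, expired=False, warn=False)
    expires_at = parse_generalized_time(changed) + timedelta(seconds=max_age)
    if now >= expires_at:
        return ExpiryStatus(expires_at, 0, expired=True, warn=False)
    days_left = int((expires_at - now).total_seconds() // 86400)
    return ExpiryStatus(expires_at, days_left, expired=False,
                        warn=days_left <= warning_days)


def expiry_on(entry: dict, warning_days: int, iso_utc: str) -> ExpiryStatus:
    """Convenience wrapper: evaluate the entry at an ISO-8601 UTC instant,
    e.g. '2020-10-20T12:00:00'."""
    now = datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc)
    return password_expiry(entry, warning_days, now)


def warning_message(status: ExpiryStatus) -> Optional[str]:
    """Text a login flow could show; None when nothing needs saying."""
    if status.expired:
        return "Your password has expired. Please reset it before continuing."
    if status.warn:
        return (f"Your password expires in {status.days_left} day(s). "
                "Please change it soon.")
    return None


# Constructed sample entries: 90-day maximum age, last changed 1 Aug 2020.
SAMPLE_ENTRY = {"pwdChangedTime": "20200801120000Z", "pwdMaxAge": "7776000"}
NO_EXPIRY_ENTRY = {"pwdChangedTime": "20200801120000Z", "pwdMaxAge": "0"}

if __name__ == "__main__":
    status = expiry_on(SAMPLE_ENTRY, warning_days=14, iso_utc="2020-10-20T12:00:00")
    print(status)
    print(warning_message(status))
```

Whatever the directory, the decision reduces to the same three outcomes (no expiry, warn, expired), so the same structure applies if the attributes come from a different schema or from a CAS attribute resolver; only the parsing changes. Keep the expired branch separate from the warning branch, since an expired password should route to a reset flow rather than just a banner.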

Elijah Gagne

Aug 28, 2020, 11:32:08 PM
to CAS Community, j-gar...@onu.edu
I'm at a college of a comparable size. A few years ago, we removed the requirement for users to change their password. I would check out https://pages.nist.gov/800-63-FAQ/#q-b05

Regards,
EWG

Poddar, Amit

Aug 29, 2020, 11:02:01 AM
to CAS Community, j-gar...@onu.edu
Hi,

It is true that asking people to regularly change passwords and enforcing naive password complexity requirements like ad hoc character-mixture rules does the exact opposite: people choose passwords that meet those requirements but are easy to guess.

Generally accepted best practice is to enforce a simple password complexity requirement that mostly entails
  • Password Length (>8)
  • Make sure the password is not easily guessable (to avoid password spray attack)
and to enforce a comprehensive and secure multi-factor authentication.

Thanks,
Amit
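To make the two rules above concrete, here is an added Python checker (not code from the thread or from CAS) that enforces a minimum length over 8 and a "not easily guessable" test done as a denylist lookup rather than character-class rules. The COMMON_PASSWORDS set is a constructed stand-in for a real breached-password corpus, and the username/context-word checks are an assumed extension of the same idea.

```python
"""Added example (not from the thread): a minimal checker for the two
composition rules described above, length over 8 and "not easily guessable",
implemented as a denylist check rather than character-class rules.

Assumption: COMMON_PASSWORDS stands in for a real breached/common-password
corpus; the entries here are a constructed handful for illustration.
"""
import re

MIN_LENGTH = 9  # "Password Length (>8)"

# Constructed sample denylist. In production, load a large corpus instead.
COMMON_PASSWORDS = {
    "password", "passwd", "123456", "12345678", "qwerty",
    "letmein", "welcome", "iloveyou", "football", "monkey",
}

# Substitutions users commonly make to satisfy character-class rules.
_LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e",
                       "5": "s", "$": "s", "!": "i"})

TOO_SHORT = "too_short"
COMMON = "common_password"
CONTAINS_USERNAME = "contains_username"
CONTAINS_CONTEXT = "contains_context_word"


def normalize(candidate: str) -> str:
    """Lower-case, strip leading/trailing digits and symbols
    (Password1! -> password), then undo leet substitutions
    (P@ssw0rd -> password) so trivial variants hit the denylist."""
    s = candidate.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    # An all-digit/symbol candidate would strip to nothing; keep the raw form.
    s = stripped if stripped else s
    return s.translate(_LEET)


def check_password(candidate: str, username: str = "",
                   context_words=()) -> list:
    """Return a list of problem codes; an empty list means the candidate
    passes these rules. MFA is enforced separately, as the post says."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(TOO_SHORT)
    raw = candidate.lower()
    norm = normalize(candidate)
    # Check both the raw and the normalised form against the denylist.
    if raw in COMMON_PASSWORDS or norm in COMMON_PASSWORDS:
        problems.append(COMMON)
    if username and username.lower() in raw:
        problems.append(CONTAINS_USERNAME)
    # Organisation-specific words (school name, mascot) are favourite
    # guesses in a spray, so treat them like denylist entries.
    if any(w.lower() in raw or w.lower() in norm for w in context_words):
        problems.append(CONTAINS_CONTEXT)
    return problems


if __name__ == "__main__":
    for pw in ("P@ssw0rd2020", "jdoe2020!", "correct horse battery staple"):
        print(pw, "->", check_password(pw, username="jdoe", context_words=["polar"]))
```

The normalisation step is what gives a short denylist some reach: "P@ssw0rd2020" satisfies every classic complexity rule yet collapses to "password". A real deployment would replace the set with a proper corpus lookup and keep the same call shape.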


Jeremiah Garmatter

Aug 31, 2020, 9:05:31 AM
to CAS Community
Thank you for the information,

I never thought about it like that. Basically, since they have to change their passwords every X days, you're saying that people will choose similar enough passwords that they become predictable to others over time? The longer a password lasts, the more secure people are likely to make it. The question below it (Q-B06) is also interesting to me. I'd have to go through a few layers to get changes like that made across campus, but I think many people would benefit from it. That seems like more of a long-term change to me, but good to know, thank you for that.

I am wondering if anyone has had luck implementing some sort of password warning system into CAS though?

-Jeremiah Garmatter, Systems Administrator
-Ohio Northern University, Class of 2020
