
Password lifespans at UCL - a training opportunity

by Bridget Kenyon


  1. Password lifespans at UCL – A training opportunity. Bridget Kenyon CISSP CISM, Global CISO, Thales e-Security. 28/11/2017
  2. Password lifespans at UCL: A training opportunity. Bridget Kenyon CISSP CISM, Global CISO, Thales e-Security
  3. Topics
     • A note on passwords and lifespans
     • At UCL: the problem, and the opportunity!
     • The idea
     • The implementation
     • The outcome
  4. Password lifespans: What is the advice?
  5. CESG advice in 2015 (https://www.ncsc.gov.uk/articles/problems-forcing-regular-password-expiry)
     • “Regular password expiry is a common requirement... we explicitly advised against it”
     • “We want administrators to think about alternative, more effective system defences they might implement”
  6. What about the small print? (https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach)
     “...stolen passwords are generally exploited immediately. Long-term illicit use of compromised passwords is better combated by:
     • monitoring logins to detect unusual use
     • notifying users with details of attempted logins, successful or unsuccessful; they should report any for which they were not responsible”
     SciHub?
  7. Password risks
     • Your computer is hacked and all of your passwords stolen
     • Your account for a site is hacked by guessing your password
     • The organisation you’re signing in to gets hacked, exposing everyone’s passwords
  8. UCL in 2012
     • An old in-house “single sign-on” system
     • Many central directories
     • Many departments using them
     • Complex, hard to manage, hard to secure
  9. The user experience
     • Password must be 8 characters long
     • Must contain upper case, lower case, numbers, some symbols....
     • Must change it every 150 days
     • If forgotten, must call or visit IT
  10. The net result
  11. An opportunity!
     • Find a commercial package to meet our needs
       • Didn’t meet our requirements for interoperability
     • Rewrite our system from the ground up:
       • Improve security
       • Longer passwords allowed
       • Reset via text message
       • What about lifespan?
  12. Alternatives to lifespan
     • Block repeat logins
       • Susceptible to misuse
     • Alert on unusual behaviour
       • Define “unusual”...
     • Notify user of all logins, require them to raise the alarm
       • How realistic?
  13. Consensus: still a place for password lifespans at UCL
  14. The idea
     • Make password lifespans a learning tool
     • Give stronger passwords longer lifespans
     • Show lifespan when setting a password
  15. How does this work in practice?
  16. The reception so far
     • Very positive!
     • Some confusion over maximum length allowed
     • Despite adding new user accounts from IoE (approx 15,000), no increase in service desk calls for password resets observed.
  17. Thanks for your time! Any questions?
  18. jisc.ac.uk. Thank you. Bridget Kenyon CISSP CISM, Global CISO, Thales e-Security. 28/11/2017
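Slides 6 and 12 list the NCSC's alternatives to forced expiry (monitor logins for unusual use, notify users of every login) and flag the hard part: deciding what "unusual" means. The following is an added example, not code from the deck or from UCL's sign-on system, that commits to one concrete definition and runs it over a constructed authentication log: a successful login from a country never seen for that user, two successful logins from different countries inside a short window, and a run of failures followed by a success. The log format, the field names, the thresholds (TRAVEL_WINDOW, FAIL_WINDOW, FAIL_THRESHOLD) and every sample entry are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (illustrative entries, not real UCL traffic).
# The line format is an assumption for this example.
SAMPLE_LOG = """\
2017-11-28T08:55:02Z user=alice ip=144.82.8.1 country=GB result=success
2017-11-28T09:10:31Z user=alice ip=144.82.8.1 country=GB result=success
2017-11-28T09:40:05Z user=alice ip=203.0.113.7 country=RU result=success
2017-11-28T10:00:00Z user=bob ip=198.51.100.4 country=US result=failure
2017-11-28T10:00:09Z user=bob ip=198.51.100.4 country=US result=failure
2017-11-28T10:00:17Z user=bob ip=198.51.100.4 country=US result=failure
2017-11-28T10:00:26Z user=bob ip=198.51.100.4 country=US result=failure
2017-11-28T10:00:35Z user=bob ip=198.51.100.4 country=US result=failure
2017-11-28T10:03:10Z user=bob ip=198.51.100.4 country=US result=success
2017-11-28T11:00:00Z user=carol ip=144.82.8.9 country=GB result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"country=(?P<country>\S+) result=(?P<result>\S+)$"
)

# Assumed thresholds for what counts as "unusual".
TRAVEL_WINDOW = timedelta(hours=2)    # two countries inside this window
FAIL_WINDOW = timedelta(minutes=10)   # failures are counted within this window
FAIL_THRESHOLD = 5                    # this many failures, then a success


def parse_log(text: str) -> list[dict]:
    """Parse lines in the assumed format into events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def analyse(text: str) -> tuple[list[tuple[str, str, str]], list[str]]:
    """Return (alerts, notifications).

    alerts: (rule, user, detail) for each event judged unusual.
    notifications: one message per successful login, meant to be sent to the
    user so they can report any login they did not make.
    """
    alerts, notifications = [], []
    seen_countries = defaultdict(set)   # per-user baseline of countries seen
    last_success = {}                   # most recent successful login per user
    failures = defaultdict(list)        # recent failure timestamps per user

    for ev in parse_log(text):
        user, ts, country = ev["user"], ev["ts"], ev["country"]
        if ev["result"] != "success":
            failures[user] = [t for t in failures[user] if ts - t <= FAIL_WINDOW] + [ts]
            continue

        notifications.append(
            f"{user}: successful login from {ev['ip']} ({country}) at {ts:%Y-%m-%d %H:%M}Z")

        # Rule 1: a country never seen before, for a user who already has a baseline.
        if seen_countries[user] and country not in seen_countries[user]:
            alerts.append(("new_country", user, country))

        # Rule 2: two different countries inside TRAVEL_WINDOW.
        prev = last_success.get(user)
        if prev and prev["country"] != country and ts - prev["ts"] <= TRAVEL_WINDOW:
            alerts.append(("impossible_travel", user, f"{prev['country']}->{country}"))

        # Rule 3: a burst of failures immediately followed by a success.
        recent = [t for t in failures[user] if ts - t <= FAIL_WINDOW]
        if len(recent) >= FAIL_THRESHOLD:
            alerts.append(("guess_then_success", user, f"{len(recent)} failures before success"))

        failures[user] = []
        seen_countries[user].add(country)
        last_success[user] = ev

    return alerts, notifications


if __name__ == "__main__":
    found, notes = analyse(SAMPLE_LOG)
    for a in found:
        print("ALERT", *a)
    for n in notes:
        print("NOTIFY", n)
```

On the constructed log this raises three alerts (alice's new country and GB-to-RU move within half an hour, bob's five failures before a success) and five notifications, one per successful login. Note how the example answers the caveats on slide 12: the new-country rule will fire on genuine travel, so it produces an alert for a human rather than a block, and the failure burst is counted to raise an alert instead of locking the account, because an automatic lock on repeated failures hands anyone who knows a username a way to lock its owner out.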

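The idea on slide 14 (lifespan as a learning tool, longer lifespans for stronger passwords, the lifespan shown at the moment the password is set) comes down to a policy function that turns a candidate password into a number of days and a message. The following is an added example and not UCL's implementation; the entropy estimate, the bands in LIFESPAN_BANDS, the length limits and the small COMMON_PASSWORDS list are all assumptions chosen for illustration.

```python
import math
import string

MIN_LENGTH = 8    # assumed minimum, echoing the 8-character rule on slide 9
MAX_LENGTH = 64   # assumed maximum; the deck does not state the real limit

# Assumed policy: (entropy ceiling in bits, lifespan in days). An estimate below
# the first ceiling is rejected (lifespan 0). Not UCL's actual table.
LIFESPAN_BANDS = [
    (28, 0),
    (36, 90),
    (50, 180),
    (70, 365),
    (math.inf, 730),
]

# Constructed blocklist standing in for a real breached-password list.
COMMON_PASSWORDS = {"password", "password1", "qwerty123", "letmein", "welcome1"}


def pool_size(password: str) -> int:
    """Size of the alphabet the password appears to be drawn from."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),
        (" ", 1),
    ]
    return sum(size for chars, size in classes if any(c in chars for c in password))


def entropy_bits(password: str) -> float:
    """Crude brute-force estimate: length * log2(alphabet size)."""
    pool = pool_size(password)
    if not password or pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def lifespan_days(password: str) -> tuple[int, str]:
    """Return (lifespan in days, message shown to the user). 0 days means rejected."""
    if len(password) < MIN_LENGTH:
        return 0, f"Rejected: passwords must be at least {MIN_LENGTH} characters."
    if len(password) > MAX_LENGTH:
        return 0, f"Rejected: passwords may be at most {MAX_LENGTH} characters."
    if password.lower() in COMMON_PASSWORDS:
        return 0, "Rejected: this password appears in lists of commonly used passwords."
    bits = entropy_bits(password)
    days = 0
    for ceiling, band_days in LIFESPAN_BANDS:
        if bits < ceiling:
            days = band_days
            break
    if days == 0:
        return 0, f"Rejected: estimated strength {bits:.0f} bits is too low."
    return days, (f"Accepted: estimated strength {bits:.0f} bits, so this password "
                  f"will expire in {days} days. A longer passphrase would last longer.")


if __name__ == "__main__":
    for candidate in ["Password1", "Summer2017", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(f"{candidate!r}: {lifespan_days(candidate)[1]}")
```

The message returned with the lifespan is the training moment the slide describes: the user sees, while choosing, that "Summer2017" buys a year and "correct horse battery staple" buys two. The alphabet-size estimate is deliberately simple and is known to be generous to patterned strings (eight lowercase letters in sequence still score about 38 bits here), which is why the blocklist check sits in front of it and why a deployment would pair it with a pattern-aware estimator and a breached-password lookup.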