A consortium of colleges and universities is promoting increased IT security through strong passwords. Many organizations have moved away from single passwords in favor of multifactor authentication, including biometric identifiers and physical tokens. Organizers of this new initiative instead contend that a single, strong password is more effective in protecting the online data and IT systems that higher education increasingly relies on.
The group has begun developing and testing a standard for strong passwords. When implemented, the new standard will include the following requirements:
- Passwords must be exactly 26 characters, 13 of which are letters and 13 are special characters. Numbers are not allowed.
- Passwords cannot be pronounceable.
- Password letters cannot include any of the letters in the user’s first or last names or middle initial.
- Letters included in a user’s passwords cannot be either alphabetically consecutive or adjacent to one another on a QWERTY keyboard.
- Passwords can never be reused, and each successive password must use entirely different letters and special characters from the previous passwords.
- Passwords must be unique—no two users can have the same password.
- Passwords expire every 13 days.
When adopted, the standards will apply to all IT systems operated by participating organizations. Moreover, the group rejects single sign-on in favor of multi-sign-on (MSO), meaning that every IT system a user accesses will require a different strong password. According to one of the organizers of this effort, “Just because the systems you use can easily pass data back and forth—and can share your data with third parties—doesn’t mean you should be able to access all of your data with just one password.” Indeed, among members of the IT security community, the nightmare scenario is one in which a bad actor obtains the sticky note where you’ve written your password and then—thanks to single sign-on—is able to access a host of IT systems and can move money out of your bank accounts, register for classes that you don’t need for your degree, and put library books on hold that you don’t want to read. By requiring MSO, this new initiative shields IT systems from illicit access via a single system.
Users who mis-enter their password one time will be locked out. The new standard will also do away with security questions. No longer will people struggle to remember the name of their best friend’s dog from middle school or the color of the seats in their first car. Under the new system, users who forget a password or are locked out will be required to set up a new account, and any information previously held in that system will be forfeited by the user, though other IT systems will still be able to access it.
When a noted chief information security officer (CISO) and member of the Higher Education Information Security Council (HEISC) was asked about this new standard, she simply said, “Wow.”
The group, which calls itself the Association for Password Restrengthening in Learning, expects to release the first draft of its standard—dubbed the APRiL 1.0 specification—later this year.
This article is part of EDUCAUSE Special Coverage for April 2017.
Copyright: © 2017 EDUCAUSE. The text of this article is licensed under the Creative Commons BY-NC-ND 4.0 International License.