ADTF 2016-10-05
Password Policy Complexity/Reset Portal Update
Password presentation - Rich Johnson
Google Auth vs. AD/kerberos
Web authentication against AD
Password length and increased need for two factor auth
Status of joining workstations to AD
mark, simonw, rwallis, bruckerd, ogg, carheden, dattilo, chartier, rjohnson, sandoval, kimn, rjbubon, estradar, tarrant, hoekstra, buss (remote), erinmcd (remote), hharris, jlampe
Will work in some topics from last meeting as we go.
Ramsey on password policy/reset. Scheduled to go live soon: notifications go to all staff on the 10th, enforcement turns on the 17th. Won’t affect existing passwords; will apply to newly set passwords. Rules: minimum of 9 characters; upper-case, lower-case, number and special character required; requirements relaxed after 15 characters. Rules listed on the password portal. Dictionary checking. Garth asks whether this will or won’t override the “password never expires” setting in the domain. Should check.

Ramsey previews announcements, working with Communications. Will emphasize that people should enroll so they can reset in the future. (Without enrollment one can still do a standard password change, but not reset a forgotten/lost password.) Security questions include simply numbered ones, to which any text can be entered. Issue of needing a non-UCAR email address to receive reset codes; some scientists and others will not have a non-UCAR address. Discussion of messaging: will get pushback from some if framed as a requirement. General agreement. Discussion of password generators; ACOM has a page that does that.
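As an added illustration of the rules minuted above (this is not code from the meeting, the portal, or UCAR), here is a Python check that enforces them: minimum 9 characters, all four character classes, the class requirement waived at 15 or more characters (our reading of “requirements relaxed after 15 characters”), and a dictionary check. The word list is a constructed stand-in; the substring rule for dictionary matching and the function names are our own choices.

```python
import re

# Constructed sample word list; a real deployment loads a full dictionary.
DICTIONARY = {"password", "welcome", "boulder", "autumn", "ncar"}

MIN_LENGTH = 9
RELAXED_LENGTH = 15  # assumption: character-class rules are waived at this length

# Character classes named in the policy: upper, lower, number, special.
CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def dictionary_hit(password, dictionary=DICTIONARY):
    """Return the first dictionary word (4+ letters) found inside the
    lower-cased password, or None. Sorting keeps the result deterministic."""
    lowered = password.lower()
    return next((w for w in sorted(dictionary) if len(w) >= 4 and w in lowered), None)


def check_password(password, dictionary=DICTIONARY):
    """Return a list of failure reasons; an empty list means the password
    satisfies the policy as minuted. Applied only when a password is set,
    which matches 'won't affect existing passwords'."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    # Below the relaxation threshold every class must be present.
    if len(password) < RELAXED_LENGTH:
        missing = [name for name, rx in CLASSES.items() if not rx.search(password)]
        if missing:
            reasons.append("missing character class(es): " + ", ".join(missing))
    word = dictionary_hit(password, dictionary)
    if word:
        reasons.append(f"contains dictionary word {word!r}")
    return reasons


if __name__ == "__main__":
    for candidate in ["short1!", "Welcome2016!", "Tr0ub4d&r!", "correct horse battery staple"]:
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

A plain substring check catches “Welcome2016!” but not leetspeak variants such as “Passw0rd!!”; a production dictionary check normally also normalises common substitutions before comparing, which is why the rules page and the portal’s generator matter more than any single filter.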
Demo of documentation for portal, including FAQ. Can be used to unlock account (which is rare). Discussion of how to handle offsite users. Make them active, move out of Disabled OU.
Rich with password presentation. (E-mailed to ADTF.)
Discussion of password length vs 2FA. Would like to enable people to use tokens when length requirements get longer. Everyone agrees on that. Q: What is the safety record of UCAS passwords? A: We think it’s pretty good – most recent losses of account control have been due to phishing. But there are some we’re not sure about.
Brief IAM update. Are there hard dates for cutover? No. Google Apps and Time Card likely to go first; testing has been successful. Will be 2-3 months, shouldn’t be 6-12 months. Will testing include mobile devices? It will have to.
Google AuthN vs AD/Kerberos. Maintain awareness of audiences for authentication.
Web authN against AD. Many possibilities; should we all “pull in the same direction”? mod_auth_krb? Other options? Discussion. Think about it.
Status of workstation join? Reach out if you need help!
Wrapped at 11:32.