Approved for release by ODNI on 03-18-2016, FOIA Case #DF-2015-00100
DRAFT / DELIBERATIVE / PRE-DECISIONAL / CONFIDENTIAL

INFORMATION INTEGRATION MANAGEMENT

ICS Password Management Policy Background Briefing
Office of the Director of National Intelligence

ICS Password Management History / Background

• ICS Password Management establishes criteria for managing all passwords used on any IC IT resource
• No community consensus
• Recommendation for CIO Council to resolve
• Outstanding Issues
  - Minimum password length: 8 or 12 characters
  - Maximum password age: 180 or 60 days

Comments Received

(b)(1), (b)(5)

Agency / Forum | Comments

Issue 1: Minimum Password Length

• Alternative A: 8 characters
  - Pros: Easier to remember
  - Cons: Easier to guess (brute-force attack); Not consistent with FDCC
• Alternative B: 12 characters
  - Pros: Harder to guess (brute-force attack); Consistent with FDCC
  - Cons: Difficult to remember

Issue 1: Minimum Password Length

Minimum Password Length
  Current Draft | FDCC
  8 characters  | 12 characters

PL: Password Length
CS: Character Set

Password Cracking based on 3
  PL 8, CS 94: 0.001 days (roughly a minute and half)
  PL 12, CS 94: 18 671 days

# of Password Combinations (CS ^ PL)
  PL 8, CS 94: 6,095,689,385,410,816
  PL 12, CS 94: 475,920,314,814,253,376,475,136

Source: SANS Institute, http://blogs.sans.org/windows-security/2009/06/12/how-to-crack-a-password-spreadsheet

Issue 2: Maximum Password Age

• Alternative A: 180 days
  - Pros: Easier for users
  - Cons: Not consistent with FDCC
• Alternative B: 60 days
  - Pros: Consistent with FDCC
  - Cons: Annoying to users; Higher support costs (i.e., Help Desk)

(b)(1), (b)(5)

Maximum Password Age
  Current Draft | FDCC
  180 days      | 60 days

Comparison Summary

(b)(1), (b)(5)

                      | Draft ICS 500-16         | FDCC
Password Length       | 12                       | 12
Password Age          | 180 days                 | 60 days
Password Requirements | 3 of 4 character classes | 3 of 4 character classes
Password reuse        |                          |

ICS Password Management

• Recommendation