[http-auth] password security and entropy - BCP needed
Jonathan Stoke <jstoke@wgu.edu> Sun, 10 November 2013 17:14 UTC
Return-Path: <jstoke@wgu.edu>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B55C11E8147 for <http-auth@ietfa.amsl.com>; Sun, 10 Nov 2013 09:14:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.117
X-Spam-Level:
X-Spam-Status: No, score=-1.117 tagged_above=-999 required=5 tests=[BAYES_20=-0.74, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 125Cux6T-WgJ for <http-auth@ietfa.amsl.com>; Sun, 10 Nov 2013 09:14:33 -0800 (PST)
Received: from mail-la0-f50.google.com (mail-la0-f50.google.com [209.85.215.50]) by ietfa.amsl.com (Postfix) with ESMTP id 67CDF11E80F8 for <http-auth@ietf.org>; Sun, 10 Nov 2013 09:14:32 -0800 (PST)
Received: by mail-la0-f50.google.com with SMTP id eo20so3239685lab.23 for <http-auth@ietf.org>; Sun, 10 Nov 2013 09:14:31 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:reply-to:date:message-id:subject :from:to:content-type; bh=M9VTt5RgFZOe323AKfyZW9JYx+H4EcGzSdLxqJi0twk=; b=OwEAACluJG4VPyRjsrx67bnlVjkgtlWgUUrqMzS9l2wNbvACVZfl3mtmPNnSRCEVck /VB+99qJUdwHCaCHd86Cemq7uMkNNLp31sFiSijK0WVAlw/ORMkPQqZr317ta36d5NQ0 rgYgmxFuCLx8VfKrdWgSa9jkRZes1gtFJ6htRW1+o/xvJ6j814gtmpB8PmaiiHH2Q/3Q QPmkKkpj1Pw/rkDqyACvXcwC1FIsRghfBUXe2mSyFKcooLWDS0lERB755Mta3viARFIw RM4C9Ke4dGT3Smloae3ST0lH2DS14UaJqHeDwpK+8QMHWrfy/Kva7UipQCIUmzJsy9mp 9RBw==
X-Gm-Message-State: ALoCoQlpm8w43GEubX2K7/UPmUYz/w/Ch132t5haRimoejcX6nB3TNR6+iF7pj8DkmiNF9PrgRZC
MIME-Version: 1.0
X-Received: by 10.112.89.232 with SMTP id br8mr18797285lbb.20.1384103671237; Sun, 10 Nov 2013 09:14:31 -0800 (PST)
Received: by 10.114.182.166 with HTTP; Sun, 10 Nov 2013 09:14:31 -0800 (PST)
Date: Sun, 10 Nov 2013 10:14:31 -0700
Message-ID: <CAGG-TiaVHgL8Kp_8RLB6BZ3Yq-scgQugU0UUfrrXYb_On56Sdg@mail.gmail.com>
From: Jonathan Stoke <jstoke@wgu.edu>
To: http-auth@ietf.org
Content-Type: multipart/alternative; boundary="001a11c36f44a81bfd04ead5bff4"
Subject: [http-auth] password security and entropy - BCP needed
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: jstoke@my.wgu.edu
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Nov 2013 17:17:22 -0000
Internet-Draft J. STOKE Request for Comments: nnnn March 2013 Intended Status: Proposed Standard BCP for Password-based Authentication File Name: draft-ietf-httpauth-stoke-password-policy-00.txt Expiration Date: January 9, 2014 Abstract There is no BCP for password-based authentication on the Internet. This form of authentication is common and prevalent. A BCP statement is long overdue, and it will require a paradigm shift on the part of the IETF to accomplish the goal. The first necessary step will be to arrive at a consensus that the goal must be accomplished and that the proper venue is the IETF. Status of this Memo This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Distribution of this memo is unlimited. This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." Copyright Notice Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. STOKE Internet-Draft [page 1] RFC nnnn BCP for Password-based Authentication March 2013 1. Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119. "Username" means an ASCII string unique to one individual entity per realm. "Password" means an ASCII string associated to a username intended as a secret authentication factor known only to the authority performing credential-based authentication and the authorized user for whom it serves as a credential for authentication. 2. Introduction Historically Internet standards have generally been concerned with the technical specifications for hardware and software required for computer communication across interconnected networks. However, since the Internet itself is composed of networks operated by a great variety of organizations, with diverse goals and rules, good user service requires that the operators and administrators of the Internet follow some common guidelines for policies and operations. The lack of standards, policy, or guidelines regarding password-based authentication has resulted in widely varying and often incompatible or conflicting rule sets to which Internet users are expected to adapt. The limitations of human memory are well recognized as a result of many published studies. The rapid increase in the number of sites requiring passwords coupled with the admonitions to change passwords frequently and to use a unique password for every website now exceeds the design limitations of the average human user of the Internet. A BCP can help resolve this by providing certainty for Internet users, software designers, and site administrators. 3. Proposed Framework In order for an authentication portal to claim compliance with this RFC the following minimum requirements MUST be attained. Nothing in this RFC is intended to preclude any other schemes or policies. The permitted character set MUST include the numbers 0-9 (ASCII 48-57 decimal), capital A-Z (ASCII 65-90 decimal), lower case a-z (ASCII 97-122 decimal), and the symbols on a standard keyboard appearing above the numbers 0-9, !@#$%^&*(), (ASCII 33, 64, 35, 36, 37, 94, 38, 42, 40, 41 decimal). The prohibited character set MUST include the period (ASCII 46 decimal) and the comma (ASCII 44 decimal). STOKE Internet-Draft [page 2] RFC nnnn BCP for Password-based Authentication March 2013 The user MUST be permitted to select their username-password credential pair. By this it is meant that the username MUST be selected by the user and not assigned by the site administrator, or if a default for either the username and/or the password is assigned, then the user MUST have the option to modify either or both. The user MUST have the option to register a notification address, such as an email address or text-capable device, with the authentication portal administrator. The user MUST be permitted to update either the username, or the password, or both, at any time and all changes MUST be reported to the registered notification address. The user MUST NOT be required to update either the username, or the password, or both; except in the case when an initial, default username and/or password is assigned. The user MUST be afforded a mechanism by which to report a compromised account and such reports MUST be addressed in less than one business day. The user MUST have the option of a secure logon using https links secured by sites offering credentials signed by a recognized Certification Authority (CA) using the latest secure methods for accessing a web site (which at present is the latest version of TLS [RFC5246]). The user's credentials stored in a database MUST be adequately secured with encryption equivalent to or stronger than 128-bit AES encryption and strong access controls. The user's credentials MUST be protected against brute force attack by implementation of a failed login policy and that policy MUST NOT divulge information useful to an attacker (e.g. the message MUST NOT state "username does not exist"). The user MUST be informed of the credential requirements, including minimum length, maximum length, and permitted character set. The user MUST be informed if access to the single account is granted to more than one credential pair, and MUST be informed whenever more than one credential pair is valid for access to the account. The user MUST be informed of any available forgotten password reset mechanisms, and MUST NOT be required to enable or configure a reset mechanism. STOKE Internet-Draft [page 3] RFC nnnn BCP for Password-based Authentication March 2013 4. Discussion The purpose of this RFC is to focus discussion on the issue of a lack of defining standards for password-based authentication on the Internet. No proposed solutions in this document are intended as standards for the Internet. Rather, it is hoped that a general consensus will emerge as to the appropriate policy, leading eventually to the adoption of a BCP. For instance, the discussion of what symbols from the ASCII character set will be part of the standard permitted symbols for use would consider security in determining if a period or a comma would be permitted. These characters are often used in scripting, and script injection attacks would be diminished if these characters were not permitted. On the other hand, if these characters were permitted, and Internet users were aware of this fact as part of a BCP, then the user would have a larger character set from which to create passwords thus significantly increasing security. Discussion will eventually need to take place for internationalization of a BCP document. To become a BCP, a consensus would need to emerge concerning such details as a minimum password length, a minimum encryption standard for protection of the credential database, and the failed logon lockout policy, to name just a few key decisions. Complex decisions, such as inclusion or exclusion of unprintable control characters (ASCII 0 through 31 and 127 decimal) and the nonprinting space character (ASCII 32 decimal) will require consideration and discussion. Definitions will need to be standardized, beginning with definitions for "username" and "password". This proposed framework resembles a statement of user rights and responsibilities. It digresses from the paradigm that users must be protected from themselves, and instead moves toward the paradigm that users shall be given adequate information to make and implement informed decisions. The crucial hurdle that must be overcome, however, is that of requiring a paradigm shift on the part of the IETF. The IETF has thus far avoided this difficult issue for reasons apparently based in tradition and history rather than logic and need. 5. Interest This RFC is being distributed to members of the Internet community in order to solicit their reactions to the proposals contained in it. While the issues discussed may not be directly relevant to the research problems of the Internet, they may be interesting to a number of researchers and implementers. STOKE Internet-Draft [page 4] RFC nnnn BCP for Password-based Authentication March 2013 6. Security Considerations The entire purpose and focus of this BCP is to foster and enhance a secure environment for internet users dependent upon credential-based authentication. 7. IANA Considerations IANA considerations are truly believed to be irrelevant to this document. 8. References 8.1. Normative References [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, November 2003. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, August 2008. 8.2. Informative References [ISO10646] International Organization for Standardization, "Information Technology -- Universal Multiple- Octet Coded Character Set (UCS)", ISO/ IEC 10646:2003, December 2003. [US-ASCII] American National Standards Institute, "Coded Character Set -- 7-bit American Standard Code for Information Interchange", ANSI X3.4-1968, 1968. [Unicode] The Unicode Consortium, "The Unicode Standard, Version 5.0", 2006. (Addison-Wesley, 2006. ISBN 0-321-48091-0). [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000. [RFC1704] Haller, N. & R. Atkinson, "On Internet Authentication", RFC 1704, October 1994. [FIPS197] National Bureau of Standards, "Advanced Encryption Standard", Federal Information Processing Printing Office, Washington, DC, November 2001. STOKE Internet-Draft [page 5] RFC nnnn BCP for Password-based Authentication March 2013 Author's Address jonathan stoke 4608 E. Baytree Court Boise, ID 83716 Phone: 208-344-4805 Email: jstoke@my.wgu.edu File Name: draft-ietf-httpauth-stoke-password-policy-00.txt Expiration Date: January 9, 2014 STOKE Internet-Draft [page 6]
- [http-auth] password security and entropy - BCP n… Jonathan Stoke
- Re: [http-auth] password security and entropy - B… Ilari Liusvaara