Account Management System

Jim Crowley
February 07, 2013

Details about the architecture and function of the Account Management System


Transcript

  1. Shouldn't that be 'Password Management System'?
     • Originally designed for alumni opt-in (gmail)
     • Manages account access
     • Could add more features in the future
  2. AMS in Two Pieces - Front End
     • Standalone web application
     • Authenticates to AD
       ◦ Or Google for gmail-only accounts
     • Provides functionality to user
       ◦ Password change/sync
       ◦ Password reset options
       ◦ Password reset
  3. Front End - Note About Accounts
     • No such thing as an AMS 'account'
       ◦ Database entry used to record info
         ▪ reset options
         ▪ expiration
       ◦ If not present when user first logs in, one will be created at that time
  4. AMS in Two Pieces - Back End
     • Various actions, initiated through several different interfaces (AMS, it-tools, cron)
       ◦ Performs password sync
       ◦ Issues and verifies reset codes
       ◦ Sends password expiration notices
       ◦ Enforces password expiration
  5. AMS in Two Pieces - Back End
     [Diagram: AMS Back End at the center, connected to Netware, GWDM3, AD, SunAdmin, Google, the AMS DB, it-tools, cron, the AMS Front End, mailhub and twilio]
  6. Password Sync
     • Active Directory is considered the authority
       ◦ If the password can't be synced to AD, we will not sync to other servers
     • Every time the user provides their password
       ◦ Validate against other servers
       ◦ Attempt to resync upon failure
  7. Password Policy
     • Minimum eight characters
     • 10,000 password blacklist (most are too short anyway)
     • Entropy rating to encourage reasonably strong passwords
  8. What Do We Send?
     • Plaintext to AD, GWDM3, Netware (ssl)
     • Sha1 hash to Google
     • Blowfish hash to Sun Admin
  9. What Do We Store?
     • Blowfish hash, random salt, 1024 rounds
       ◦ This is how we prevent passwords from being re-used
       ◦ This also allows us to re-sync to Sun Admin without user intervention
  10. No Re-Sync for Normal Accounts.
     • Would require storing plaintext and/or weakly hashed passwords
     • Can only resync when user provides plaintext
  11. Password Reset
     • Send code to alternate email or SMS
       ◦ Random shuffle of lowercase letters - (a,e,i,o,u,y,l), first 5 characters
       ◦ Code valid for 12 minutes, with a 2 minute penalty for each failed attempt
       ◦ Also limit codes sent to 4 per hour
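The reset-code scheme on this slide, written out as an added example (not code from the AMS project): a 19-letter alphabet (lowercase minus a, e, i, o, u, y, l), a shuffle with the first 5 letters taken, a 12-minute lifetime, 4 codes per hour, and a 2-minute penalty per failed guess, which is assumed here to shorten the remaining validity window. The `ResetCode`, `ResetIssuer` and `code_space_size` names are this example's own.

```python
import math
import secrets
from datetime import datetime, timedelta

# Lowercase letters minus a, e, i, o, u, y, l leaves 19 candidates.
EXCLUDED = set("aeiouyl")
ALPHABET = [c for c in "abcdefghijklmnopqrstuvwxyz" if c not in EXCLUDED]
CODE_LENGTH = 5
CODE_LIFETIME = timedelta(minutes=12)
FAILURE_PENALTY = timedelta(minutes=2)   # assumed: each failure cuts the window
MAX_CODES_PER_HOUR = 4


def generate_code(rng=secrets.SystemRandom()):
    """Shuffle the alphabet with a CSPRNG and keep the first 5 letters."""
    letters = ALPHABET[:]
    rng.shuffle(letters)
    return "".join(letters[:CODE_LENGTH])


def code_space_size():
    """Number of distinct codes: ordered 5-letter draws from 19 without repeats."""
    return math.perm(len(ALPHABET), CODE_LENGTH)


class ResetCode:
    def __init__(self, code, issued_at):
        self.code, self.issued_at, self.failed_attempts = code, issued_at, 0

    def expires_at(self):
        return self.issued_at + CODE_LIFETIME - self.failed_attempts * FAILURE_PENALTY

    def verify(self, candidate, now):
        if now >= self.expires_at():
            return False                         # expired (or burned by penalties)
        if secrets.compare_digest(candidate, self.code):
            return True
        self.failed_attempts += 1                # wrong guess: shorten the window
        return False


class ResetIssuer:
    """Per-user issuer enforcing the 4-codes-per-hour limit."""
    def __init__(self):
        self.sent = []                           # issue timestamps in the last hour

    def issue(self, now):
        self.sent = [t for t in self.sent if now - t < timedelta(hours=1)]
        if len(self.sent) >= MAX_CODES_PER_HOUR:
            return None                          # rate limit hit: no code sent
        self.sent.append(now)
        return ResetCode(generate_code(), now)
```

Because letters are drawn without repetition, `code_space_size()` gives 1,395,360 possible codes, which the 12-minute window and per-guess penalty are what make sufficient.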
  12. Password Reset
     • Also support challenge questions
       ◦ Somewhat hidden (intentionally) to dissuade users from using this option
       ◦ It's working (only 10 have set up questions)
  13. Password Expiration
     • Enforced for active students, staff, faculty
     • Expiration every
       ◦ 185 days for user-initiated changes
       ◦ 35 days for newly created users
       ◦ 13 days for password resets
     • Email warnings at 14, 7, and 2 days
     • Expirations are enforced by pushing a randomized password to all servers
  14. Stats
     • Users in new system: 3240 (57%)
     • Set up password recovery option: 1517 (27%)
     • Set up password recovery questions: 10