September 23, 2008, Volume 55, No. 5

Strengthening PennKey: Major New Information Security Initiative Underway

PennKey authentication, first introduced in 2002, has served the Penn community well over the years, but various factors have mandated a stronger approach to authentication for the future. A multi-pronged initiative, led by ISC in consultation with Schools and Centers, is now underway to improve password security and strengthen the authentication mechanisms that protect online applications, services, and information. The new security measures will be phased in during the next year and a half.

Passphrases to Replace PennKey Passwords

For the Penn community at large, the most immediate and far-reaching change will be a change from passwords to what are called passphrases. Passphrases will permit the use of dictionary words rather than requiring combinations of letters, numbers, and special characters, the only option available under the current PennKey password rules. Passphrases will also be longer—from a minimum of 15 characters to a maximum of 64 characters.

Happily, creating a passphrase will be much easier than creating a shorter, more complex password. For example, the passphrase ‘My son goes to school in Bryn Mawr Pennsylvania’ (with or without spaces between the words) is a lot easier to create than the analogous complex password, Msg2siBM,Pa. Passphrases are also easier to remember, especially for new or infrequent PennKey users. From a security standpoint, it’s been estimated that cracking a 15-character encrypted passphrase takes 23 years vs. 81 days for a 10-character encrypted complex password.
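The two rules described above, the current complex-password rule (letters, numbers and special characters required, no embedded dictionary word) and the coming passphrase rule (15 to 64 characters, dictionary words and spaces allowed), can be written down as checks. The following is an added illustration, not ISC's PennKey code; it assumes a minimum length of 8 for the old rule (the article gives none), uses a small constructed word list in place of a real multi-language dictionary, and adds a rough exhaustive-search work estimate in bits so the two example secrets from the text can be compared. That estimate counts only brute-force guessing; it does not model the dictionary-aware attacks the old rule was written to resist, which is exactly why length, not character mix, is what the passphrase rule relies on.

```python
import math
import re
import string

# Constructed mini-dictionary for this demo; a real deployment would load
# multi-language word lists (the old rule bars "dictionary words in any language").
DICTIONARY = {"my", "son", "goes", "to", "school", "in", "bryn", "mawr",
              "pennsylvania", "password", "penn"}

PASSPHRASE_MIN, PASSPHRASE_MAX = 15, 64   # limits stated in the article
PASSWORD_MIN = 8                          # assumption: the article gives no old minimum


def contains_dictionary_word(secret: str, min_len: int = 4) -> bool:
    """True if a dictionary word of min_len or more letters appears anywhere
    inside the secret (case-insensitive substring match, as "embedded" implies)."""
    lowered = secret.lower()
    return any(w in lowered for w in DICTIONARY if len(w) >= min_len)


def check_old_password(pw: str) -> list:
    """Current PennKey password rule: letters, digits and special characters
    all required, and no dictionary word embedded. Returns a list of problems."""
    problems = []
    if len(pw) < PASSWORD_MIN:
        problems.append(f"shorter than {PASSWORD_MIN} characters")
    if not re.search(r"[A-Za-z]", pw):
        problems.append("no letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    if contains_dictionary_word(pw):
        problems.append("embeds a dictionary word")
    return problems


def check_new_passphrase(phrase: str) -> list:
    """New passphrase rule: 15 to 64 characters; words and spaces are fine.
    Only control characters are rejected. Returns a list of problems."""
    problems = []
    n = len(phrase)
    if n < PASSPHRASE_MIN:
        problems.append(f"shorter than {PASSPHRASE_MIN} characters")
    if n > PASSPHRASE_MAX:
        problems.append(f"longer than {PASSPHRASE_MAX} characters")
    if any(c not in string.printable or c in "\t\n\r\x0b\x0c" for c in phrase):
        problems.append("contains control characters")
    return problems


def brute_force_bits(secret: str) -> float:
    """Work for an exhaustive search, log2(charset_size ** length), where the
    charset is the union of the printable-ASCII classes the secret actually uses.
    This ignores dictionary and pattern attacks, so treat it as an upper bound."""
    classes = [
        (string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
        (string.digits, 10), (string.punctuation, 32), (" ", 1),
    ]
    size = sum(n for chars, n in classes if any(c in chars for c in secret))
    return len(secret) * math.log2(size)


if __name__ == "__main__":
    # The two secrets quoted in the article, compared under each rule.
    for secret in ("Msg2siBM,Pa", "My son goes to school in Bryn Mawr Pennsylvania"):
        print(f"{secret!r}: old-rule problems={check_old_password(secret)}, "
              f"new-rule problems={check_new_passphrase(secret)}, "
              f"brute-force work={brute_force_bits(secret):.0f} bits")
```

Under the old rule the passphrase fails immediately (it embeds several dictionary words and has no digit or special character), while the complex password passes; under the new rule the passphrase passes on length alone, and its exhaustive-search cost is several times that of the 11-character password even though it uses only letters and spaces.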

Password changing will be phased in beginning in the early spring. Information on who will be affected and how to change your password will be widely disseminated at that time. In the interim, the current password rules, which do not allow dictionary words in any language to be embedded in a PennKey password, apply.

(Occasional PennKey users are reminded that a PennKey comprises a PennKey username and a password. PennKey usernames are not changing, only the password requirements. Applications that use PennKey authentication include U@Penn and PennPortal, Online Directory (Penn View and directory profile updating), KnowledgeLink, BEN Reports, AdvisorInTouch, and many others.)

Other Planned Changes

Additional changes include the implementation of a new authentication infrastructure; the introduction of supplementary authorization for sensitive services; the implementation of a mechanism to assist in detecting attempts by unauthorized users to access PennKey-protected applications; and revisions to the process for distributing PennKey Setup Codes. More information about these changes is available on the Strengthening PennKey project page at www.upenn.edu/computing/pennkey/strengthen-pennkey/. Future articles will describe these changes in more detail as well.

Why the Changes?

Since PennKey was implemented, the number, variety, and sophistication of security threats and risks have increased. The likelihood of password theft has increased dramatically. Frequent and more powerful “brute-force” guessing attacks have made short and weak reusable passwords more vulnerable than ever. The majority of malware, and an estimated 10% of the world’s web sites, now harbor keystroke loggers that can steal passwords on compromised computers. These and other attacks have become more sophisticated and targeted for financial gain. The increased use of mobile devices and the wide availability of wireless access points that are both unsecured and anonymously managed have increased casual and intentional theft of credentials. To effectively address these threats and protect University assets, data, and reputation, a stronger authentication infrastructure that takes advantage of technical advances in protection and detection is required.

Penn must also position itself for the future. The viability of reusable passwords is coming to an end, so it’s essential for Penn to be able to strengthen and supplement reusable passwords. There is also a rapidly growing demand for managed access to Penn systems and data by large numbers of geographically remote and more loosely-affiliated constituencies, such as admitted students, worldwide alumni, etc. Their identity is harder and/or costlier to verify than that of faculty, staff and students living and working on campus. Finally, with the increase in institutional collaboration and state and federal E-Government initiatives, Penn’s authentication infrastructure must be able to support federated identity management with other institutions.

Next Steps

We all learn in the media of security breaches in both large and small organizations. Penn is working to strengthen our defenses to minimize the risk to each of us and to the University. Though change is sometimes uncomfortable, we know that you understand the complexities of securing sensitive and confidential information, and we appreciate your support as we move forward to the next generation of PennKey security.

Project updates and other information about these changes will be broadly disseminated via University publications and other communications vehicles. If you have immediate questions or concerns about the project, please send them to the project team at strengthen-pennkey@lists.upenn.edu or consult the project web page at www.upenn.edu/computing/pennkey/strengthen-pennkey/.

—Robin Beck, Vice President, Information Systems & Computing

Almanac - September 23, 2008, Volume 55, No. 5