How not to implement password authentication

We use software for employee self-service (ESS), e.g., for requesting reimbursement of travel expenses at the college. It is web-based, allows users to retrieve and modify personal information, and offers an interface to create and handle workflow items. Access to the system is protected, i.e., users have to authenticate themselves to the server. Authentication is done by providing a user name and a password.

The user name is fixed, i.e., it cannot be changed by the user. It is different from the user name used for authentication in the college network, and it contains a part that probably is a code for the institution but is not used anywhere else (not by me, at least). Instead of „first name“ + „first letter of last name“ (network user name), I have to use „four digits“ + „first two letters of first name“ + „first two letters of last name“. Not very intuitive, to say the least. I made a note in Outlook to remember this user name.

The password can be changed, as long as the new password adheres to the password rules of the ESS system – which differ from those used for access to network resources at the college. The rules are even different from those of all other services I use that require password authentication. That means I am not able to reuse any (hard to guess) password that I use for another service. I need to find and remember a password that complies with the following rules:

  1. The password is exactly 8 characters long. Exactly 8: more characters are not allowed.
  2. The password contains at least one letter („a“..„z“, „A“..„Z“ – not sure if Norwegian characters æ/ø/å are allowed; I try to keep my passwords such that they can be entered on all common keyboards).
  3. The password contains at least one digit.
  4. The password contains at least one special character („.“, „,“, „-“, „_“ and the like).
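The four rules above, as an added example that is not part of the original post and not the ESS vendor's code: a small checker that reports every rule a candidate password violates, plus an inclusion-exclusion count of how many strings can satisfy the policy at all. The allowed special-character set is an assumption (the post only says „.“, „,“, „-“, „_“ „and the like“); here it is taken to be ASCII punctuation. The second function makes the security-relevant consequence of rule 1 visible: a hard cap at 8 characters bounds the strength of every compliant password below that of a plain 16-letter lowercase passphrase.

```python
import math
import string

# Policy transcribed from the post. The special-character set is an assumption
# (ASCII punctuation); the post lists only a few examples.
REQUIRED_LENGTH = 8
LETTERS = set(string.ascii_letters)       # rule 2: a-z, A-Z
DIGITS = set(string.digits)               # rule 3
SPECIALS = set(string.punctuation)        # rule 4 (assumed set)
ALLOWED = LETTERS | DIGITS | SPECIALS


def check_policy(password: str) -> list[str]:
    """Return a list of violated rules; an empty list means the password complies."""
    violations = []
    if len(password) != REQUIRED_LENGTH:          # rule 1: exactly 8, no more
        violations.append(f"length must be exactly {REQUIRED_LENGTH}, got {len(password)}")
    chars = set(password)
    if not chars & LETTERS:
        violations.append("needs at least one letter a-z/A-Z")
    if not chars & DIGITS:
        violations.append("needs at least one digit")
    if not chars & SPECIALS:
        violations.append("needs at least one special character")
    if chars - ALLOWED:
        violations.append("contains characters outside the assumed allowed set")
    return violations


def compliant_password_count() -> int:
    """Number of length-8 strings over ALLOWED that contain at least one letter,
    one digit and one special character (inclusion-exclusion over the three
    'missing a class' events)."""
    n = REQUIRED_LENGTH
    l, d, s = len(LETTERS), len(DIGITS), len(SPECIALS)
    total = (l + d + s) ** n
    no_letter = (d + s) ** n
    no_digit = (l + s) ** n
    no_special = (l + d) ** n
    no_letter_no_digit = s ** n
    no_letter_no_special = d ** n
    no_digit_no_special = l ** n
    # Strings missing all three classes cannot exist (alphabet would be empty).
    return (total - no_letter - no_digit - no_special
            + no_letter_no_digit + no_letter_no_special + no_digit_no_special)


def compliant_keyspace_bits() -> float:
    """log2 of the compliant keyspace: an upper bound on the entropy of any
    password this policy will accept."""
    return math.log2(compliant_password_count())


def uniform_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of the given length and alphabet."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for candidate in ["Ab1.xyz9", "correcthorse-battery", "Abcdefgh"]:
        print(candidate, "->", check_policy(candidate) or "compliant")
    print(f"max entropy under the policy: {compliant_keyspace_bits():.1f} bits")
    print(f"16 lowercase letters, no rules: {uniform_bits(16, 26):.1f} bits")
```

The exact-length rule is the one that matters: the checker rejects the 20-character passphrase for being too long, and the keyspace function shows that the best a compliant password can do is roughly 52 bits, while a longer password with no composition rules at all exceeds that comfortably.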

Of all the passwords I had used in my previous life, none fulfilled all requirements: they either contained too little variation or they were longer than 8 characters. I had to come up with a unique password (and save it as a note in Outlook).

What bothers me is the password recovery feature. Instead of remembering the password, you can enter your user name, click on „I forgot my password“, and get a new temporary password sent to your email account. In my case, the email account does not require additional authentication once I am logged on at my machine at the office. Why do the system designers/operators make me go through the process of finding a unique password when I can skip remembering it by using a fallback mechanism?

Where is the positive side? What can be done better in the future?

Shared authentication would be a good first step. ESS will finally be supporting FEIDE (felles id – shared ID), i.e., the user name and password for network access could also be used for logging onto ESS. However, our IT department declined to do so. They pointed out that shared authentication would impose some requirements on the password rules applied to the almost 3,000 existing accounts here at the college. In addition to our passwords being exactly 8 characters long and in addition to the above-mentioned variation in character types, passwords would need to be changed after at most 120 days, i.e., at least three times per year. I would not be able to reuse the five preceding old passwords. My account would need to be locked after six failed attempts to log on and would be unlocked only by an administrator. Our administrators close shop at 15:30 hrs. So, while I am not happy with the prospect of not having shared authentication between our network and ESS, I do understand why the college is not going to support it.

Even better would be real single sign-on. I authenticate every morning, and our IT department is able to bind my user name to the IP address they assign to my machine. Hence, it should be possible to grant access to systems based on the IP address I use. Publishers already do this when they open their digital libraries for use by anyone with an IP address in our college network (although for a hefty subscription fee).

We educate computer scientists, information security specialists and system administrators, and we like to see ourselves as a college with high technological competence. Why in the world do we need to live with bad IT systems?

About Author: Hanno Langweg
