Secrets of the edu-ID passwords

For a few months now, edu-ID users have been able to secure their account with multi-factor authentication (Two-Step Login). However, 99.5% of all edu-ID accounts currently still rely exclusively on username and password authentication. This is unlikely to change soon, even though the death of the password has been announced time and time again. The password remains the easiest, best known and – in many cases – cheapest authentication solution. Therefore, the edu-ID team invests a lot of effort into helping users choose a strong password and store it securely.

Never use the same password twice

Storing user information and credentials of thousands of users comes with the risk of losing this data if unauthorized persons get access to it. If password credentials are stolen, the situation is even more disastrous. Users often choose the same password for their Zalando account as for their Amazon, PayPal and online banking accounts, because it’s easy and they only have to remember a single password. If an attacker can somehow retrieve the clear-text password of one service, he may be able to log in to the other services as well and cause this user serious financial and other damage.

Protecting the password

To minimize the likelihood of this horror scenario for edu-ID, we take security very seriously. For example, we had a specialized security company perform a penetration test on edu-ID, which helped us to further improve its overall security. When it comes to protecting passwords in the above-mentioned worst-case scenario, our goal is to make the attacker’s job very hard. Of course we don’t store passwords in clear text but only as hash values. Currently, we store passwords as salted SHA-512 hash values with 5000 iterations. Because the hashes are salted, no password rainbow table can be used to retrieve the clear-text passwords. Thanks to the 5000 iterations, brute-force guessing is slowed down and becomes time- and energy-consuming.
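To make the two properties above concrete, here is an added example (not edu-ID’s own code; the exact construction edu-ID uses is not described in this post) of storing a password as a salted SHA-512 hash with 5000 iterations. It assumes PBKDF2-HMAC-SHA512 as the iterated construction, a 16-byte random salt per password, and a self-describing storage format so that the iteration count can be raised later without breaking old records.

```python
# Added example: salted, iterated SHA-512 password storage and verification.
# Assumption: PBKDF2-HMAC-SHA512 stands in for "salted SHA-512 with N iterations";
# the post does not say which construction edu-ID uses.
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 5000   # work factor named in the post; the tunable that slows brute force
SALT_BYTES = 16     # 128-bit random salt, fresh for every password


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'sha512$<iterations>$<salt hex>$<hash hex>'.
    Storing salt and iteration count with the hash lets the verifier recompute it
    and lets the work factor be raised for new records as hardware gets faster."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return f"sha512${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iterations; constant-time compare."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "sha512":
            return False
        candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:          # malformed record: wrong field count or bad hex
        return False


def salts_defeat_rainbow_tables(password: str) -> bool:
    """The same password hashed twice with fresh salts yields two different records,
    so a table precomputed from unsalted hashes matches nothing in the store."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("wrong password", record))                 # False
```

The iteration count is the knob that makes guessing expensive; because it is recorded in each stored value, it can be increased for newly set passwords while existing records remain verifiable until their owners next change their password.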

Choosing passwords wisely

Using a strong hashing algorithm for passwords does not help much if the password itself is weak (e.g. “12345678”). Therefore, we also ensure that users choose a sufficiently strong password. What does this mean?
To start with, we ensure that all passwords are at least 10 characters long. Depending on the length and the types of characters (lowercase, uppercase, numbers, symbols), we use a heuristic rating algorithm to indicate the password strength while the user enters a new password. Almost all characters can be used in a password – even emoticons like 😀 😏 🤓 work. For those not yet using a password manager or not creative enough to think of a good password on their own, a set of randomly generated strong password suggestions is shown.
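As an added illustration of such a heuristic (this is not edu-ID’s rating algorithm), the following Python rates a password from its length and the character classes it mixes. The minimum length of 10 is taken from the post; the weights, the 0–4 scale and the acceptance threshold are assumptions. Length is counted in code points, so an emoticon counts as one character, not as several bytes.

```python
# Added example, not edu-ID's own code: heuristic strength rating from length and
# character classes. MIN_LENGTH comes from the post; weights and thresholds are assumed.
MIN_LENGTH = 10
LABELS = {0: "very weak", 1: "weak", 2: "fair", 3: "good", 4: "strong"}


def char_classes(password: str) -> set:
    """Which of the four character classes the password draws from."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lowercase")
        elif ch.isupper():
            classes.add("uppercase")
        elif ch.isdigit():
            classes.add("number")
        else:
            classes.add("symbol")   # punctuation, spaces and emoticons all land here
    return classes


def rate_password(password: str) -> dict:
    """Return length, classes, a 0-4 score, a label and whether the policy accepts it."""
    length = len(password)   # code points: "😀" is one character, not four UTF-8 bytes
    classes = char_classes(password)
    if length < MIN_LENGTH:
        return {"length": length, "classes": classes, "score": 0,
                "label": LABELS[0], "accepted": False,
                "reason": f"at least {MIN_LENGTH} characters required"}
    score = len(classes) - 1                 # 0..3 for mixing the four classes
    score += 1 if length >= 14 else 0        # long passwords earn extra credit
    score += 1 if length >= 20 else 0
    if len(set(password)) <= 3:              # "aaaaabbbbb" is long but has almost no entropy
        score = min(score, 1)
    score = max(0, min(score, 4))
    accepted = score >= 2                    # assumed threshold for "sufficiently strong"
    return {"length": length, "classes": classes, "score": score,
            "label": LABELS[score], "accepted": accepted,
            "reason": "" if accepted else "too weak"}


if __name__ == "__main__":
    for pw in ["abc", "aaaaabbbbb", "Tr0ub4dor&3", "correct horse battery staple", "Sommer2021!😀"]:
        r = rate_password(pw)
        print(f"{pw!r}: length={r['length']} score={r['score']} ({r['label']}) accepted={r['accepted']}")
```

A rating like this is only a hint to the user while typing; it cannot tell a leaked password from a fresh one, which is why the check in the next section is needed as well.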


Rejecting compromised passwords

Since 2018, all new passwords are also checked securely – without revealing them – against Troy Hunt’s Pwned Passwords database. This database is constantly updated and currently contains more than 550 million leaked passwords. Using a leaked password is a high risk because attackers are likely to use these leaked passwords as a starting point for brute-force attacks. Therefore, we prevent such passwords from being used. Despite the password strength indicator, the edu-ID web interface still rejects about 15% of all passwords because they are either too weak or already leaked.
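The phrase “without revealing them” refers to the k-anonymity range model of the Pwned Passwords API: the client sends only the first five hex characters of the SHA-1 hash of the password, receives every known hash suffix in that range, and finishes the comparison locally. The following added example (not edu-ID’s or the Pwned Passwords service’s own code) shows that client-side logic; the network call is replaced by a constructed offline stand-in so the block runs without a connection, and the leaked passwords and counts it contains are made up.

```python
# Added example, not edu-ID's or HIBP's code: k-anonymity range check against a
# leaked-password corpus. Only SHA-1(password)[:5] leaves the client. The range
# endpoint is replaced by a constructed offline stand-in with made-up entries.
import hashlib

PREFIX_LEN = 5   # the range API is keyed on the first 5 hex characters of the SHA-1 hash


def split_sha1(password: str):
    """Return (prefix, suffix) of the uppercase hex SHA-1 of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines, as the range API returns them, into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.strip().upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """How often the password appears in the corpus; 0 means not found.
    fetch_range(prefix) returns the response body; the full hash never leaves here."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def accept_new_password(password: str, fetch_range) -> bool:
    """Policy from the post: any password seen in the leaked corpus is rejected."""
    return breach_count(password, fetch_range) == 0


def build_fake_range_server(leaked: dict):
    """Constructed stand-in for the range endpoint, built from {password: count}.
    A real deployment queries the HIBP API or a local mirror of its hash list."""
    ranges = {}
    for pw, count in leaked.items():
        prefix, suffix = split_sha1(pw)
        ranges.setdefault(prefix, []).append(f"{suffix}:{count}")

    def fetch_range(prefix: str) -> str:
        assert len(prefix) == PREFIX_LEN          # the server only ever sees the prefix
        # decoy suffix so a range never consists of just the entry being asked about
        decoy = "0" * 34 + "F:1"
        return "\r\n".join(ranges.get(prefix, []) + [decoy])

    return fetch_range


if __name__ == "__main__":
    # constructed leaked set and counts; nothing here comes from the real corpus
    fetch = build_fake_range_server({"password": 1234, "Sommer2020!": 7})
    print(breach_count("password", fetch))             # 1234
    print(accept_new_password("Sommer2020!", fetch))   # False
    print(accept_new_password("correct horse battery staple, purple", fetch))   # True
```

Because a five-character prefix covers roughly one 16^5-th of the hash space, each query maps to hundreds of candidate suffixes, and the service cannot tell which one the client was interested in; the clear-text password is never transmitted.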

Complying with NIST recommendations

The above-mentioned features to protect user passwords and to ensure that they are chosen wisely are also covered by the US National Institute of Standards and Technology (NIST) in its “Digital Identity Guidelines” (June 2017). The recommendations in the section about memorized secrets were used to design the edu-ID processes and characteristics involving the edu-ID password. For technical or practical reasons we deviated from the suggestions in very few points. But overall, the edu-ID meets or even exceeds the NIST password recommendations, and we don’t plan to stop here.
The edu-ID password policy provides a briefer overview of the NIST recommendations as well as helpful recommendations for end users.

To secure passwords also for services beyond SWITCH edu-ID, we recommend you have a look at the Stop. Think. Connect. awareness campaign, which provides useful Internet security recommendations to end users and warns about current threats. However, if you want to increase your edu-ID account’s security considerably with little effort, we still strongly recommend enabling the Two-Step Login (multi-factor authentication).

Author: Lukas Hämmerle

I'm a member of the SWITCHaai team and the SWITCH edu-ID team.
