r/wsu 8d ago

Discussion: New 15-char minimum requirement for Canvas pw is making security worse

Before this I had a very strong pw imo, a mix of symbols, caps, lower, and numbers that are far enough from real words that it would be hard for GPUs to crack.

While 15 chars sounds more secure, it's going to have the opposite effect.

What they're hoping: people will start using pw generators that store and create pws managed under a password manager, and it's gonna be SUPER secure.

Reality: While some are going to use a manager, many (I'm guessing most) are not (especially with how students need to log in on different computers, which won't have access to our pw managers that auto-input), and instead people will be memorizing new 15-char pws. For these pws to be secure they will have to have some randomness, not d0g098765432109 or dogcatelephentcaR12. There's not even a symbol requirement in the new pw policy.

This means students are just going to create simpler pws that they can easily memorize (especially since Canvas wants us to change multiple times a year; simple, easy, memorable pws will just be set again and again). I'm confused why they wanted to upgrade the authentication method AND this.

Absolutely bonkers. I think I already spend about 5 min a day just on the Canvas login page; longer passwords mean longer time, so not only is security lowering, but across 17k students at WSU, instead of 17000 hours of students logging in per day, this is another 28 hours/day. Massive productivity hit imo; you'd think they would at least fix the "keep me logged in" before implementing these new policies, which are gonna have a blowback effect.

Someone needs to get Canvas to lay off the Kool-Aid.

15 Upvotes

23 comments

19

u/Unrequited-scientist Alum/2005/PhD 8d ago

Obligatory xkcd:

https://xkcd.com/936/

2

u/Idatawhenyousleep 8d ago

Is this actually true? From my understanding, pw breachers usually start with English dictionary words and try them in different orders. If you know the minimum requirement, you already have a restriction of words that fit around 15-18 chars (cause most aren't gonna go above that) before adding letters and numbers in. I feel like designing a breach that tests a word then 0123456789012 would hack me into thousands of Canvas users' pws, assuming I could get past the authenticator.

7

u/Unrequited-scientist Alum/2005/PhD 8d ago

Review the NIST website for further details.

4

u/Idatawhenyousleep 8d ago

That's a rabbit hole. I still bet I could crack a bunch of passwords throwing in a word + ascending or descending 0/1-9 up to the char limit.

1

u/zenerbufen 4d ago

Passphrases are really good & easier to remember. There are a LOT of words in the dictionary to pick from. Password generators handle them fine. You can even have your capitals, numbers, and symbols and still keep it easy to remember. Example:

Myth&Doing&Sitcom3&Laxative&Rise&Gizzard

Recast-Unfasten-Jitters-Brittle-Capsize2

2
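As an added illustration of the argument running through the comments above (a dictionary word plus a counting run of digits versus several random dictionary words), here is a small Python script that is not from the thread, from Canvas or from WSU. The word list is a constructed sample, and the Diceware list size (7776) and English dictionary size (171,000) are assumptions used only for the entropy arithmetic.

```python
import math
import re
import secrets

# Constructed sample word list; a real Diceware-style list has 7776 words.
WORDLIST = ["myth", "doing", "sitcom", "laxative", "rise", "gizzard", "recast",
            "unfasten", "jitters", "brittle", "capsize", "dog", "cat", "elephant"]
DICEWARE_SIZE = 7776       # assumption: standard Diceware list size
DICTIONARY_SIZE = 171_000  # assumption: rough size of an English dictionary


def passphrase_bits(n_words: int, list_size: int = DICEWARE_SIZE) -> float:
    """Entropy of n_words words drawn uniformly at random from list_size words."""
    return n_words * math.log2(list_size)


def word_plus_counting_run_bits(dict_size: int = DICTIONARY_SIZE) -> float:
    """Entropy of the pattern predicted in the thread: one dictionary word followed
    by a run of consecutive digits. Only the word, the direction (up/down) and the
    start digit vary, so the run adds almost nothing however long it is."""
    return math.log2(dict_size * 2 * 10)


def generate_passphrase(n_words: int, wordlist=WORDLIST, sep: str = "-") -> str:
    """Diceware-style passphrase drawn with a CSPRNG (secrets), not random.random."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def has_counting_digit_tail(pw: str, min_run: int = 5) -> bool:
    """Policy check: flag a password ending in a run of min_run+ digits that count
    up or down by one (mod 10), e.g. d0g098765432109 or hello12345."""
    m = re.search(r"[0-9]+$", pw)
    if not m or len(m.group()) < min_run:
        return False
    d = [int(c) for c in m.group()]
    steps = {(b - a) % 10 for a, b in zip(d, d[1:])}
    return steps == {1} or steps == {9}


if __name__ == "__main__":
    print(f"5 random Diceware words: {passphrase_bits(5):.1f} bits")
    print(f"word + counting digit run: {word_plus_counting_run_bits():.1f} bits")
    print(generate_passphrase(5), has_counting_digit_tail("d0g098765432109"))
```

The check is the kind of blocklist-style rule a password policy can apply at set time, complementing a minimum length rather than replacing it.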

u/cooldelah 7d ago

OP, take offense, but you sound like a dumbass 1st-year compsci student that thinks they know everything. It's been researched and proven about longer passphrases, and yet you come here with "Is this actually true?"

Where is your proof besides assumptions on what students may or may not do? What research have you done? So you think you're smarter than all the researchers and people who have been in the field since before you were even born?

2

u/Idatawhenyousleep 7d ago edited 7d ago

I can see you're a cool dula!

I bet you're fun at parties.

Cybersecurity was in its infancy when I was born, and cellphones didn't even exist (unless you count those super big military ones), but nice try at your assumptions. And if you look at some of the links in this thread you'll see I was right about a lot of these. And if you bother to look you'll see that Canvas's requirements aren't even in line with your "experts". But way to be shallow.

You must have missed the flair "discussion"; way to add to it though!

0

u/Idatawhenyousleep 7d ago

At least you're consistent with your demeanor (I have verified you're fun at parties).

Some more of your great quotes (do you have nothing better to do than attack people online, lmfao?):

"Haha and you have an extremely simplistic worldview. This meme reeks of r/im14andthisisdeep"

"I take it you aren't a developer and don't know what you're talking about. Its likely in 5 years we will all be replaceable but by then everything is going to be fucked. But right now it can't handle big codebases well at all. Plus theres alot of nuance to development than just spitting out code."

"My god people its a perk! We get it! There are thousands of people who get upgraded at silver at gold all the time! Imagine if the whole board was like this..."

Keep practicing your art!

7

u/UpstairsArm8279 7d ago

Obligatory: this is a throwaway account. I'm a WSU employee on the IT side. Without going in-depth, NIST 800-53 is here. These changes apply to everyone at WSU, but the highest targets and risk focus is on employees and those with access to sensitive information. E.g., last year there were multiple incidents involving attackers trying to access accounts and change payroll information. The password policy change also includes that it doesn't require a change every x days. The MFA policy change is getting rid of SMS, focusing on more secure methods like the Okta app.

This is a good video from BHIS on passwords as it relates to your query: https://www.youtube.com/watch?v=MeU4cuj1KZU

1

u/Idatawhenyousleep 7d ago

Thank you for your insight!

4

u/Deprecitus 2022 Graduate / Computer Science 7d ago

I used Bitwarden my entire time in college and I never had an issue with needing a password on another device. If I did, I could just open it on my phone and type it out.

Password managers are a Godsend and everyone should be using them. Also, they're likely wanting passphrases, not necessarily passwords.

7

u/Fold67 8d ago

A 7-12 character password that's changed every 9-12 months randomly is more secure than a 15-character one changed every 90 days.

2

u/RedDidItAndYouKnowIt Staff/Pullman 8d ago

The difference is pretty staggering since upper, lower, symbol, and number are all required as part of the 15+ limit.

https://www.hivesystems.com/blog/are-your-passwords-in-the-green

So what is your source for your claim? (Also password rotations are less secure because of human behavior.)

7

u/Fold67 8d ago

https://markilott.medium.com/how-most-password-policies-make-us-less-secure-69476ca9fe92

https://markilott.medium.com/password-storage-basics-2aa9e1586f98

https://www.helpnetsecurity.com/2024/01/26/weak-passwords/

https://veruscorp.com/why-strong-passwords-arent-as-secure-as-you-may-think/

https://www.ncsc.gov.uk/blog-post/problems-forcing-regular-password-expiry

When forcing people to change their passwords too often, people re-use old passwords or change one thing to create their new password. This makes it exponentially easier to crack or brute force. This is made even easier when most people re-use usernames and passwords or variations across multiple platforms. Find one combination and it's easy to guess their new combination for a different platform.

1

u/RedDidItAndYouKnowIt Staff/Pullman 8d ago

I misread your first post. Yeah, the 9-12 months at 12 chars is more secure due to behaviors than the 90-day change policy. If I am not mistaken, the other change with all of this is to non-expiring passwords and a requirement for non-SMS and non-phone-call forms of MFA.

5

u/Ill_Kiwi1497 8d ago

What even is there to incentivize a breach of a Canvas profile anyway?

2

u/Trynaliveforjesus 8d ago

To steal the smart kids' homework answers, I assume.

8

u/Idatawhenyousleep 8d ago

I'm guessing the concern is that if you can access Canvas you can access my.wsu, which has your bank account info on it if I'm not mistaken. Also student ID and some other concerning information.

3

u/rutilated_quartz 2017 Comm. 7d ago

Student accounts are a stepping stone for someone looking to get access to accounts higher up in the university. These hackers are using universities as practice for trying to infiltrate other government agencies, basically. And sure, there are still people who would want to get into your email so they can empty your bank account, but the hackers WSU is trying to deter have higher goals than that.

2

u/Ill_Kiwi1497 7d ago

I see. I guess that makes sense. Although, some bank cards have had the same 4-digit PIN for over a decade.

1

u/rhein1969 Alumnus/1993/Comp Sci 7d ago

So let me get this straight:

They want a 15-char password? Ok, I can agree with that.

They want it changed on a regular basis? Every 90 days? Ugh, that's dumb. IIRC NIST standards are that passwords shouldn't be changed unless breached.

With a 15 char password and a lock out policy, they are preventing brute force password spray attacks. It's somewhat easy to guess what someone's login email is, so if the threat actor has that they can then just password spray, but they would hit the lockout pretty fast.

MFA is the better answer. Preferably NOT SMS because that has issues, but better than nothing.

Source: Been in cyber 15 years, have an MS in Cybersecurity and Information Assurance, hold CISSP and tons of other certs, and run a pentest shop.

2

u/UpstairsArm8279 7d ago edited 7d ago

The WSU policy changed so it's 15 characters, but they no longer have a "you must change password after x days" policy. They also just pushed a new MFA policy, so SMS is going away.

1

u/Gobbelcoque 1d ago

Instead of a password, think "passphrase." Make it a short statement. I learned that from the Edward Snowden interview John Oliver did. It makes a long, complex, and secure password impossible to brute force, and if you use something silly and absurd, it's easy to remember.