Central Authentication System (CAS), the security system which protects the myUSF passwords, saves the last six passwords that were used for login so that they cannot be reused. Under the CAS system, myUSF users are required to change their password every six months, which means that there are thousands of user passwords that are kept in the system. This raised concerns among the USF community regarding where these passwords were kept and how they were protected.
Nick Recchia, information security officer (ISO) and director of information, security and compliance at USF’s Information Technology Services (ITS), is responsible for password management for myUSF. Recchia assures us that each password is safe and encrypted under the current system.
The current system uses the industry-standard Access Identity Management (AIM) product, which uses “hashing,” a method of encrypting passwords to ensure that each password is protected. Then, “salt,” another method of encryption, is put on the password.
“‘Salt’ is put on the password ‘hash’ to encrypt it in a way that’s not reversible and therefore you can’t use the same password,” said Recchia. In short, ‘hash’ shields the password and ‘salt’ ensures that the last six passwords may not be used as the current password. This is a way for AIM to add another layer of protection to keep the passwords hidden.
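As an added illustration of the mechanism described above (this is example code, not code from USF ITS or from the AIM product the article mentions), the following shows how a salted, one-way password hash is combined with a six-entry history check so that a recently used password is rejected; the PBKDF2 work factor and the sample passwords are constructed for the example.

```python
import hashlib
import hmac
import os

HISTORY_DEPTH = 6       # the article states the last six passwords are retained
ITERATIONS = 50_000     # constructed work factor for the example, not a value from the page


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a one-way digest; the stored value cannot be reversed to recover the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class PasswordHistory:
    """Keeps the salted hashes of the most recent passwords, never the passwords themselves."""

    def __init__(self) -> None:
        self.entries: list[tuple[bytes, bytes]] = []   # (salt, digest), most recent last

    def is_reused(self, candidate: str) -> bool:
        # Every entry carries its own random salt, so the candidate must be re-hashed
        # with each stored salt; digests of the same password differ across entries.
        for salt, digest in self.entries:
            if hmac.compare_digest(hash_password(candidate, salt), digest):
                return True
        return False

    def set_password(self, password: str) -> bool:
        """Return True and record the new password, or False if it matches one of the last six."""
        if self.is_reused(password):
            return False
        salt = os.urandom(16)                          # fresh salt per stored password
        self.entries.append((salt, hash_password(password, salt)))
        self.entries = self.entries[-HISTORY_DEPTH:]   # drop anything older than six changes
        return True


def demo() -> tuple[bool, bool, bool]:
    """Constructed walkthrough: six changes, a blocked reuse, then the oldest ages out."""
    history = PasswordHistory()
    for n in range(1, 7):
        history.set_password(f"example-pass-{n}")      # constructed sample passwords
    blocked = history.set_password("example-pass-1")   # still within the last six: rejected
    seventh = history.set_password("example-pass-7")   # a new password: accepted, evicts pass-1
    aged_out = history.set_password("example-pass-1")  # no longer in the last six: accepted
    return blocked, seventh, aged_out
```

Two stored entries for the same password never share a digest, which is why the check re-hashes the candidate under each stored salt rather than comparing digests directly.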
Vice President of Information Technology and Chief Information Officer Opinder Bawa disclosed that ITS was in the process of changing authentication systems. ITS originally developed a home-grown system and has made the decision to switch to a commercial product. “These products are used in commercial organizations such as banking and telecommunications, so they’re very secure systems and they give you so much more functionality than the home-grown system,” said Bawa.
While ITS is still in the process of selecting a commercial product, Bawa was impressed with some of the functions that these kinds of systems make possible. “There’s more self-service than the home-grown version,” said Bawa. For example, if a user forgets their password, commercial systems are capable of sending a text message or asking security questions. The current system is only capable of sending an email.
Current and previous myUSF passwords are saved in the current password security system only so that the user cannot jeopardize their security by reusing an old password. ITS seeks to employ a more user-friendly system that will continue to ensure the protection of our passwords.