Enforcement of stronger passwords for the creation of internal ALMA/Primo users
As CISUG, the university consortium of Galicia, we represent three member universities. Our universities have a security problem with the management of passwords for internal users in Alma.
Alma's internal authentication system allows users to create complex passwords, but complexity should be a requirement enforced by the system, not something left to the user's discretion.
Our request is that:
Alma should enforce a minimum password length of 8 characters and allow the system administrator to raise that minimum.
Alma should allow the administrator to require mixed case, numbers and special characters when passwords are created.
Alma should check that the password does not contain user data (e.g. name, surname, email, etc.) that can be easily guessed or obtained.
Alma should check that the password is not identical to any of the previously used passwords, nor formed by concatenating them.
Alma should validate the new password against a blacklist of unacceptable passwords: those that are widely used, easily deduced or known to be compromised (e.g. "aaaaaaaa", "1234abcd", etc.).
In addition, Alma should audit the authentication process and:
Limit the number of unsuccessful login attempts, applying an incremental delay after several failures (e.g. a 1-minute delay after 3 failed attempts and 10 additional minutes for each subsequent failure) to hinder automated (bot) attacks.
Be able to block the account once a set number of failures is reached (e.g. blocking the user after 10 failed attempts).
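The checks requested above (minimum length, character classes, user data, history and concatenation of old passwords, blacklist) and the throttling/lockout rule can be expressed compactly. The following is an added example written for this post, not Alma's code or any Ex Libris API; the policy constants, the blacklist, the user record and the old passwords are all constructed for the demo, and PBKDF2 stands in for whatever password hashing the real system uses.

```python
import hashlib
import secrets
from datetime import datetime, timedelta

# Policy parameters taken from the examples in the request (assumed admin-tunable).
MIN_LENGTH = 8
DELAY_AFTER = 3                      # failures before the first delay
FIRST_DELAY = timedelta(minutes=1)   # delay imposed at the DELAY_AFTER-th failure
STEP_DELAY = timedelta(minutes=10)   # added for every further failure
LOCK_AFTER = 10                      # failures before the account is blocked

# Constructed blacklist; a real deployment would load a compromised-password list.
BLACKLIST = {"aaaaaaaa", "1234abcd", "password", "12345678", "qwerty123"}

# Constructed reference time used by the demo and its checks.
DEMO_START = datetime(2024, 1, 1, 12, 0)


def hash_password(password: str, salt: bytes) -> str:
    # Low PBKDF2 iteration count keeps the demo fast; use a far higher cost
    # (or Argon2/scrypt) when storing real credentials.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000).hex()


def history_entry(password: str) -> tuple:
    """Store an old password as (salt, hash) so no plaintext is kept."""
    salt = secrets.token_bytes(16)
    return salt, hash_password(password, salt)


def _matches_history(candidate: str, history) -> bool:
    return any(hash_password(candidate, salt) == digest for salt, digest in history)


def _user_tokens(user: dict) -> set:
    """Fragments (3+ chars) of the user's own data that must not appear in a password."""
    raw = [user.get("name", ""), user.get("surname", ""), user.get("email", "").split("@")[0]]
    tokens = set()
    for value in raw:
        for part in value.replace("-", " ").replace(".", " ").split():
            if len(part) >= 3:
                tokens.add(part.lower())
    return tokens


def check_password(candidate: str, user: dict, history) -> list:
    """Return the names of the rules the candidate violates (empty list = accepted)."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append("length")
    classes = (any(c.islower() for c in candidate), any(c.isupper() for c in candidate),
               any(c.isdigit() for c in candidate), any(not c.isalnum() for c in candidate))
    if not all(classes):
        violations.append("complexity")
    lowered = candidate.lower()
    if any(tok in lowered for tok in _user_tokens(user)):
        violations.append("user_data")
    if lowered in BLACKLIST:
        violations.append("blacklist")
    if _matches_history(candidate, history):
        violations.append("reuse")
    # A two-part concatenation of old passwords is detectable from hashes alone by
    # hashing every prefix/suffix split; longer concatenations are not covered here.
    elif any(_matches_history(candidate[:i], history) and _matches_history(candidate[i:], history)
             for i in range(1, len(candidate))):
        violations.append("concatenation")
    return violations


class LoginThrottle:
    """Per-user failure counter: growing delay after DELAY_AFTER failures, block at LOCK_AFTER."""

    def __init__(self):
        self._state = {}  # username -> (failure count, earliest time of next attempt)

    def can_attempt(self, username: str, now: datetime) -> str:
        count, not_before = self._state.get(username, (0, now))
        if count >= LOCK_AFTER:
            return "locked"        # only an administrator should clear this
        if now < not_before:
            return "delayed"
        return "ok"

    def record(self, username: str, success: bool, now: datetime) -> int:
        """Update the counter; return the delay in seconds imposed before the next attempt."""
        if success:
            self._state.pop(username, None)
            return 0
        count = self._state.get(username, (0, now))[0] + 1
        delay = timedelta(0) if count < DELAY_AFTER else FIRST_DELAY + STEP_DELAY * (count - DELAY_AFTER)
        self._state[username] = (count, now + delay)
        return int(delay.total_seconds())


if __name__ == "__main__":
    user = {"name": "Ana", "surname": "García", "email": "ana.garcia@usc.es"}   # constructed
    history = [history_entry("Winter#2023"), history_entry("Spring#24x")]       # constructed
    print(check_password("Winter#2023Spring#24x", user, history))
```

The history check works on stored hashes only, so the old plaintexts never need to be retained; the cost is one hash per stored entry per split point, which is acceptable for the few entries a history normally keeps. The throttle keeps state in memory for illustration; a real service would persist it so that restarting the application does not reset an attacker's counter.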
And as additional security measures:
Alma should allow the administrator to automate a forced periodic password change (e.g. yearly or semi-annually).
Alma should provide a mechanism allowing the administrator to require a password change when there is evidence that passwords have been compromised.
Although we understand it is more complex, we believe it would be advisable for Alma to offer users two-factor authentication (2FA), as most information systems (Google, Microsoft, etc.) do today.
With these requirements implemented, users' personal data would be better protected (both in terms of access to the system itself and to prevent it from serving as an entry vector into other tools), and the institutions would comply with the minimum cybersecurity requirements of the ENS, the Spanish National Security Scheme (Esquema Nacional de Seguridad).