Security Basics mailing list archives
RE: Suggested "safe" password length
From: "Smith, KC" <ksmith () systemsalliance com>
Date: Fri, 14 Nov 2003 16:19:15 -0500
I believe that you must keep the human factor in mind when deciding things like this. While the 'IQyJ$4)xv&' password described below may be quite secure from a pure-technology standpoint, how secure is the system when the only way your users can remember their password is to write it down and tape it to their monitor? I know of few users who would even attempt to remember that password, and I don't think we should expect them to. My opinion is that passwords should be no fewer than 6 and no more than 10 characters. A mix of numbers, case and special characters should be mandatory. Required change of a user's password should be made quarterly. The human factor cannot be ignored!

KC Smith

-----Original Message-----
From: Simon Gray [mailto:simong () desktop-guardian com]
Sent: Friday, November 14, 2003 6:30 AM
To: Ashish Sharma
Cc: security-basics () securityfocus com
Subject: Re: Suggested "safe" password length

Hi,
I wanted to have an idea about what should be the suggested range of password lengths and if there is any upper bound. I was told that there is a range up to which your password is encrypted and beyond which the characters are futile. I work on a linux environment with md5 encryption of passwords enabled.
I would have thought at least 8-10 characters (this does depend on what the password is authenticating you to? (Nuclear reactor? or your gym locker?)). You may want to enforce say at least 1 numeric, and 1 uppercase and maybe 1 lower case in that. Should also try to get your users to avoid using dictionary words, even such as hell0, or fr3d, etc. Something like 'IQyJ$4)xv&' or 'z46he+^6**' would be a pretty strong password since it has no real relevance to anything; however, remembering that could be interesting. That's the price you've got to pay for password security. Hope this helps.

Regards,
Simon Gray
Desktop Guardian Ltd
Developers of Identrica mobile phone based authentication
www.identrica.com

---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to simplify the management and deployment of PGP and reduce overall PGP costs by up to 80%.
FREE WHITEPAPER & 30 Day Trial - http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027
----------------------------------------------------------------------------
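An added example, not part of this thread or written by any of its participants, that turns the points discussed above into checks an administrator could actually run: KC Smith's 6-10 character mixed-class policy, the entropy a given length and alphabet can at most provide, and Ashish Sharma's question of whether a hashing scheme ignores characters beyond some position. The `legacy_8char_hash` function is a constructed stand-in (MD5 over the first 8 characters) used only to show how the truncation probe works; it is not a model of any real crypt implementation, and the probe can be pointed at whatever hash routine your system really uses.

```python
import hashlib
import math
import string

# Printable ASCII minus space: the alphabet a "mix of numbers, case and
# special characters" draws from (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
SPECIALS = set(string.punctuation)


def policy_check(password, min_len=6, max_len=10):
    """Check a password against the policy stated in the thread:
    6..10 characters containing digits, both cases and special characters.
    Returns (ok, list_of_failed_rules)."""
    failures = []
    if not (min_len <= len(password) <= max_len):
        failures.append(f"length must be {min_len}-{max_len}, got {len(password)}")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c in SPECIALS for c in password):
        failures.append("no special character")
    return (not failures, failures)


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy for a uniformly random password of `length` symbols
    drawn from `alphabet_size` choices. This is an upper bound: a password a
    human chose (or wrote on a sticky note) has less."""
    return length * math.log2(alphabet_size)


def truncation_length(hash_fn, probe_len=64):
    """Probe whether hash_fn stops looking at the password after some index.
    Flips one character at each position of a fixed probe string; the first
    position whose change leaves the digest unchanged is where truncation
    starts. Returns None if no truncation is found within probe_len."""
    base = "a" * probe_len
    reference = hash_fn(base)
    for i in range(probe_len):
        variant = base[:i] + "b" + base[i + 1:]
        if hash_fn(variant) == reference:
            return i
    return None


def md5_hex(password):
    """Plain MD5 over the whole password (no truncation)."""
    return hashlib.md5(password.encode()).hexdigest()


def legacy_8char_hash(password):
    """Constructed stand-in for a scheme that only hashes the first 8
    characters. Assumption for demonstration only, not a real algorithm."""
    return md5_hex(password[:8])


if __name__ == "__main__":
    for pw in ("IQyJ$4)xv&", "z46he+^6**", "hell0"):
        print(pw, policy_check(pw))
    for n in (6, 8, 10, 16):
        print(f"{n} chars from {len(ALPHABET)} symbols: {entropy_bits(n):.1f} bits")
    print("plain md5 truncates at:", truncation_length(md5_hex))
    print("8-char legacy hash truncates at:", truncation_length(legacy_8char_hash))
```

Running it shows that 'IQyJ$4)xv&' satisfies the stated policy while 'z46he+^6**' fails it for lacking an uppercase letter, that the 6-to-10 character range spans roughly 39 to 66 bits at best, and that the truncation probe reports `None` for a hash that covers the whole string and `8` for the constructed 8-character scheme, which is the check to run before deciding whether characters past a given length are "futile" on a particular system.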
Current thread:
- Re[2]: Suggested "safe" password length, (continued)
- Re[2]: Suggested "safe" password length Vishal (Nov 21)
- Re: Suggested "safe" password length Hollis Johnson (Nov 17)
- Re: Suggested "safe" password length Alessandro (Nov 16)
- Re: Suggested "safe" password length Tomas Wolf (Nov 17)
- Re: Suggested "safe" password length Steve (Nov 17)
- Re: Suggested "safe" password length Patrick M Darienzo Jr (Nov 16)
- RE: Suggested "safe" password length dave kleiman (Nov 17)
- RE: Suggested "safe" password length JohnNicholson (Nov 16)
- RE: Suggested "safe" password length Ben Cain (Nov 17)
- RE: Suggested "safe" password length dave kleiman (Nov 17)
- RE: Suggested "safe" password length Smith, KC (Nov 16)
- Re: Suggested "safe" password length Simon Gray (Nov 17)
- RE: Suggested "safe" password length Chris Berry (Nov 17)
- Re: Suggested "safe" password length Rodrigo Otaviano (Nov 17)
- RE: Suggested "safe" password length Inlow, Richard N (Nov 17)
- RE: Suggested "safe" password length CHRIS GRABENSTEIN (Nov 17)
- RE: Suggested "safe" password length CHRIS GRABENSTEIN (Nov 17)
- Re[2]: Suggested "safe" password length Vishal (Nov 17)
- RE: Suggested "safe" password length Kenneth Buchanan (Nov 18)
- Re: Suggested "safe" password length No God (Nov 20)
- RE: Suggested "safe" password length Chris Berry (Nov 20)
(Thread continues...)