Security Basics mailing list archives

Re: Suggested "safe" password length


From: "Robert & Marina Mantle" <rwmantle () rogers com>
Date: Fri, 14 Nov 2003 22:36:00 -0500

    True, although best practices suggest a password of at least 8
characters, too long a password and users will have a tendency to write
them down rather than attempt to commit them to memory.

    Robert Mantle
    DND
    Network Vulnerability Analysis

----- Original Message ----- 
From: "Simon Gray" <simong () desktop-guardian com>
To: "Ashish Sharma" <ashishs () iitg ernet in>
Cc: <security-basics () securityfocus com>
Sent: Friday, November 14, 2003 6:30 AM
Subject: Re: Suggested "safe" password length


Hi,

I wanted to have an idea about what should be the suggested range of
password lengths and if there is any upper bound.
I was told that there is a range up to which your password is encrypted
and beyond which the characters are futile. I work on a Linux environment
with md5 encryption of passwords enabled.


I would have thought at least 8-10 characters (this does depend on what the
password is authenticating you to? (Nuclear reactor? or your gym locker?))
You may want to enforce say at least 1 numeric, and 1 uppercase and maybe 1
lower case in that. Should also try to get your users to avoid using
dictionary words, even such as hell0, or fr3d etc.. Something like
'IQyJ$4)xv&' or 'z46he+^6**' would be a pretty strong password since it has
no real relevance to anything, however remembering that could be
interesting. That's the price you've got to pay for password security.

Hope this helps.

Regards,

Simon Gray
Desktop Guardian Ltd

Developers of Identrica
mobile phone based authentication
www.identrica.com
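
Added example, not part of the original messages: a small policy check for the rules suggested in the thread (at least 8 characters, a digit, an uppercase and a lowercase letter, and no dictionary words even when disguised as in hell0 or fr3d). The wordlist, the substitution table and the function names are assumptions made for illustration.

```python
import string

# Constructed sample wordlist (assumption); swap in a real dictionary file.
WORDLIST = {"hello", "fred", "password", "welcome", "dragon"}

# Common substitutions undone before the dictionary lookup (assumed mapping).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 8  # lower bound suggested in the thread


def dictionary_hits(password, wordlist=WORDLIST):
    """Return wordlist entries found in the password once it is lower-cased
    and the substitutions are reversed, so 'hell0' and 'fr3d' still match."""
    plain = password.lower().translate(LEET)
    return sorted(w for w in wordlist if len(w) >= 4 and w in plain)


def check_password(password, wordlist=WORDLIST):
    """Return a list of policy failures; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    if not any(c in string.digits for c in password):
        failures.append("digit")
    if not any(c in string.ascii_uppercase for c in password):
        failures.append("uppercase")
    if not any(c in string.ascii_lowercase for c in password):
        failures.append("lowercase")
    failures += ["dictionary:" + w for w in dictionary_hits(password, wordlist)]
    return failures


if __name__ == "__main__":
    # Candidates taken from the thread plus one constructed longer variant.
    for candidate in ("hell0", "fr3d", "Fr3dFr3d99", "IQyJ$4)xv&"):
        print(candidate, check_password(candidate) or "ok")
```

The substring match means a padded or repeated word such as Fr3dFr3d99 is still rejected even though it satisfies the length and character-class rules.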

