Educause Security Discussion mailing list archives

Re: 15 character minimum passwords


From: Rich Graves <rcgraves () BRANDEIS EDU>
Date: Fri, 9 Jul 2004 09:28:03 -0400

On Fri, 9 Jul 2004, Scott Bradner wrote:

> the only threats I can see where going to 15 characters would make
> a possible difference is watching over someone's shoulder to catch a
> password and leaving the password file some place it can be grabbed
> for a brute force attack
>
> am I missing something?

Yes, both NTLM and Kerberos5 are subject to offline attacks on a sniffed
challenge/response. If you still run Kerberos4, it's worse; a completely
offline attack is possible.

Also, 15-character passwords exceed the 14-character LANMAN limit, so those
much weaker hashes won't be stored -- or *offered*, when a client connects
to a server that says it doesn't speak NTLM.

So, those are reasons, but I don't consider them compelling enough to
enforce them at Brandeis for anyone but myself. Brandeis currently requires
either complex 7-8 character passwords (if any client supports LANMAN, you
gain no security by going from 7 to 14) or simple passphrases 15+. Most
users are choosing 15+ character passphrases now because it's easier than
fighting cracklib.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
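Added worked example (editor's addition, not part of Rich Graves' message or the EDUCAUSE list): the LAN Manager hash construction that the message relies on, showing why 7 to 14 characters buys nothing against an LM-capable client (each 7-byte half is hashed independently, so the first half of "password" and of a 14-character password starting with PASSWOR are identical) and why a 15+ character password removes the LM hash entirely (Windows stores the hash of the empty password, AAD3B435B51404EE repeated, which has nothing to crack). Assumptions: ASCII-only passwords (Windows actually uses the OEM code page), and storedLMHash is this example's own model of the >14-character rule, not a Windows API. The hashes of "" and "password" are the standard published test vectors.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed plaintext that every LM password half encrypts.
const lmMagic = "KGS!@#$%"

// desKeyFrom7 spreads 56 password bits over 8 bytes, leaving bit 0 of each
// byte for DES parity (DES ignores parity, so the bit is simply left clear).
func desKeyFrom7(k7 []byte) []byte {
	key := []byte{
		k7[0] >> 1,
		(k7[0]&0x01)<<6 | k7[1]>>2,
		(k7[1]&0x03)<<5 | k7[2]>>3,
		(k7[2]&0x07)<<4 | k7[3]>>4,
		(k7[3]&0x0F)<<3 | k7[4]>>5,
		(k7[4]&0x1F)<<2 | k7[5]>>6,
		(k7[5]&0x3F)<<1 | k7[6]>>7,
		k7[6] & 0x7F,
	}
	for i := range key {
		key[i] <<= 1
	}
	return key
}

// lmHalf encrypts lmMagic under one 7-byte half of the password.
// Each half depends only on its own 7 bytes, which is the whole weakness.
func lmHalf(k7 []byte) []byte {
	block, err := des.NewCipher(desKeyFrom7(k7))
	if err != nil {
		panic(err) // only possible with a wrong key length, which cannot happen here
	}
	out := make([]byte, des.BlockSize)
	block.Encrypt(out, []byte(lmMagic))
	return out
}

// lmHash computes the LAN Manager hash: ASCII-uppercase, cut or zero-pad to
// 14 bytes, hash the two 7-byte halves independently, concatenate.
func lmHash(password string) []byte {
	p := make([]byte, 14)
	copy(p, strings.ToUpper(password)) // copy drops anything past byte 14
	return append(lmHalf(p[:7]), lmHalf(p[7:])...)
}

// storedLMHash models (assumption, not a Windows API) what the SAM keeps:
// for a password longer than 14 characters no LM hash is computed and the
// hash of the empty password is recorded instead, so there is nothing to crack.
func storedLMHash(password string) []byte {
	if len(password) > 14 {
		return lmHash("")
	}
	return lmHash(password)
}

func lmHashHex(password string) string {
	return strings.ToUpper(hex.EncodeToString(lmHash(password)))
}

func storedLMHashHex(password string) string {
	return strings.ToUpper(hex.EncodeToString(storedLMHash(password)))
}

func main() {
	// Constructed sample passwords: empty, 7, 8, 14 and 21 characters.
	for _, pw := range []string{"", "PASSWOR", "password", "PASSWORd12345!", "correct horse battery"} {
		h := lmHashHex(pw)
		fmt.Printf("%-24q half1=%s half2=%s stored=%s\n", pw, h[:16], h[16:], storedLMHashHex(pw))
	}
}
```

Reading the output: "PASSWOR", "password" and "PASSWORd12345!" share the first half (E52CAC67419A9A22), and any half that is all padding is AAD3B435B51404EE, so an attacker cracks each half against a 7-byte uppercase keyspace in parallel; the 21-character passphrase leaves only the empty-password value in the store.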