Educause Security Discussion mailing list archives
Re: 15 character minimum passwords
From: Bill Frazier <frazier () IASTATE EDU>
Date: Fri, 9 Jul 2004 10:54:25 CDT
I don't want to get into a long discussion on length vs complexity. However, given the constraint mentioned that the character set be unlimited, length, to some extent, equates to complexity.

Much of the history of password choice recommendations is predicated on the fact that we were talking about passWORDs. Single words or word shaped things. Most cracking tools commonly available rely on vulnerabilities in the storage or transmittal system or on poor choices such as dictionary words. The shift to phrases or sentences introduces complexity, though it does not remove the need for good choices. It certainly lengthens exhaustive search approaches. It also does not necessarily protect against sophisticated cracks. Most hackers don't work for NSA.

I would agree that it is possible to choose complex passwords which are both good passwords and easily remembered. I believe, however, that "easily remembered" is a very subjective concept.

Sorry, no references, just lots of info gleaned from years of meetings and reading.

Bill
__________________________________________________________________
On Fri, 09 Jul 2004 10:01:17 CDT, "Lucas, Bryan" wrote:

I'm not sure I agree with the statement

"Much of current recommendation in the security community is that long phrases, perhaps describing events (real or imagined but not obvious), are better choices."

Who's recommending that? Increased length doesn't necessarily mean increased cracking time. Increased complexity does.

Also, the common misconception is that complex passwords can't be easily remembered. I refer you to the Cambridge study on complex passwords I sent earlier.

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bill Frazier
Sent: Friday, July 09, 2004 8:03 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] 15 character minimum passwords

The comment on ntlm is well taken. If I recall correctly, if you are using older versions of ntlm, a well chosen 8 character password is less vulnerable than a 15 character password, though both can be hacked. I don't recall whether V2 fixes that problem, though the hackability is improved.

As far as length, one advantage of long passwords -- even longer than 15 characters -- is that one can safely dispense with the requirement for multiple character classes. This is especially nice if the client systems AND whatever server-side system is present are all completely unpicky about characters used. Hence, "How now brown cow?" would be easy to remember, though perhaps not the best choice if the cracker tried common phrases. By contrast, the shorter "4RTu%@g6" is, for most people, more difficult.

Much of current recommendation in the security community is that long phrases, perhaps describing events (real or imagined but not obvious), are better choices. The idea is that such long passwords are memorable while good choices at shorter lengths are not.

Bill
__________________________________________________________________
On Thu, 08 Jul 2004 15:21:39 CDT, Eric Pancer wrote:

Todd Gunter wrote on Thu, 2004-07-08 at 16:02:57 -0400...
Has anyone adopted the use of 15 character minimum passwords? We are going to start using this password format when we migrate to Windows 2003. I was wondering if anyone has started to use this format and what, if any, issues you had using them?

We see this as a simpler approach to passwords. Fifteen character password with complexity is simply 'Ihaveabigmouth.'. They are also supposed to be much harder to crack.
When cracking ntlm type passwords, I do believe they're split into two hashes (7+7 characters). I'm not sure what is true these days, but it used to be very easy to determine the first hash if you got the second hash correct, essentially making a 14 character password as simple to crack as a 7 character password. Things might have changed.

As far as that length goes, I think you're asking for lots of passwords to be written under keyboards, on monitors, etc., but would be curious to know the results!

--
Eric Pancer :.: Computer Security Response Team :.: DePaul University
http://security.depaul.edu/ .:`:.:':.:`:. epancer () security depaul edu
pgp: 1024D/7ACBCFF3 C022 4991 41E5 51E7 683C F765 62F7 7F8E 7ACB CFF3

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
__________________________________________________________________
Bill Frazier
frazier () iastate edu
Assistant Director/Software Support
voice: (515) 294-8620
Iowa State University
fax: (515) 294-1717
Academic Information Technologies, 291 Durham, Ames, Iowa 50011
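
The 7+7 split raised in the thread is the behaviour of the legacy LAN Manager (LM) hash, which upper-cases the password, pads it to 14 characters and hashes each 7-character half on its own. Passwords of 15 or more characters get no usable LM hash. The following is an added example, not part of any poster's message, that models only that preprocessing and counts worst-case exhaustive-search guesses for the passwords quoted above. The function names and the alphabet sizes (69 upper-cased printable ASCII symbols, 95 case-sensitive) are assumptions made for illustration.

```python
# Added illustration: models only the LM hash preprocessing (upper-case, pad,
# split). No DES is performed and no real hashes are produced.

LM_MAX_LEN = 14      # LM covers at most 14 characters
LM_HALF = 7          # each 7-character half is hashed on its own
LM_ALPHABET = 69     # assumption: 95 printable ASCII minus 26 lower-case letters
FULL_ALPHABET = 95   # assumption: case-sensitive printable ASCII


def lm_halves(password):
    """Return the two halves LM would hash, or None if the password is too long."""
    if len(password) > LM_MAX_LEN:
        return None                      # 15+ characters: no usable LM hash
    padded = password.upper().ljust(LM_MAX_LEN, "\0")
    return padded[:LM_HALF], padded[LM_HALF:]


def lm_split_guesses(password):
    """Worst-case guesses when each half is searched independently."""
    halves = lm_halves(password)
    if halves is None:
        return None
    return sum(LM_ALPHABET ** len(h.rstrip("\0")) for h in halves)


def whole_guesses(password):
    """Worst-case guesses when the full, case-sensitive string must be searched."""
    return FULL_ALPHABET ** len(password)


def report(password):
    """Summarise how a password fares under the split and the whole-string model."""
    return {
        "length": len(password),
        "lm_halves": lm_halves(password),
        "split_guesses": lm_split_guesses(password),
        "whole_guesses": whole_guesses(password),
    }


if __name__ == "__main__":
    # Sample passwords are the ones quoted in the thread.
    for pw in ("4RTu%@g6", "Ihaveabigmouth.", "How now brown cow?"):
        print(repr(pw), report(pw))
```

The counts cover exhaustive search only; guessing common words or phrases, which the thread also raises, is not modelled.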