Educause Security Discussion mailing list archives
Re: 15 character minimum passwords
From: Jim Loter <jloter () ENGR WASHINGTON EDU>
Date: Fri, 9 Jul 2004 08:52:45 -0700
The reason Windows 15+ character passwords/phrases are harder to crack is that Windows doesn't generate LM hashes (the 7/7 split) for passwords of >= 15 characters, so traditional Windows password cracking techniques won't work against 15+ character passwords. That's not to say that other methods won't work. It just means the common LM vulnerability is resolved.

There's some recent research that debunks the notion that longer passwords are inherently harder for users to remember. It claims that mnemonic passwords are about equivalent in security to random passwords and are just about as easy for users to remember as "naively selected" passwords (i.e. dictionary words or variations on names). The trouble, of course, is getting them to follow the guidelines and not complain about them.

Another thing the research demonstrated was that ALL 6-character passwords, regardless of complexity, are easily susceptible to brute force attacks.

Full report here: http://www.ftp.cl.cam.ac.uk/ftp/users/rja14/tr500.pdf

====================================
*Jim Loter*
*Director of Computing Services*
University of Washington College of Engineering
70e Wilcox Hall - Box 352180
Seattle, WA 98195
Phone: 206-543-1791 ~ Fax: 206-543-1018
====================================

----- Original Message -----
From: Todd Gunter
Sent: 7/8/2004 1:02 PM
Has anyone adopted the use of 15 character minimum passwords? We are going to start using this password format when we migrate to Windows 2003. I was wondering if anyone has started to use this format and what, if any, issues you had using them?

We see this as a simpler approach to passwords. Fifteen character password with complexity is simply 'Ihaveabigmouth.'. They are also supposed to be much harder to crack.

Please let me know your experiences with this move and any bumps in the road to look out for.

Thanks,
Todd :)>

-----------------------------
Todd Gunter
Director, Management Information Systems
Information Technologies Project Manager
45 Ferry St
Troy, NY 12180
guntet () sage edu (work email)
518-857-6754 (cell)
518-244-2088 (office)
518-244-2460 (fax)

~~~ "If you focus on quality today, it will, in the long term, pay benefits" ~~~

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
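Added example, not part of the original messages: a Python sketch of the LM preprocessing the reply refers to (upper-casing, padding to 14 bytes, the 7/7 split) and of why no LM hash exists at 15+ characters. The function names are hypothetical, input is assumed to be ASCII, and the per-half DES step is deliberately left out; the guess counts are rough exhaustive-search bounds over the character classes present in the password.

```python
import string

LM_MAX = 14  # LM only covers passwords of up to 14 characters


def lm_halves(password):
    """Return the two 7-byte halves LM would process, or None when the
    password is 15+ characters and no LM hash is generated."""
    if len(password) > LM_MAX:
        return None
    # LM upper-cases, null-pads to 14 bytes, then splits 7/7.
    # Assumption: ASCII-only input (real LM uses the OEM code page).
    padded = password.upper().encode("ascii").ljust(LM_MAX, b"\x00")
    return padded[:7], padded[7:]


def charset_size(password, case_folded):
    """Combined size of the character classes present in the password."""
    classes = [string.digits, string.ascii_uppercase, string.punctuation + " "]
    if not case_folded:
        classes.append(string.ascii_lowercase)
    text = password.upper() if case_folded else password
    return sum(len(c) for c in classes if any(ch in c for ch in text))


def worst_case_guesses(password):
    """Return (bound against the LM halves or None, bound against the
    full case-sensitive password)."""
    full = charset_size(password, False) ** len(password)
    halves = lm_halves(password)
    if halves is None:
        return None, full
    n = charset_size(password, True)
    # Each half is searched on its own, so the costs add instead of multiply.
    lm = sum(n ** len(h.rstrip(b"\x00")) for h in halves)
    return lm, full


if __name__ == "__main__":
    # Constructed sample inputs; the second is the phrase quoted in the thread.
    for pw in ("Passw0rd!", "Ihaveabigmouth."):
        print(pw, len(pw), lm_halves(pw), worst_case_guesses(pw))
```
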