Educause Security Discussion mailing list archives
Re: Passwords & Passphrases
From: Bob Bayn <Bob.Bayn () USU EDU>
Date: Mon, 19 Nov 2007 12:03:58 -0700
Even if "strong" passwords are not all that hard to crack, we still need to protect our users from themselves in some way. On one system here, that originally required a 6 digit PIN and was eventually broadened to a 6 character passcode (which we still refer to as a PIN), a review of the frequency distribution of user-selected passcodes reveals that "123456" is by far their favorite choice. A distant second is "654321" (I'm sure they think they are tricky) followed by an assortment of 6 of the same digit or 3 of two digit pairs along with names of sports and then first names. The first entries I see that don't have an obvious explanation are "monkey" and "cheese" and all the way down the sorted list to passcodes used by as few as three people, I only found 4 entries that weren't words, names, numeric sequences, keyboard patterns, or 5 letter names followed by a digit.

Left to their own option, most everyone will pick a password that says "guess me quick". The fact that it is possible for me to easily run this analysis on that system is another security concern (what hash algorithm?). Our new authentication system being prepared for deployment will address all these issues, and will have password expiration as well as a bad guess limit.

Bob Bayn
IT Security Team coordinator
Utah State University
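Added example, not part of the original message or of any USU system: a passcode-selection check that rejects the pattern classes named in the message above (numeric sequences, one repeated character, repeated pairs, keyboard patterns, sports, first names, and a name followed by a digit). The word lists are small constructed samples and every function name is hypothetical.

```python
import re

# Constructed sample lists; a real deployment would load much larger ones.
SPORTS = {"soccer", "hockey", "tennis"}
FIRST_NAMES = {"robert", "jordan", "sarah", "james", "maria"}
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def is_run(pc):
    """True when every character is exactly +1, or exactly -1, from the previous one."""
    if len(pc) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pc, pc[1:])}
    return steps in ({1}, {-1})


def is_keyboard_walk(pc):
    """True when the passcode is a slice of a keyboard row, in either direction."""
    return len(pc) >= 3 and any(pc in row or pc[::-1] in row for row in KEYBOARD_ROWS)


def classify(passcode):
    """Return the name of the guessable pattern the passcode matches, or None."""
    pc = passcode.lower()
    if len(set(pc)) == 1:
        return "same character repeated"
    if pc.isdigit() and is_run(pc):
        return "numeric sequence"
    if re.fullmatch(r"(..)\1{2,}", pc):
        return "repeated pair"
    if is_keyboard_walk(pc):
        return "keyboard pattern"
    if pc in SPORTS:
        return "sport"
    if pc in FIRST_NAMES:
        return "first name"
    if pc[:-1] in FIRST_NAMES and pc[-1].isdigit():
        return "name plus digit"
    return None


def audit(candidates):
    """Map each rejected candidate to the reason it was rejected."""
    return {c: r for c in candidates if (r := classify(c))}
```

Running the check when a passcode is chosen, on the candidate value itself, avoids any need to read back stored passcodes.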