Educause Security Discussion mailing list archives
Re: Publishing password rules
From: jeff murphy <jcmurphy () BUFFALO EDU>
Date: Thu, 6 Nov 2008 10:41:51 -0500
Discussion on entropy as it pertains to passwords/passphrases:

http://technet.microsoft.com/en-us/library/cc512609.aspx
http://technet.microsoft.com/en-us/library/cc512624.aspx

On Nov 6, 2008, at 10:27 AM, Basgen, Brian wrote:

A key component of password strength is entropy. Running English text has extremely low entropy, which is why, for example, plain text can be compressed so well. Thus, when considering password strength as a function of bit-strength, a long passphrase of simple words is quite weak. Passphrases also have end-user challenges -- namely typing a long string of characters the user can't see without making a typo, etc.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Strzelec, Wally
Sent: Thursday, November 06, 2008 7:16 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Publishing password rules

I like the idea of a "password phrase". Complex passwords are hard to type and hard to remember. A simple silly phrase such as "The cow is all red" is easy to remember and type, and it's 18 chars. It is also very easy to add complexity by simply misspelling a word, adding a period, etc... I think that when it comes to strong passwords, length is better than complexity.

-Wally

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Geoff Nathan
Sent: Wednesday, October 29, 2008 9:46 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Publishing password rules

A week or so ago I asked for opinions on whether publishing strong password standards constituted a security risk. The background for this is that we have just instituted increased strength requirements (minimum eight characters, at least one upper case and at least one numeral, no obvious matches--dictionary, accessID etc.). We’ve now had to back off a little because of *&#$%&!! Oracle limitations that forbid non-alphanumeric characters (well, most of them). As part of this we’ve been debating whether we should publish the rules or let users play twenty questions.

I personally favor publishing the requirements behind some authentication wall, such as the password change page. By a large majority (12-3) the folks who responded to my question agreed. Several pointed out that eight characters was probably too weak to make any difference, and, in general, I agree, but bumping that number up would not fly here at the moment, especially given a six-month expiry cycle.

Many thanks to the following for the responses:
Valdis Kletnieks
Roger Safian
Steven Alexander
Vijaya Sastry
Adam Nave
Tim Doty
Alex Everett
Bill Terry
Bob Bayn
Brian Basgen
Jack Suess
Conor McGrath
Jim Rizzo
Gary Dobbins
Joel Rosenblatt

Geoffrey S. Nathan
Faculty Liaison, C&IT
and Associate Professor, Linguistics Program
+1 (313) 577-1259 (C&IT)
+1 (313) 577-8621 (English/Linguistics)
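Editor's note: the three positions in this thread (Geoff's eight-character class-based rule, Wally's 18-character English phrase, and Brian's entropy objection) can be put side by side numerically. The script below is an added example written for this archive page; it is not code from any of the posters. It counts the search space of a class-based policy by inclusion-exclusion, and then estimates the same 18-character phrase three ways: as if its characters were random, as if its words were drawn at random from a vocabulary, and as the English sentence it actually is. The 2000-word vocabulary and the alphanumeric-only character classes are constructed assumptions; the figure of about one bit per character for English is Shannon's published estimate, not something the thread states.

```python
import itertools
import math

# Character classes for an alphanumeric-only password (constructed for this
# example; Geoff's Oracle constraint rules out most other characters anyway).
CLASSES = {"lower": 26, "upper": 26, "digit": 10}


def random_password_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of a password chosen uniformly at random from a
    character set of `charset_size` symbols: log2(charset_size ** length)."""
    return length * math.log2(charset_size)


def policy_bits(length: int, class_sizes: dict, required: list) -> float:
    """Entropy in bits when a password is chosen uniformly from all strings of
    `length` characters that contain at least one character from every class
    named in `required`.  Count by inclusion-exclusion: all strings, minus the
    strings missing each required class, plus those missing two, and so on."""
    total = sum(class_sizes.values())
    count = 0
    for r in range(len(required) + 1):
        for excluded in itertools.combinations(required, r):
            remaining = total - sum(class_sizes[c] for c in excluded)
            count += (-1) ** r * remaining ** length
    return math.log2(count)


def random_passphrase_bits(vocabulary_size: int, words: int) -> float:
    """Entropy in bits of a passphrase whose `words` words are each drawn
    uniformly at random from a list of `vocabulary_size` words (the Diceware
    model; a generated phrase, not a sentence the user composed)."""
    return words * math.log2(vocabulary_size)


def english_sentence_bits(text: str, bits_per_char: float = 1.0) -> float:
    """Rough entropy of a grammatical English sentence.  Shannon's experiments
    put English near one bit per character once spelling and grammar are taken
    into account; that rate is an assumption of this example.  It approximates
    what a guesser who models English actually has to search, which is why it
    is far below the naive per-character figure."""
    return len(text) * bits_per_char


def compare(phrase: str = "The cow is all red") -> dict:
    """Worked comparison of the proposals discussed in the thread."""
    words = len(phrase.split())
    return {
        # Geoff's policy: 8 chars, at least one upper case and one numeral
        "policy_8char_upper_digit": policy_bits(8, CLASSES, ["upper", "digit"]),
        # Same length with no class rule, uniformly random alphanumerics
        "random_8char_alnum": random_password_bits(62, 8),
        # Wally's phrase, wrongly treated as 18 random letters/spaces
        "phrase_naive_chars": random_password_bits(27, len(phrase)),
        # Wally's phrase if each word were picked at random from 2000 words
        "phrase_random_words_2000": random_passphrase_bits(2000, words),
        # Wally's phrase as what it is: an English sentence (Brian's point)
        "phrase_as_english": english_sentence_bits(phrase),
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:26s} {bits:6.1f} bits")
```

Two things fall out of the numbers. First, requiring an upper-case letter and a numeral slightly shrinks the eight-character space (about 47.2 bits versus 47.6 unconstrained); the rule buys nothing against a uniform chooser and only helps because real users would otherwise pick lowercase-only strings. Second, the same 18-character phrase is worth roughly 86 bits if you count characters, about 55 bits if its five words had been generated at random from a 2000-word list, and on the order of 18 bits as a composed English sentence, which is the distinction Brian is drawing: a randomly generated multi-word passphrase and a memorable sentence are different objects, even at the same length.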