Educause Security Discussion mailing list archives
Re: Stats re: passwords
From: Matthew Wollenweber <mjw () CYBERWART COM>
Date: Fri, 16 Oct 2009 12:57:40 -0400
Generally speaking, most brute force programs, dictionaries, and cracking software are well suited to the rules Randy cited: "a) 8-16 characters b) upper/lower case c) at least 1 numeric d) at least 1 special character." Notably, Pa$$w0rd, Passw0rd!, and P@ssword1 are very common examples of how most people tend to cluster "complex" rules into easily guessable permutations. I tend to use truly random passwords from a generator or those similar in style to what Don mentioned.

-Matt

On Fri, Oct 16, 2009 at 12:48 PM, Chris Kidd <chris.kidd () utah edu> wrote:

It depends upon the purpose of the password rules. Are the rules to prevent others from guessing a password? If that's the case, either approach seems reasonable. However, password requirements should be part of an overall strategy that includes monitoring, lockouts, etc.

Chris

Chris Kidd
650 Komas Drive, Suite 102
Salt Lake City, UT 84108
Office: 801.587.9241
Cell: 801.747.9028
chris.kidd () utah edu
http://www.secureit.utah.edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Don M. Blumenthal
Sent: Friday, October 16, 2009 10:43 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Stats re: passwords

One person that I know in the security community doesn't believe in password rules like these because they are a pain to type and could be forgotten, if nothing else wrt whether a letter is capitalized or not. Where the system allows long pws, he advocates long, easy to remember sentences, such as "IhatestrongpasswordrulesmorethanIhateBrusselssprouts."

Don

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of randy marchany
Sent: Friday, October 16, 2009 12:14 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Stats re: passwords

After reading Alison's note to the list about password rules, I'm sure that for most of us, the following password would be valid under standard password rules of a) 8-16 characters b) upper/lower case c) at least 1 numeric d) at least 1 special character.

AaBbCcDd1234)(*&

<sigh>

Randy Marchany
VA Tech IT Security Office
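The thread's point, that a composition rule ("8-16 chars, mixed case, a digit, a special character") accepts exactly the predictable permutations crackers try first, can be made concrete with a small policy checker. The following is an added example written for this archive page, not code from any of the posters; it implements Randy's four rules as stated, then applies a second, hypothetical check that undoes the common letter-for-symbol substitutions and compares the result against a tiny constructed word list and an alphabet-run test. The substitution table, the word list, and the function names are all assumptions of this example.

```python
import string

# Composition rules exactly as quoted in the thread:
# a) 8-16 characters b) upper/lower case c) at least 1 numeric d) at least 1 special character
def meets_composition_rules(pw: str) -> bool:
    return (
        8 <= len(pw) <= 16
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in string.punctuation for c in pw)
    )

# Constructed table of the substitutions people use to make a word "complex"
# (assumption: a real cracking rule set is far larger; this is illustrative only).
LEET = str.maketrans({
    "$": "s", "@": "a", "0": "o", "1": "i", "3": "e",
    "4": "a", "5": "s", "7": "t", "!": "i",
})

# Constructed stand-in for a cracking dictionary.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "monkey"}


def normalize(pw: str) -> str:
    """Strip the digits/symbols people bolt onto the ends, undo leet substitutions,
    lowercase, and keep only letters: the 'core word' a dictionary attack targets."""
    core = pw.strip(string.digits + string.punctuation)
    core = core.translate(LEET).lower()
    return "".join(c for c in core if c.isalpha())


def is_alphabet_run(s: str) -> bool:
    """True for cores like 'aabbccdd' -> 'abcd': consecutive letters of the alphabet."""
    collapsed = "".join(c for i, c in enumerate(s) if i == 0 or c != s[i - 1])
    return len(collapsed) >= 3 and all(
        ord(b) - ord(a) == 1 for a, b in zip(collapsed, collapsed[1:])
    )


def is_predictable(pw: str) -> bool:
    """Second-stage check: does the password reduce to a dictionary word or a trivial run?"""
    core = normalize(pw)
    return core in COMMON_WORDS or is_alphabet_run(core)


def audit(pw: str) -> dict:
    """Return both verdicts so a policy reviewer can see where each rule set lands."""
    return {
        "password": pw,
        "meets_composition_rules": meets_composition_rules(pw),
        "predictable_core": is_predictable(pw),
        "core": normalize(pw),
    }


if __name__ == "__main__":
    # The examples from the thread, plus a generator-style password for contrast.
    for candidate in [
        "Pa$$w0rd", "Passw0rd!", "P@ssword1", "AaBbCcDd1234)(*&",
        "IhatestrongpasswordrulesmorethanIhateBrusselssprouts",
        "x7#Qm!2pL9vR",
    ]:
        print(audit(candidate))
```

Run as a script it prints one line per candidate: every leet-style example and Randy's AaBbCcDd1234)(*& pass the composition rules yet reduce to "password" or an alphabet run, Don's sentence fails the rules (too long, no digit, no symbol) yet has no guessable core, and only the generated string passes both. The design point is that the normalize-then-lookup stage is the one that actually separates the two groups, which is why a word list and lockout/monitoring belong in the policy alongside, or instead of, character-class rules.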