Educause Security Discussion mailing list archives

Re: Stats re: passwords


From: Matthew Wollenweber <mjw () CYBERWART COM>
Date: Fri, 16 Oct 2009 12:57:40 -0400

Generally speaking, most brute force programs, dictionaries, and
cracking software are well suited to the rules Randy cited: "a) 8-16
characters b) upper/lower case c)at least 1 numeric d) at least 1
special character." Notably, Pa$$w0rd, Passw0rd!, and P@ssword1 are
very common examples of how most people tend to cluster "complex"
rules into easily guessable permutations. I tend to use truly random
passwords from a generator or those similar in style to what Don
mentioned.

-Matt


On Fri, Oct 16, 2009 at 12:48 PM, Chris Kidd <chris.kidd () utah edu> wrote:
It depends upon the purpose of the password rules. Are the rules to prevent others from guessing a password? If 
that's the case, either approach seems reasonable. However, password requirements should be part of an overall 
strategy that includes monitoring, lockouts, etc.

Chris

Chris Kidd
650 Komas Drive, Suite 102
Salt Lake City, UT 84108
Office: 801.587.9241
Cell: 801.747.9028
chris.kidd () utah edu

http://www.secureit.utah.edu


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Don M. 
Blumenthal
Sent: Friday, October 16, 2009 10:43 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Stats re: passwords

One person that I know in the security community doesn't believe in password
rules like these because they are a pain to type and could be forgotten, if
nothing else wrt whether a letter is capitalized or not. Where the system
allows long pws, he advocates long, easy to remember sentences, such as
"IhatestrongpasswordrulesmorethanIhateBrusselssprouts."

Don

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of randy marchany
Sent: Friday, October 16, 2009 12:14 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Stats re: passwords

After reading Alison's note to the list about password rules, I'm sure
that for most of us, the following password would be valid under
standard password rules of a) 8-16 characters b) upper/lower case c)
at least 1 numeric d) at least 1 special character.

AaBbCcDd1234)(*&

<sigh>

Randy Marchany
VA Tech IT Security Office

