Educause Security Discussion mailing list archives

Re: Follow up to password vs pass-phrase discussion


From: Bill Badertscher <wdc8 () GEORGETOWN EDU>
Date: Tue, 27 Apr 2010 15:46:06 -0400

The attached Excel spreadsheet from Eric Cole (Sans.org) offers
excellent information on the use of pass phrases vs. passwords.

The Notes and Passphrase Politics worksheets include helpful
implementation information.


--

William D. Badertscher
Senior Engineer Facility and Safety Control Systems
        Georgetown University, Information Services
        3300 Whitehaven Street, N.W., Suite 2000
        Washington, DC 20007
        
Email:  wdc8 () georgetown edu
Mobile: 202-731-2758




Roger Safian wrote:
At 02:22 PM 4/27/2010, Kamnab Keo/FS/VCU put fingers to keyboard and wrote:

Does anyone advocate the use of pass-phrases vs passwords and allowing users the ability to use pass-phrases if they 
want to?  For example, do you allow your users to use pass-phrases that consist of 15 characters or more with no 
complexity requirements but passwords with 7 to 14 characters must have some type of complexity (uppercase, number, 
special character)?


What's the difference?  It seems to me that what you are saying is if your
password/phrase is longer than X (14 in this case) you are willing to
not subject them to the same rules for password/phrases that are not.
The password or passphrase just seems like semantics and muddies the water.

What am I missing?





Attachment: Passphrase_Length_and_Complexity_Considerations.xlsx
