Educause Security Discussion mailing list archives
Re: Passphrases v Password
From: Will Froning <will.froning () GMAIL COM>
Date: Fri, 5 Jul 2013 23:54:35 +0400
Hello Rich,

tiqr.org and https://www.toopher.com/ both come to mind as interesting ways to solve password problems.

We have a more restrictive password policy for Faculty that includes a requirement to use Yubikey. It has eliminated students trying to steal faculty passwords as an avenue to abusing the system. Now the profs are struggling with camera phones instead.

Thanks,
Will

On July 5, 2013 at 11:24:20 PM, Rich Graves (rgraves () carleton edu) wrote:

> What is the rationale for 16? The (obsolete!) justification for 15 was LANMAN.
>
> Some of the best arguments against user-hostile password policies are http://research.microsoft.com/en-us/people/cormac/
>
> Although I do not agree with all that he says -- he seems to derive joy from playing the contrarian -- the conclusion of "Where do security policies come from?" is devastating and, I believe, correct.
>
> > We conclude that the sites with the most restrictive password policies do not have greater security concerns, they are simply better insulated from the consequences of poor usability. Online retailers and sites that sell advertising must compete vigorously for users and traffic. In contrast to government and university sites, poor usability is a luxury they cannot afford. This in turn suggests that much of the extra strength demanded by the more restrictive policies is superfluous: it causes considerable inconvenience for negligible security improvement.
>
> We have a captive audience, and we can point at a password policy as evidence that we are "doing something." But the economic cost is high, and the security impact may be negative. I've overheard help desk staff refuse to change passwords for users affected by malware because it's hard to come up with a new password.
>
> If you want security, the big wins are authentication by means other than passwords ("known device" is a huge win), and then application and network whitelisting.
>
> The motivation for my current institution's password policy was not security.
>
> --
> Rich Graves http://claimid.com/rcgraves
> Carleton.edu Sr UNIX and Security Admin

--
Will Froning
Unix SysAdmin
Will.Froning () GMail com
MSN: wfroning () angui sh
YIM: will_froning
AIM: willfroning