Educause Security Discussion mailing list archives

Re: Passphrases v Password


From: Michael Sinatra <michael () RANCID BERKELEY EDU>
Date: Fri, 5 Jul 2013 14:53:42 -0700

On 07/05/13 11:57, randy wrote:
> How do you enforce "passphrases"? :-)
>
> Our current password rules are at
> http://www.awareness.security.vt.edu/passwords/strong_passwords.html.
> It will be interesting to see the user reaction to the 16 character
> minimum requirement.

xkcd has an interesting discussion of password/passphrase strength:

https://xkcd.com/936/

(Moral of the story: We've successfully trained users to create
passwords that are hard for them to remember but easy for computers to
guess.)

The only catch with using long passphrases is that it's better that they
NOT be grammatically correct:

http://www.cs.cmu.edu/~agrao/paper/Effect_of_Grammar_on_Security_of_Long_Passwords.pdf

michael

