Educause Security Discussion mailing list archives
Re: Passphrases v Password
From: Steven Alexander <alexander.s () MCCD EDU>
Date: Sat, 6 Jul 2013 00:13:57 +0000
My guess is that they chose 16 because a 16 character minimum would force users to pick at least four words that are four letters or longer. It's no longer necessary to pick 15+ character passwords in order to prevent LANMAN password storage, but 14-16 characters is still a good minimum length if you want strong passwords on Windows. It's not very user-friendly, but anything less is probably crackable because the hashing algorithm (MD4) used on Windows is so laughably ill-chosen.

-Steven Alexander

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Rich Graves [rgraves () CARLETON EDU]
Sent: Friday, July 05, 2013 12:24 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Passphrases v Password

What is the rationale for 16? The (obsolete!) justification for 15 was LANMAN.

Some of the best arguments against user-hostile password policies are http://research.microsoft.com/en-us/people/cormac/

Although I do not agree with all that he says -- he seems to derive joy from playing the contrarian -- the conclusion of "Where do security policies come from?" is devastating and, I believe, correct.

> We conclude that the sites with the most restrictive password policies do not have greater security concerns, they are simply better insulated from the consequences of poor usability. Online retailers and sites that sell advertising must compete vigorously for users and traffic. In contrast to government and university sites, poor usability is a luxury they cannot afford. This in turn suggests that much of the extra strength demanded by the more restrictive policies is superfluous: it causes considerable inconvenience for negligible security improvement.

We have a captive audience, and we can point at a password policy as evidence that we are "doing something." But the economic cost is high, and the security impact may be negative.

I've overheard help desk staff refuse to change passwords for users affected by malware because it's hard to come up with a new password. If you want security, the big wins are authentication by means other than passwords ("known device" is a huge win), and then application and network whitelisting.

The motivation for my current institution's password policy was not security.

--
Rich Graves http://claimid.com/rcgraves
Carleton.edu Sr UNIX and Security Admin
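The arithmetic behind the "16 characters, so at least four words of four letters" reasoning, and the reason length rather than character classes is what a fast unsalted hash like MD4 makes matter, can be checked with a small policy evaluator. The code below is an added example written for this archive page, not anything posted by Steven Alexander or Rich Graves. It enforces the 16-character minimum from the thread, counts words of four or more letters (splitting on separators and camelCase, since it has no dictionary with which to segment run-together words), and reports two rough strength estimates: a brute-force bit count from length and character set, and a word-list estimate that assumes an attacker's list of `DICTIONARY_SIZE` words (the 20,000 figure is an assumption chosen here, not a value from the thread).

```python
import math
import re
import string

MIN_LENGTH = 16          # minimum length discussed in the thread
MIN_WORD_LENGTH = 4      # "four letters or longer"
DICTIONARY_SIZE = 20000  # assumed size of an attacker's word list (assumption, not from the thread)

# Sample passphrases, constructed for this example only.
SAMPLES = [
    "correct horse battery staple",
    "CorrectHorse",
    "Tr0ub4dor&3",
]


def charset_size(pw):
    """Size of the smallest standard character set that covers every character in pw."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation or c.isspace() for c in pw):
        size += 33  # printable ASCII punctuation plus space
    return size


def split_words(pw):
    """Split a passphrase into words on separators and camelCase boundaries.

    Run-together lowercase words (e.g. 'correcthorse') cannot be segmented
    without a dictionary and are counted as a single word.
    """
    words = []
    for chunk in re.findall(r"[A-Za-z]+", pw):
        words.extend(re.findall(r"[A-Z]?[a-z]+|[A-Z]+(?![a-z])", chunk))
    return words


def evaluate(pw):
    """Return policy verdicts and rough strength estimates for one passphrase."""
    words = split_words(pw)
    long_words = [w for w in words if len(w) >= MIN_WORD_LENGTH]

    # Brute-force model: every position drawn from the covering character set.
    brute_bits = len(pw) * math.log2(charset_size(pw)) if pw else 0.0

    # Word-list model: each word drawn from a DICTIONARY_SIZE list; an attacker
    # picks the cheaper model, so the effective estimate is the minimum.
    dict_bits = len(words) * math.log2(DICTIONARY_SIZE) if words else brute_bits

    return {
        "length": len(pw),
        "meets_min_length": len(pw) >= MIN_LENGTH,
        "words": words,
        "long_word_count": len(long_words),
        "brute_force_bits": round(brute_bits, 1),
        "effective_bits": round(min(brute_bits, dict_bits), 1),
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r}: {evaluate(sample)}")
```

The four-word sample passes the length check and scores far lower under the word-list model than under the brute-force model, which is the point: a long passphrase built from common words is strong mainly because of how many words it has, so a length floor is a reasonable proxy for a word-count floor when the back-end hash is fast and unsalted.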
Current thread:
- Re: Passphrases v Password, (continued)
- Re: Passphrases v Password Cathy Hubbs (Jul 05)
- Re: Passphrases v Password randy (Jul 05)
- Re: Passphrases v Password SCHALIP, MICHAEL (Jul 05)
- Re: Passphrases v Password Michael Sinatra (Jul 05)
- Re: Passphrases v Password Rich Graves (Jul 05)
- Re: Passphrases v Password Steven Alexander (Jul 05)
- Re: Passphrases v Password Rich Graves (Jul 05)
- Re: Passphrases v Password Will Froning (Jul 05)
- Re: Passphrases v Password Rich Graves (Jul 05)
- Re: Passphrases v Password Mike Osterman (Jul 05)
- Re: Passphrases v Password Will Froning (Jul 05)
- Re: Passphrases v Password Steven Alexander (Jul 05)
- Re: Passphrases v Password Cathy Hubbs (Jul 05)
- Re: Passphrases v Password scott hollatz (Jul 05)
- Re: Passphrases v Password Ray McClure (Jul 06)
- Re: Passphrases v Password Tim Doty (Jul 08)
- Re: Passphrases v Password randy (Jul 08)
- Re: Passphrases v Password Tim Doty (Jul 08)
- Re: Passphrases v Password shanna leonard (Jul 09)
- Re: Passphrases v Password Steven Alexander (Jul 09)
- Re: Passphrases v Password scott hollatz (Jul 05)