Educause Security Discussion mailing list archives

Re: Passphrases v Password


From: Steven Alexander <alexander.s () MCCD EDU>
Date: Sat, 6 Jul 2013 00:13:57 +0000

My guess is that they chose 16 because a 16 character minimum would force users to pick at least four words that are 
four letters or longer.

It's no longer necessary to pick 15+ character passwords in order to prevent LANMAN password storage, but 14-16 
characters is still a good minimum length if you want strong passwords on Windows.  It's not very user-friendly, but 
anything less is probably crackable because the hashing algorithm (MD4) used on Windows is so laughably ill-chosen.

-Steven Alexander

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Rich Graves 
[rgraves () CARLETON EDU]
Sent: Friday, July 05, 2013 12:24 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Passphrases v Password

What is the rationale for 16? The (obsolete!) justification for 15 was LANMAN.

Some of the best arguments against user-hostile password policies are http://research.microsoft.com/en-us/people/cormac/

Although I do not agree with all that he says -- he seems to derive joy from playing the contrarian -- the conclusion 
of "Where do security policies come from?" is devastating and, I believe, correct.
We conclude that the sites with the most restrictive password policies do not have greater security concerns, they are 
simply better insulated from the consequences of poor usability. Online retailers and sites that sell advertising must 
compete vigorously for users and traffic. In contrast to government and university sites, poor usability is a luxury 
they cannot afford. This in turn suggests that much of the extra strength demanded by the more restrictive policies is 
superfluous: it causes considerable inconvenience for negligible security improvement.
We have a captive audience, and we can point at a password policy as evidence that we are "doing something." But the 
economic cost is high, and the security impact may be negative. I've overheard help desk staff refuse to change 
passwords for users affected by malware because it's hard to come up with a new password.

If you want security, the big wins are authentication by means other than passwords ("known device" is a huge win), and 
then application and network whitelisting. The motivation for my current institution's password policy was not security.
--
Rich Graves http://claimid.com/rcgraves
Carleton.edu Sr UNIX and Security Admin
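Steven's point above is that the NT hash Windows stores is plain MD4 over the UTF-16LE password with no salt, so one hash computation per candidate is enough to test that candidate against every account at once. The script below is an added example, not code from either message: it implements MD4 in pure Python from RFC 1320 (so it runs even where hashlib's legacy MD4 provider is disabled), derives NT hashes, and runs a small dictionary attack over a constructed user list and wordlist. The user names, stored hashes and wordlist are made-up sample data.

```python
"""NT hash = MD4(UTF-16LE(password)), unsalted.  Added example; MD4 is
implemented here from RFC 1320.  USERS and WORDLIST are constructed sample
data, not real accounts."""
import struct

MASK = 0xFFFFFFFF


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK


def _f(x, y, z):  # round 1 auxiliary function
    return (x & y) | ((~x & MASK) & z)


def _g(x, y, z):  # round 2 (majority)
    return (x & y) | (x & z) | (y & z)


def _h(x, y, z):  # round 3 (parity)
    return x ^ y ^ z


# (word index k, rotation s) schedules for the three rounds, per RFC 1320
_R1 = [(k, (3, 7, 11, 19)[k % 4]) for k in range(16)]
_R2 = list(zip((0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13) * 4))
_R3 = list(zip((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15) * 4))


def md4(data: bytes) -> bytes:
    """MD4 digest of data (RFC 1320)."""
    # Padding: 0x80, zeros to 56 mod 64, then 64-bit little-endian bit length.
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, sched, const in ((_f, _R1, 0), (_g, _R2, 0x5A827999), (_h, _R3, 0x6ED9EBA1)):
            for k, s in sched:
                a = _rotl((a + fn(b, c, d) + x[k] + const) & MASK, s)
                a, b, c, d = d, a, b, c  # rotate the register roles
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """Windows NT hash: MD4 over the UTF-16LE encoding, no salt, no iteration."""
    return md4(password.encode("utf-16-le")).hex()


def crack_unsalted(stored, wordlist):
    """Dictionary attack against a {user: nt_hash_hex} table.

    Because no per-user value enters the hash, each candidate is hashed once
    and the result is compared against every stored hash by lookup."""
    lookup = {nt_hash(w): w for w in wordlist}
    return {user: lookup[h] for user, h in stored.items() if h in lookup}


# Constructed sample data.  alice and bob share a password, which the equal
# hashes already reveal before any cracking happens.
USERS = {
    "alice": "8846f7eaee8fb117ad06bdd830b7586c",
    "bob": "8846f7eaee8fb117ad06bdd830b7586c",
    "carol": nt_hash("correct horse battery staple"),
}
WORDLIST = ["123456", "password", "letmein", "qwerty"]

if __name__ == "__main__":
    print("MD4('')  =", md4(b"").hex())
    print("NT('password') =", nt_hash("password"))
    print("recovered:", crack_unsalted(USERS, WORDLIST))
```

Three MD4 computations cover the whole wordlist regardless of how many accounts are in the table, which is what makes a short unsalted NT hash cheap to attack at scale; a per-user salt would force the attacker to rehash the wordlist once per account, and a deliberately slow password hash would multiply the cost of each of those hashes.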


