Re: Passphrases v Password

[randy <marchany () VT EDU>]

Brad Tilley from my office developed a password generator tool that is
pretty effective and easy to use. It's at http://16s.us/sha1_pass/.
Basically, you supply it a phrase/sentence and it generates a number of
password strings (base64, SHA-1, hex, etc.) that you can cut and paste into
the login page.

-Randy Marchany
VA Tech IT Security Office and Lab.

On Mon, Jul 8, 2013 at 9:50 AM, Tim Doty <tdoty () mst edu> wrote:

> I've been resisting, but I will point out that that xkcd significantly
> overstates the entropy of English which ruins his analysis. Relying on
> simple passphrases as protection against hash cracking doesn't work against
> real threats (http://arstechnica.com/**security/2013/05/how-crackers-**
> make-minced-meat-out-of-your-**passwords/<http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/>
> )
>
> In my opinion the biggest problem we face is that our systems are geared
> to require a password and password only for authentication. Even if you
> stand up a two factor system you are left with
>
> 1) locking out certain functionality (e.g., you can't use a Yubikey with
> an iphone)
>
> 2) increased complexity (which tends to weaker security)
>
> 3) uneven requirements resulting in exposed single factor mechanisms
>
> Whatever solution any given institution comes up with is up to them as a
> means of best meeting their requirements, but the factually incorrect and
> consequently misleading xkcd strip is obviously a sore point with me.
>
> Tim Doty
>
> On 07/05/2013 07:49 PM, Cathy Hubbs wrote:
>
> > Thanks to those that answered both on and off the list. I see we are out
> > in
> > front but not alone. Yes there are others!
> >
> > Every institution has a variety of considerations when making a decision.
> > Happy
> > to discuss off line.  The driving force was one year expiration and
> > customer
> > friendly.  We believe it is easier to teach customers to write natural
> > language
> > sentences than to pick a number, a symbol, an upper case, and a lower case
> > character.
> >
> > My colleague loves to trot this XKCD comic strip
> > http://imgs.xkcd.com/comics/**password_strength.png<http://imgs.xkcd.com/comics/password_strength.png>
> >
> > password_strength.png
> >
> > Thanks again.
> >
> > Cathy
> >
> > On Jul 5, 2013, at 12:22 PM, "Cathy Hubbs" <hubbs () AMERICAN EDU
> > <mailto:hubbs () AMERICAN EDU>> wrote:
> >
> >  Greetings,
> > > American University is moving to require passphrases, 16 character
> > > minimum,
> > > with upper and lower case requirement for standard users (staff,
> > > students, and
> > > faculty).
> > >
> > > I would love to hear from anyone that has gone down this path and
> > > experiences
> > > from their customers.
> > >
> > > Thanks
> > >
> > > Cathy
> > >
> > > Cathy Hubbs, CISSP, CISA, CGEIT
> > > Chief Information Security Officer
> > > Office of Information Technology
> > > American University