Educause Security Discussion mailing list archives
Re: Who is using Passphrase over 16 characters
From: Alex Lindstrom <aglind () UDEL EDU>
Date: Fri, 4 Sep 2020 10:27:29 -0400
We have a 12-character minimum with at least three character types being required. We also reject upon creation any passwords that consist of a common phrase or dictionary word or that match one of the user's last several passwords.

That being said, we rely on two-factor as the real control, and all students and employees are required to configure it. Even with education, user password practices are not renowned for their security.

-----
Alex Lindstrom
IT Security Analyst II
UDIT Security | Governance, Risk, & Compliance
(302) 831-4823

On Fri, Sep 4, 2020 at 10:15 AM Scott Hicks <000001df2216c6a1-dmarc-request () listserv educause edu> wrote:
FWIW, here is our policy (we require a password that's between 14 and 30 characters) with examples and a little education on why longer passwords are stronger.....

https://uncg.service-now.com/kb?id=kb_article_view&sysparm_article=KB0010158

Regards,
Scott Hicks
Network Architect
336-334-9756
scott.hicks () uncg edu

On Thu, Sep 3, 2020 at 5:20 PM Francisco Chavez <fac3 () stmarys-ca edu> wrote:

Hi Alan,

We have implemented a 16+ passphrase policy here at Saint Mary’s for a few years now. It was a struggle at first but we are better for it. We also have different policies for different levels of access that include lockout thresholds as well as password refreshes every 365 days. We also require MFA as well on top of the passphrase depending on certain risk criteria (Location, Device, etc.)

Sincerely,
Francisco Chavez

--
Francisco Chavez, MBA | Director, Infrastructure and Operations
Saint Mary's College of California
IT Services <https://www.stmarys-ca.edu/it-services>
phone: (925) 631-8236
email: fac3 () stmarys-ca edu

On Sep 3, 2020, at 2:12 PM, Alan Amesbury <amesbury () OITSEC UMN EDU> wrote:

On 03 Sep 20, at 16:05, Cathy Hubbs <hubbs () AMERICAN EDU> wrote:

We have been supporting 2 password policies for several years and would like to move to 1 (the 16+ character passphrase). Wondering how many of you have adopted a longer/stronger passphrase policy? For ease of response – anyone using passphrase policy requiring at least 12 characters?

[snip]

Policy requires a complex password for our high and medium classifications:

https://policy.umn.edu/it/securedata-appaaam

The policy refers to https://it.umn.edu/resources-it-staff-partners/information-security-standards/authentication-access-account-management for a discussion of what a complex password is, which includes a requirement that it be >=16 characters long.
I note they didn't use my own authentication factor definitions:

1) Something you lose.
2) Something you forget.
3) Something you cease to be.

--
Alan Amesbury
Security Analyst | University Information Security (UIS)
University of Minnesota | umn.edu | 612-625-8810
Information Security is a shared responsibility. Learn more at: https://it.umn.edu/what-security-incident

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community