Re: Who is using Passphrase over 16 characters

[Alex Lindstrom <aglind () UDEL EDU>]

We have a 12-character minimum with at least three character types being
required. We also reject upon creation any passwords that consist of a
common phrase or dictionary word or that match one of the user's last
several passwords.

That being said, we rely on two-factor as the real control, and all
students and employees are required to configure it. Even with education,
user password practices are not renowned for their security.

-----

Alex Lindstrom

IT Security Analyst II
UDIT Security | Governance, Risk, & Compliance

(302) 831-4823


On Fri, Sep 4, 2020 at 10:15 AM Scott Hicks <
000001df2216c6a1-dmarc-request () listserv educause edu> wrote:

> FWIW, here is our policy (we require a password that's between 14 and 30
> characters) with examples and a little education on why longer passwords
> are stronger.....
> https://uncg.service-now.com/kb?id=kb_article_view&sysparm_article=KB0010158
>
> Regards,
>
> Scott Hicks
> Network Architect
>
> 336-334-9756
> scott.hicks () uncg edu
>
> On Thu, Sep 3, 2020 at 5:20 PM Francisco Chavez <fac3 () stmarys-ca edu>
> wrote:
>
> > Hi Alan,
> >
> > We have implemented a 16+ passphrase policy here at Saint Mary’s for a
> > few years now. It was a struggle at first but we are better for it. We also
> > have different policies for different levels of access that that include
> > lockout thresholds as well as password refreshes every 365 days. We also
> > require MFA as well on top of the passphrase depending on certain risk
> > criteria (Location, Device, etc.)
> >
> >
> >
> > Sincerely,
> > Francisco Chavez
> >
> >
> > --
> > Francisco Chavez, MBA  |  Director, Infrastructure and Operations
> > Saint Mary's College of California
> >
> > ...............................................................................................................................
> > IT Services <https://www.stmarys-ca.edu/it-services>
> > phone: (925) 631-8236
> > email: fac3 () stmarys-ca edu
> >
> >
> >
> > On Sep 3, 2020, at 2:12 PM, Alan Amesbury <amesbury () OITSEC UMN EDU>
> > wrote:
> >
> > On 03 Sep 20, at 16:05, Cathy Hubbs <hubbs () AMERICAN EDU> wrote:
> >
> > We have been supporting 2 password policies for several years and would
> > like to move to 1 (the 16+ character passphrase).  Wondering how many of
> > you have adopted a longer/stronger passphrase policy?
> > For ease of response – anyone using passphrase policy requiring at least
> > 12 characters?
> >
> > [snip]
> >
> > Policy requires a complex password for our high and medium
> > classifications:
> >
> > https://policy.umn.edu/it/securedata-appaaam
> >
> >
> > The policy refers to
> >
> >
> > https://it.umn.edu/resources-it-staff-partners/information-security-standards/authentication-access-account-management
> >
> >
> > for a discussion of what a complex password is, which includes a
> > requirement that it be >=16 characters long.
> >
> > I note they didn't use my own authentication factor definitions:
> >
> > 1) Something you lose.
> > 2) Something you forget.
> > 3) Something you cease to be.
> >
> >
> > --
> > Alan Amesbury
> > Security Analyst | University Information Security (UIS)
> > University of Minnesota | umn.edu | 612-625-8810
> > Information Security is a shared responsibility. Learn more at:
> > https://it.umn.edu/what-security-incident
> >
> > **********
> > Replies to EDUCAUSE Community Group emails are sent to the entire
> > community list. If you want to reply only to the person who sent the
> > message, copy and paste their email address and forward the email reply.
> > Additional participation and subscription information can be found at
> > https://www.educause.edu/community
> >
> >
> > **********
> > Replies to EDUCAUSE Community Group emails are sent to the entire
> > community list. If you want to reply only to the person who sent the
> > message, copy and paste their email address and forward the email reply.
> > Additional participation and subscription information can be found at
> > https://www.educause.edu/community
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community