Educause Security Discussion mailing list archives
Re: Who is using Passphrase over 16 characters
From: "Gregory, Christopher" <CGREGORY () HWS EDU>
Date: Fri, 4 Sep 2020 22:11:06 +0000
Hello Cathy,

We have stuck with the NIST guidelines (8 character minimum) and focused on a defense-in-depth approach in hopes a compromised password is less likely to cause a full-blown breach. In our experience, passwords are most likely to be compromised through some other vector (phishing...<sigh>) rather than guessed or brute-forced, thus negating the effectiveness of length/complexity.

Our mitigation approach consists of account lockout on every system that will support it, and we are pushing all on premise and cloud services to MFA as quickly as our populations can stomach it. We also try - with mixed results - to "encourage" participation in security awareness training.

I think the password policy approach an org takes is much like the "What's better, Coke or Pepsi" argument. Yes, password phrases are certainly preferred as they can be longer and are easier to remember, but I'm of the (perhaps unpopular) opinion that long passwords - unless they are complex and non-dictionary - create more risks than they mitigate.

For those of you going 12+ characters, do you enforce password history/uniqueness? Complexity?

Have a quiet weekend,
Chris

Christopher Gregory | CCIE, CISSP
Network & Cyber Security Architect
Hobart and William Smith Colleges

From: The EDUCAUSE Security Community Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Blake Brown
Sent: Thursday, September 3, 2020 5:10 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Who is using Passphrase over 16 characters

We are using a minimum of 12+ here but would also like to move to 16+ passphrase in the next year or so.

~Blake

________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Cathy Hubbs <hubbs () AMERICAN EDU>
Sent: Thursday, September 3, 2020 2:05 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Who is using Passphrase over 16 characters

Hi all,

We have been supporting 2 password policies for several years and would like to move to 1 (the 16+ character passphrase). Wondering how many of you have adopted a longer/stronger passphrase policy? For ease of response - anyone using passphrase policy requiring at least 12 characters?

Feel free to contact me off list if you prefer.

Cathy

Cathy Hubbs
Chief Information Security Officer
American University
Washington DC

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community