Security Basics mailing list archives
Re: Suggested "safe" password length
From: Hollis Johnson <hollis () cisco com>
Date: Sat, 15 Nov 2003 08:22:25 -0800
Ashish. I don't have a pw-length recommendation. However, I've heard that Windows only uses the first 8 characters -- of course, someone may correct me.

Everything I've read concurs with Simon on coming up with strong passwords. I've read in several places (maybe many) about coming up with passwords from a phrase and doing some substitution -- from my experience travelling last week, for instance --

O'hare airport is a horrible place to spend the night.
0'a1aHP2stn

A "translation" of the first letter of each word -- includes upper and lower; numbers, even a non-alpha-number character. And trust me, I'll remember that phrase for a long time :-)

The latest stats I read were under 4 seconds if the word was in the dictionary, even with minor substitutions. Whereas something like this was not cracked in a few days.
Good luck !!

At 11:30 AM 11/14/2003 +0000, Simon Gray wrote:

Hi,

> I wanted to have an idea about what should be the suggested range of
> password lengths and if there is any upper bound.
> I was told that there is a range up to which your password is encrypted
> and beyond which the characters are futile. I work on a linux environment
> with md5 encryption of passwords enabled.

I would have thought at least 8-10 characters (this does depend on what the password is authenticating you to? (Nuclear reactor? or your gym locker?))

You may want to enforce say at least 1 numeric, and 1 uppercase and maybe 1 lower case in that. Should also try to get your users to avoid using dictionary words, even such as hell0, or fr3d etc.

Something like 'IQyJ$4)xv&' or 'z46he+^6**' would be a pretty strong password since it has no real relevance to anything, however remembering that could be interesting. That's the price you've got to pay for password security.

Hope this helps.

Regards,
Simon Gray
Desktop Guardian Ltd
Developers of Identrica mobile phone based authentication
www.identrica.com

---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to simplify the management and deployment of PGP and reduce overall PGP costs by up to 80%.
FREE WHITEPAPER & 30 Day Trial - http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027
----------------------------------------------------------------------------
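Added example, not part of the original posts: a small Python check that applies the rules discussed in this thread (minimum length, character classes, and rejecting dictionary words even after substitutions such as hell0 or fr3d). The wordlist, the substitution table and the function names are assumptions made for illustration.

```python
import re

# Constructed sample wordlist; a real check would load a full dictionary file.
WORDLIST = {"hello", "fred", "password", "airport", "night"}

# Assumed look-alike substitutions, undone before the dictionary lookup.
LEET = str.maketrans("01345$@", "oieassa")

MIN_LENGTH = 8  # lower end of the 8-10 characters suggested in the thread


def dictionary_hit(password):
    """Return the wordlist entry the password reduces to, or None."""
    lowered = password.lower()
    candidates = (
        re.sub(r"[^a-z]", "", lowered.translate(LEET)),  # hell0 -> hello
        re.sub(r"[^a-z]", "", lowered),                  # Password1 -> password
    )
    for candidate in candidates:
        if candidate in WORDLIST:
            return candidate
    return None


def check_password(password):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    word = dictionary_hit(password)
    if word:
        problems.append("dictionary word: " + word)
    return problems


if __name__ == "__main__":
    # Passwords quoted in the thread, plus one constructed case (Password1).
    for pw in ["hell0", "fr3d", "IQyJ$4)xv&", "z46he+^6**", "0'a1aHP2stn", "Password1"]:
        print(repr(pw), check_password(pw) or "ok")
```

Password1 meets every composition rule and is still rejected by the dictionary lookup, while 'z46he+^6**' is flagged only because the check requires an uppercase letter.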