Educause Security Discussion mailing list archives

Re: 15 character minimum passwords


From: Eric Pancer <epancer () SECURITY DEPAUL EDU>
Date: Thu, 8 Jul 2004 15:21:39 -0500

Todd Gunter wrote on Thu, 2004-07-08 at 16:02:57 -0400...

Has anyone adopted the use of 15 character minimum passwords?

We are going to start using this password format when we migrate to
Windows 2003.  I was wondering if anyone has started to use this
format and what, if any, issues you had using them?

We see this as a simpler approach to passwords.  Fifteen character
password with complexity is simply 'Ihaveabigmouth.'.  They are
also supposed to be much harder to crack.

When cracking NTLM-type passwords, I do believe they're split into
two hashes (7+7 characters). I'm not sure what is true these days,
but it used to be very easy to determine the first hash if you got
the second hash correct, essentially making a 14-character password
as simple to crack as a 7-character password.

Things might have changed.

As far as that length goes, I think you're asking for lots of
passwords to be written under keyboards, on monitors, etc., but
would be curious to know the results!

--
Eric Pancer :.: Computer Security Response Team :.: DePaul University
http://security.depaul.edu/ .:`:.:':.:`:. epancer () security depaul edu
pgp: 1024D/7ACBCFF3 C022 4991 41E5 51E7 683C F765 62F7 7F8E 7ACB CFF3

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
