Educause Security Discussion mailing list archives

Re: 15 character minimum passwords


From: Bill Frazier <frazier () IASTATE EDU>
Date: Fri, 9 Jul 2004 08:02:38 CDT

The comment on ntlm is well taken.  If I recall correctly, if
you are using older versions of ntlm, a well chosen 8
character password is less vulnerable than a 15 character
password, though both can be hacked.  I don't recall whether
V2 fixes that problem, though the hackability is improved.

As far as length, one advantage of long passwords -- even
longer than 15 characters -- is that one can safely dispense
with the requirement for multiple character classes.  This is
especially nice if the client systems AND whatever server-side
system is present are all completely unpicky about characters
used.  Hence, "How now brown cow?" would be easy to remember,
though perhaps not the best choice if the cracker tried common
phrases.  By contrast, the shorter "4RTu%@g6" is, for most
people, more difficult.

Much of current recommendation in the security community is
that long phrases, perhaps describing events (real or imagined
but not obvious), are better choices.  The idea is that such
long passwords are memorable while good choices at shorter
lengths are not.

Bill


__________________________________________________________________
On Thu, 08 Jul 2004 15:21:39 CDT, Eric Pancer wrote:

Todd Gunter wrote on Thu, 2004-07-08 at 16:02:57 -0400...

Has anyone adopted the use of 15 character minimum passwords?

We are going to start using this password format when we migrate to Windows
2003.  I was wondering if anyone has started to use this format and
what, if any, issues you had using them?

We see this as a simpler approach to passwords.  Fifteen character
password with complexity is simply 'Ihaveabigmouth.'.  They are
also supposed to be much harder to crack.

When cracking ntlm type passwords, I do believe they're split into
two hashes (7+7 characters). I'm not sure what is true these days,
but it used to be very easy to determine the first hash if you got
the second hash correct, essentially making a 14 characters password
as simple to crack as a 7 character password.

Things might have changed.

As far as that length goes, I think you're asking for lots of
passwords to be written under keyboards, on monitors, etc., but
would be curious to know the results!

--
Eric Pancer :.: Computer Security Response Team :.: DePaul University
http://security.depaul.edu/ .:`:.:':.:`:. epancer () security depaul edu
pgp: 1024D/7ACBCFF3 C022 4991 41E5 51E7 683C F765 62F7 7F8E 7ACB CFF3

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.




__________________________________________________________________
Bill Frazier                                 frazier () iastate edu
Assistant Director/Software Support          voice: (515) 294-8620
Iowa State University                        fax:   (515) 294-1717
Academic Information Technologies, 291 Durham, Ames, Iowa 50011


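The thread makes three practical points: a 15-character minimum lets you drop the character-class rule, common phrases are still weak choices, and anything of 14 characters or less is hashed by legacy LM as two independent upper-cased 7-byte halves (a 15+ character password has no real LM hash at all). The following is an added example written for this page, not code from any of the posters or from Windows; it checks a candidate password against such a policy and reports how it would sit under LM. The three-of-four character-class rule for short passwords, the small list of common phrases, and the 69-symbol alphabet (26 letters, 10 digits, 32 symbols, space, after LM has removed case) are assumptions made for the example.

```python
"""Password-policy check in the spirit of the thread: 15+ characters with no
class rule, 8-14 characters with a three-of-four class rule, common phrases
rejected, plus a report of the legacy LM exposure of the candidate.
Illustrative code for this page only; not from the Educause list or Windows."""
import re
import string

MIN_LONG = 15   # at or above this length no character-class rule applies
MIN_SHORT = 8   # below this length the password is rejected outright

# Constructed list of phrases a cracker would try first (assumption).
COMMON_PHRASES = {
    "how now brown cow",
    "the quick brown fox jumps over the lazy dog",
    "to be or not to be",
}


def _normalize(pw: str) -> str:
    """Lower-case and strip punctuation so 'How now brown cow?' hits the list."""
    return re.sub(r"[^a-z0-9 ]", "", pw.lower()).strip()


def character_classes(pw: str) -> int:
    """Count how many of the four classes (upper, lower, digit, symbol) occur."""
    checks = (str.isupper, str.islower, str.isdigit,
              lambda c: c in string.punctuation)
    return sum(any(f(c) for c in pw) for f in checks)


def lm_halves(pw: str):
    """How LM hashing sees the password: upper-cased, padded with NULs or
    truncated to 14 bytes, then split into two 7-byte halves that are hashed
    independently.  A 15+ character password cannot be represented, so no
    real LM hash exists for it; return None in that case."""
    if len(pw) >= MIN_LONG:
        return None
    padded = pw.upper().encode("latin-1", "replace").ljust(14, b"\x00")[:14]
    return padded[:7], padded[7:]


def lm_work_factor(pw: str, alphabet_size: int = 69) -> int:
    """Upper bound on guesses needed against the LM representation: each
    non-empty half is a separate 7-character search, so a 14-character
    password costs two 7-character searches, not one 14-character one.
    The 69-symbol alphabet is an assumption (case has already been lost)."""
    halves = lm_halves(pw)
    if halves is None:
        return 0  # nothing for an LM cracker to work on
    live_halves = [h for h in halves if h.strip(b"\x00")]
    return len(live_halves) * alphabet_size ** 7


def check_password(pw: str) -> dict:
    """Apply the policy and return the verdict with reasons and LM exposure."""
    reasons = []
    if len(pw) < MIN_SHORT:
        reasons.append("shorter than %d characters" % MIN_SHORT)
    elif len(pw) < MIN_LONG and character_classes(pw) < 3:
        reasons.append("under %d characters and fewer than 3 character classes"
                       % MIN_LONG)
    if _normalize(pw) in COMMON_PHRASES:
        reasons.append("matches a common phrase")
    return {
        "accepted": not reasons,
        "reasons": reasons,
        "lm_exposed": lm_halves(pw) is not None,
        "lm_guesses_upper_bound": lm_work_factor(pw),
    }


if __name__ == "__main__":
    # Candidates taken from the thread plus one constructed passphrase.
    for candidate in ("4RTu%@g6", "How now brown cow?", "Ihaveabigmouth.",
                      "The cat ate my 2004 tax return"):
        print(repr(candidate), check_password(candidate))
```

Running it shows the asymmetry the posters describe: the 8-character "4RTu%@g6" passes the class rule but still leaves two 7-character LM searches, while "Ihaveabigmouth." passes with no class rule and has no LM hash to attack; "How now brown cow?" is long enough but is rejected as a known phrase.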