Educause Security Discussion mailing list archives
Re: 15 character minimum passwords
From: Bill Frazier <frazier () IASTATE EDU>
Date: Fri, 9 Jul 2004 08:02:38 CDT
The comment on ntlm is well taken. If I recall correctly, if you are using older versions of ntlm, a well chosen 8 character password is less vulnerable than a 15 character password, though both can be hacked. I don't recall whether V2 fixes that problem, though the hackability is improved.

As far as length, one advantage of long passwords -- even longer than 15 characters -- is that one can safely dispense with the requirement for multiple character classes. This is especially nice if the client systems AND whatever server-side system is present are all completely unpicky about characters used. Hence, "How now brown cow?" would be easy to remember, though perhaps not the best choice if the cracker tried common phrases. By contrast, the shorter "4RTu%@g6" is, for most people, more difficult.

Much of the current recommendation in the security community is that long phrases, perhaps describing events (real or imagined but not obvious), are better choices. The idea is that such long passwords are memorable while good choices at shorter lengths are not.

Bill

__________________________________________________________________

On Thu, 08 Jul 2004 15:21:39 CDT, Eric Pancer wrote:

Todd Gunter wrote on Thu, 2004-07-08 at 16:02:57 -0400...
Has anyone adopted the use of 15 character minimum passwords? We are going to start using this password format when we migrate to Windows 2003. I was wondering if anyone has started to use this format and what, if any, issues you had using them?
We see this as a simpler approach to passwords. Fifteen character password with complexity is simply 'Ihaveabigmouth.'. They are also supposed to be much harder to crack.
When cracking ntlm type passwords, I do believe they're split into two hashes (7+7 characters). I'm not sure what is true these days, but it used to be very easy to determine the first hash if you got the second hash correct, essentially making a 14 characters password as simple to crack as a 7 character password. Things might have changed.

As far as that length goes, I think you're asking for lots of passwords to be written under keyboards, on monitors, etc., but would be curious to know the results!

--
Eric Pancer :.: Computer Security Response Team :.: DePaul University
http://security.depaul.edu/ .:`:.:':.:`:. epancer () security depaul edu
pgp: 1024D/7ACBCFF3 C022 4991 41E5 51E7 683C F765 62F7 7F8E 7ACB CFF3

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.

__________________________________________________________________

Bill Frazier frazier () iastate edu
Assistant Director/Software Support voice: (515) 294-8620
Iowa State University fax: (515) 294-1717
Academic Information Technologies, 291 Durham, Ames, Iowa 50011
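
An added example, not part of the original message or of any poster's text: a small Python model of the exhaustive-search space behind the two points in this thread, the 7+7 split Eric Pancer describes and the long-phrase argument Bill Frazier makes. The printable-ASCII class sizes and the upper-casing of split halves are assumptions of the model (the legacy LAN Manager hash upper-cases its input), and the figures bound brute force only, not phrase-list guessing.

```python
import math
import string

# Character classes over printable ASCII (assumed alphabet for this model).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}

def alphabet_size(text):
    """Combined size of every character class that appears in text."""
    return sum(len(chars) for chars in CLASSES.values() if chars & set(text))

def whole_hash_bits(password):
    """log2 of exhaustive-search guesses when the password is hashed as one unit."""
    return len(password) * math.log2(alphabet_size(password))

def split_hash_bits(password):
    """log2 of guesses when the password is upper-cased and hashed as two
    independent 7-character halves. Returns None above 14 characters, which
    a 7+7 scheme cannot represent."""
    if len(password) > 14:
        return None
    folded = password.upper()
    n = alphabet_size(folded)
    halves = [folded[:7], folded[7:]]
    # Each half is searched on its own, so the costs add instead of multiplying.
    guesses = sum(n ** len(half) for half in halves if half)
    return math.log2(guesses)

def report(passwords):
    """Rows of (password, length, whole-hash bits, split-hash bits or None)."""
    rows = []
    for pw in passwords:
        split = split_hash_bits(pw)
        rows.append((pw, len(pw), round(whole_hash_bits(pw), 1),
                     None if split is None else round(split, 1)))
    return rows

if __name__ == "__main__":
    # "4RTu%@g6" and "How now brown cow?" are quoted in the thread;
    # the other two samples are constructed for the comparison.
    for row in report(["Ab3$efg", "4RTu%@g6", "Ab3$efgAb3$efg", "How now brown cow?"]):
        print(row)
```

Under the split model the constructed 14-character sample costs one bit more than its 7-character half, while the 18-character phrase falls outside the split scheme entirely.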