Educause Security Discussion mailing list archives

Re: 15 character minimum passwords


From: Greg Jackson <gjackson () UCHICAGO EDU>
Date: Fri, 9 Jul 2004 08:23:29 -0500

The problem, I think, is that limits on incorrect password guesses create a
problem of their own: they become the obvious mechanism for simple
denial-of-service attacks aimed at individuals or, in some cases, entire
user sets for the host in question. So my sense is that limits on guesses
-- that is, lockout policies -- are declining in attractiveness.
Crackability, which arguably had been solved by lockout policies, thus
becomes important once again.

That said, it's important to distinguish between rational guessing
strategies -- trying blank passwords, passwords set to "password",
passwords set to the username or the user's name, etc. -- and brute-force
dictionary or pattern attacks. Regardless of how one deals with the latter,
it's critical to have policies and mechanisms to prevent users from using
stupid passwords.

At 08:05 AM 7/9/2004, you wrote:
if you have a limit on incorrect password guesses then going from
8 to 15 characters makes no difference to fighting a guessing attack


====  gj / VP&CIO
====  The University of Chicago
====  5801 South Ellis #605, Chicago IL 60637
====  773-702-2828 voice, 773-834-2829 fax
====  http://gjackson.uchicago.edu
