Educause Security Discussion mailing list archives
Re: 15 character minimum passwords
From: Rich Graves <rcgraves () BRANDEIS EDU>
Date: Fri, 9 Jul 2004 09:28:03 -0400
On Fri, 9 Jul 2004, Scott Bradner wrote:
> the only threats I can see where going to 15 characters would make a possible difference is watching over someone's shoulder to catch a password and leaving the password file some place it can be grabbed for a brute force attack
>
> am I missing something?
Yes, both NTLM and Kerberos5 are subject to offline attacks on a sniffed challenge/response. If you still run Kerberos4, it's worse; a completely offline attack is possible.

Also, 15-character passwords exceed the 14-character LANMAN limit, so those much weaker hashes won't be stored -- or *offered*, when a client connects to a server that says it doesn't speak NTLM.

So, those are reasons, but I don't consider them compelling enough to enforce them at Brandeis for anyone but myself.

Brandeis currently requires either complex 7-8 character passwords (if any client supports LANMAN, you gain no security by going from 7 to 14) or simple passphrases 15+. Most users are choosing 15+ character passphrases now because it's easier than fighting cracklib.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
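The 14-character LANMAN limit and the "no gain from 7 to 14" remark in the message above can be worked through numerically. The following is an added example, not part of the original post: it models how LANMAN uppercases, pads and splits a password into two independently hashed 7-character halves, and compares worst-case exhaustive-search cost. The charset sizes (69 and 95), the function names and the sample password are assumptions made for the illustration, and ASCII-only passwords are assumed.

```python
import math

LM_MAX_LEN = 14      # LANMAN limit cited in the post
LM_HALF_LEN = 7      # LM hashes each 7-character half independently
LM_CHARSET = 69      # assumed: 95 printable ASCII minus 26 lowercase (LM uppercases)
FULL_CHARSET = 95    # assumed: printable ASCII, case preserved (NTLM)


def lm_halves(password):
    """Return the two 7-char strings LM would hash, or None when the
    password is too long for an LM hash to be derived at all."""
    if len(password) > LM_MAX_LEN:
        return None
    padded = password.upper().ljust(LM_MAX_LEN, "\0")
    return padded[:LM_HALF_LEN], padded[LM_HALF_LEN:]


def exhaustive_search_bits(length, lm_stored):
    """log2 of the worst-case guesses needed to exhaust passwords of this length."""
    if lm_stored and length <= LM_MAX_LEN:
        first = min(length, LM_HALF_LEN)
        second = max(length - LM_HALF_LEN, 0)
        # Halves are attacked separately, so the costs add instead of multiplying.
        return math.log2(LM_CHARSET ** first + LM_CHARSET ** second)
    return length * math.log2(FULL_CHARSET)


if __name__ == "__main__":
    print(lm_halves("Passw0rd!"))  # constructed sample password
    for n in (7, 8, 14, 15):
        print(n, round(exhaustive_search_bits(n, lm_stored=True), 1))
```

Under these assumptions, going from 7 to 14 characters with LANMAN hashes present adds about one bit of search cost, while a 15-character password falls outside the LANMAN limit and is costed against the full charset.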