Educause Security Discussion mailing list archives

Re: 15 character minimum passwords


From: Bill Frazier <frazier () IASTATE EDU>
Date: Fri, 9 Jul 2004 10:54:25 CDT

I don't want to get into a long discussion on length vs
complexity.  However, given the constraint mentioned that the
character set be unlimited, length, to some extent, equates to
complexity.  Much of the history of password choice
recommendations is predicated on the fact that we were talking
about passWORDs.  Single words or word shaped things.  Most
cracking tools commonly available rely on vulnerabilities in
the storage or transmittal system or on poor choices such as
dictionary words.  The shift to phrases or sentences
introduces complexity, though it does not remove the need for
good choices.  It certainly lengthens exhaustive search
approaches.  It also does not necessarily protect against
sophisticated cracks.  Most hackers don't work for NSA.

I would agree that it is possible to choose complex passwords
which are both good passwords and easily remembered.  I
believe, however, that "easily remembered" is a very
subjective concept.  Sorry, no references, just lots of info
gleaned from years of meetings and reading.

Bill

__________________________________________________________________
On Fri, 09 Jul 2004 10:01:17 CDT, "Lucas, Bryan" wrote:

I'm not sure I agree with the statement
"Much of current recommendation in the security community is
that long phrases, perhaps describing events (real or imagined but not
obvious), are better choices."

Who's recommending that?  Increased length doesn't necessarily mean
increased cracking time.  Increased complexity does.

Also, the common misconception is that complex passwords can't be
easily remembered.  I refer you to the Cambridge study on complex
passwords I sent earlier.


-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU]On Behalf Of Bill Frazier
Sent: Friday, July 09, 2004 8:03 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] 15 character minimum passwords


The comment on ntlm is well taken.  If I recall correctly, if
you are using older versions of ntlm, a well chosen 8
character password is less vulnerable than a 15 character
password, though both can be hacked.  I don't recall whether
V2 fixes that problem, though the hackability is improved.

As far as length, one advantage of long passwords -- even
longer than 15 characters -- is that one can safely dispense
with the requirement for multiple character classes.  This is
especially nice if the client systems AND whatever server-side
system is present are all completely unpicky about characters
used.  Hence, "How now brown cow?" would be easy to remember,
though perhaps not the best choice if the cracker tried common
phrases.  By contrast, the shorter "4RTu%@g6" is, for most
people, more difficult.

Much of current recommendation in the security community is
that long phrases, perhaps describing events (real or imagined
but not obvious), are better choices.  The idea is that such
long passwords are memorable while good choices at shorter
lengths are not.

Bill


__________________________________________________________________
On Thu, 08 Jul 2004 15:21:39 CDT, Eric Pancer wrote:

Todd Gunter wrote on Thu, 2004-07-08 at 16:02:57 -0400...

Has anyone adopted the use of 15 character minimum passwords?

We are going to start using this password format when we migrate to
Windows 2003.  I was wondering if anyone has started to use this format
and what, if any, issues you had using them?

We see this as a simpler approach to passwords.  A fifteen character
password with complexity is simply 'Ihaveabigmouth.'.  They are
also supposed to be much harder to crack.

When cracking ntlm type passwords, I do believe they're split into
two hashes (7+7 characters). I'm not sure what is true these days,
but it used to be very easy to determine the first hash if you got
the second hash correct, essentially making a 14 character password
as simple to crack as a 7 character password.

Things might have changed.

As far as that length goes, I think you're asking for lots of
passwords to be written under keyboards, on monitors, etc., but
would be curious to know the results!

--
Eric Pancer :.: Computer Security Response Team :.: DePaul University
http://security.depaul.edu/ .:`:.:':.:`:. epancer () security depaul edu
pgp: 1024D/7ACBCFF3 C022 4991 41E5 51E7 683C F765 62F7 7F8E 7ACB CFF3

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.




__________________________________________________________________
Bill Frazier                                 frazier () iastate edu
Assistant Director/Software Support          voice: (515) 294-8620
Iowa State University                        fax:   (515) 294-1717
Academic Information Technologies, 291 Durham, Ames, Iowa 50011
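As an added illustration (not part of the thread, and not anyone's posted code), the following Python models the attacker's work the posters describe: the 7+7 split of the LM hash that Eric mentions, LM's uppercasing of the password, and the fact that a password longer than 14 characters gets no LM hash at all, which is why a 15 character minimum matters. The policies and alphabet sizes in the comparison are constructed assumptions for illustration.

```python
import math

LM_HALF = 7    # LM pads/truncates the password to 14 bytes and hashes two 7-byte halves
LM_MAX = 14    # passwords longer than 14 characters get no LM hash at all


def uniform_bits(length, alphabet):
    """Search space (bits) for a random password of `length` symbols from `alphabet` choices."""
    return length * math.log2(alphabet)


def lm_attack_bits(length, upper_alphabet):
    """Work (bits) to brute-force a password stored as an LM hash.

    LM uppercases the password, so `upper_alphabet` is the symbol count after
    case folding (26 for letters, not 52).  Each 7-byte half is an independent
    DES key, so an attacker searches the halves separately: the cost is the
    SUM of the two half keyspaces, not their product.  Returns None when the
    password is longer than 14 characters, because then no LM hash exists.
    """
    if length > LM_MAX:
        return None
    first = min(length, LM_HALF)
    second = max(length - LM_HALF, 0)
    work = upper_alphabet ** first
    if second:                      # a password of 7 or fewer chars leaves the second half as known padding
        work += upper_alphabet ** second
    return math.log2(work)


def effective_bits(length, alphabet, upper_alphabet):
    """Cheapest route for the attacker: the LM hash (if one is stored) or a full-length NT-style search."""
    nt = uniform_bits(length, alphabet)
    lm = lm_attack_bits(length, upper_alphabet)
    return nt if lm is None else min(nt, lm)


if __name__ == "__main__":
    # Constructed policies (assumed alphabet sizes) mirroring the examples in the thread.
    policies = {
        "8 chars, 94 printable symbols (like '4RTu%@g6')":  (8, 94, 68),
        "14 chars, lowercase letters only":                 (14, 26, 26),
        "15 chars, lowercase letters only":                 (15, 26, 26),
        "18 chars, lowercase + space + '?' (a phrase)":     (18, 28, 28),
    }
    for name, (n, a, u) in policies.items():
        print(f"{name:50s} {effective_bits(n, a, u):6.1f} bits")
```

The 14 character lowercase password costs about 34 bits of work under LM versus 66 bits for a full-length search, while the 15 character one removes the LM shortcut entirely.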