Educause Security Discussion mailing list archives

Re: 15 character minimum passwords


From: "Lucas, Bryan" <b.lucas () TCU EDU>
Date: Fri, 9 Jul 2004 10:59:28 -0500

I wouldn't try to implement a complex password policy without a very good self-service web-based solution.  There are 
products out there that can allow users to have a challenge-response enrollment, change password and even unlock 
account features and they are very affordable.

I would also encourage deciding on a firm stance when the helpdesk can reset/assist once a self-service is in place.  
One because people sometimes tend to get in the habit of calling the helpdesk for a reset rather than taking the time 
to learn how to help themselves and two because a more firm stance can help reduce social engineering opportunities.

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU]On Behalf Of Melissa Guenther
Sent: Friday, July 09, 2004 10:26 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] 15 character minimum passwords


I have done work for 3 clients that initiated the 15 character password
requirement and all have gone back to an 8 character minimum.  The response
from the User community was far worse than anyone anticipated, and as
mentioned, the Helpdesk was overwhelmed with requests for password resets
and unlocking accounts.
----- Original Message -----
From: "Buz Dale" <buz.dale () USG EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Friday, July 09, 2004 8:13 AM
Subject: Re: [SECURITY] 15 character minimum passwords


An 8 character minimum with a few qualifications (add a number or non
alpha character, etc.) seems fairly reasonable.  With a 15 character
password, look out helpdesk.  There will probably be a lot more requests
for password resets and unlocking accounts.
IMHO,
Buz


Scott Bradner wrote:
what problem are you trying to solve with 15 character passwords

if you have a limit on incorrect password guesses then going from
8 to 15 characters makes no difference to fighting a guessing attack

the only threats I can see where going to 15 characters would make
a possible difference is watching over someone's shoulder to catch a
password and leaving the password file some place it can be grabbed
for a brute force attack

am I missing something?

the main effect I would predict is pissed off users - and that does not
seem like a security advantage

Scott

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.


--
----
Buz Dale                                buz.dale () usg edu
IT Security Specialist              1-888-875-3697
Office of Information and Instructional Technology
University System of Georgia
