Educause Security Discussion mailing list archives
Re: 15 character minimum passwords
From: "Lucas, Bryan" <b.lucas () TCU EDU>
Date: Fri, 9 Jul 2004 10:59:28 -0500
I wouldn't try to implement a complex password policy without a very good self-service web-based solution. There are products out there that can allow users to have a challenge-response enrollment, change password and even unlock account features and they are very affordable.

I would also encourage deciding on a firm stance when the helpdesk can reset/assist once a self-service is in place. One because people sometimes tend to get in the habit of calling the helpdesk for a reset rather than taking the time to learn how to help themselves and two because a more firm stance can help reduce social engineering opportunities.

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU]On Behalf Of Melissa Guenther
Sent: Friday, July 09, 2004 10:26 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] 15 character minimum passwords

I have done work for 3 clients that initiated the 15 character password requirement and all have gone back to an 8 character minimum. The response from the User community was far worse than anyone anticipated, and as mentioned, the Helpdesk was overwhelmed with requests for password resets and unlocking accounts.

----- Original Message -----
From: "Buz Dale" <buz.dale () USG EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Friday, July 09, 2004 8:13 AM
Subject: Re: [SECURITY] 15 character minimum passwords

An 8 character minimum with a few qualifications (add a number or non alpha character, etc.) seems fairly reasonable. With a 15 character password, look out helpdesk. There will probably be a lot more requests for password resets and unlocking accounts.

IMHO,
Buz

Scott Bradner wrote:

what problem are you trying to solve with 15 character passwords

if you have a limit on incorrect password guesses then going from 8 to 15 characters makes no difference to fighting a guessing attack

the only threats I can see where going to 15 characters would make a possible difference is watching over someone's shoulder to catch a password and leaving the password file some place it can be grabbed for a brute force attack

am I missing something?

the main effect I would predict is pissed off users - and that does not seem like a security advantage

Scott

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.

-- ----
Buz Dale buz.dale () usg edu
IT Security Specialist 1-888-875-3697
Office of Information and Instructional Technology
University System of Georgia