Educause Security Discussion mailing list archives

Re: 15 character minimum passwords


From: Jim Loter <jloter () ENGR WASHINGTON EDU>
Date: Fri, 9 Jul 2004 08:52:45 -0700

The reason Windows 15+ character passwords/phrases are harder to crack
is that Windows doesn't generate LM hashes (the 7/7 split) for passwords
of >= 15 characters, so traditional Windows password cracking techniques
won't work against 15+ character passwords. That's not to say that other
methods won't work. It just means the common LM vulnerability is resolved.

There's some recent research that debunks the notion that longer
passwords are inherently harder for users to remember. It claims that
mnemonic passwords are about equivalent in security to random passwords
and are just about as easy for users to remember as "naively selected"
passwords (i.e. dictionary words or variations on names). The trouble,
of course, is getting them to follow the guidelines and not complain
about them.

Another thing the research demonstrated was that ALL 6-character
passwords, regardless of complexity, are easily susceptible to brute
force attacks.

Full report here: http://www.ftp.cl.cam.ac.uk/ftp/users/rja14/tr500.pdf

====================================
*Jim Loter*
*Director of Computing Services*
University of Washington College of Engineering
70e Wilcox Hall - Box 352180
Seattle, WA 98195
Phone: 206-543-1791 ~ Fax: 206-543-1018
====================================


----- Original Message -----
From: Todd Gunter
Sent: 7/8/2004 1:02 PM

Has anyone adopted the use of 15 character minimum passwords?

We are going to start using this password format when we migrate to Windows 2003.  I was wondering if anyone has started to use this format and what, if any, issues you had using them?

We see this as a simpler approach to passwords.  Fifteen character password with complexity is simply 'Ihaveabigmouth.'.  They are also supposed to be much harder to crack.

Please let me know your experiences with this move and any bumps in the road to look out for.

Thanks,
Todd :)>



-----------------------------
Todd Gunter
Director, Management Information Systems
Information Technologies Project Manager
45 Ferry St
Troy, NY 12180
guntet () sage edu (work email)
518-857-6754 (cell)
518-244-2088 (office)
518-244-2460 (fax)
~~~ "If you focus on quality today, it will, in the long term, pay benefits" ~~~

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
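
Added example, not part of the original messages: a small Python model of the LM preprocessing described in the reply above (upper-casing, 14-byte limit, 7/7 split), comparing the exhaustive-search bound for a password that gets an LM hash with one of 15+ characters that does not. The 95-character printable-ASCII alphabet, the ASCII-only encoding and all function names are assumptions of this example; it computes no hashes.

```python
import math

LM_MAX_LEN = 14      # LM only covers passwords of up to 14 characters
LM_HALF_LEN = 7      # the "7/7 split": two halves hashed independently
PRINTABLE = 95       # assumption: passwords drawn from printable ASCII
LM_CHARSET = PRINTABLE - 26   # LM upper-cases input, so a-z collapse into A-Z


def lm_halves(password):
    """Return the two 7-byte blocks that LM would hash separately,
    or None for 15+ characters, where no LM hash is generated."""
    if len(password) > LM_MAX_LEN:
        return None
    raw = password.upper().encode("ascii")   # ASCII-only model of the OEM charset
    raw = raw.ljust(LM_MAX_LEN, b"\x00")     # null-pad to 14 bytes
    return raw[:LM_HALF_LEN], raw[LM_HALF_LEN:]


def worst_case_bits(password):
    """Upper bound (log2 of guesses) for exhaustive search of the
    weakest stored form of this password under the model above."""
    if lm_halves(password) is None:
        # No LM hash: the full, case-sensitive string must be searched.
        return len(password) * math.log2(PRINTABLE)
    # LM hash present: each half is searched on its own, so the cost is
    # two 7-character searches, not one 14-character search.
    return math.log2(2 * LM_CHARSET ** LM_HALF_LEN)


def audit(password):
    """Summarise how a candidate password is treated under the LM model."""
    halves = lm_halves(password)
    return {
        "length": len(password),
        "lm_hash_generated": halves is not None,
        "second_half_empty": halves is not None and halves[1] == b"\x00" * LM_HALF_LEN,
        "worst_case_bits": round(worst_case_bits(password), 1),
    }


if __name__ == "__main__":
    # Constructed samples; the last one is the passphrase quoted in the thread.
    for pw in ("Secret", "Passw0rd!2004x", "Ihaveabigmouth."):
        print(pw, audit(pw))
```

Under this model every password of 14 characters or fewer has the same bound of roughly 44 bits, while the 15-character passphrase from the thread is bounded only by its full length.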




